asyncrat | a108c1d0db9a98a9da88179ef4b244a8c37f01134c9727343f131b5a04109a89

General

Target

Infected.exe
Size

63KB
MD5

a63400efe58b3ff95cbdc1c101f18751
SHA1

dc8b76f2ef8b99bc500b36cb836fc522127d2186
SHA256

a108c1d0db9a98a9da88179ef4b244a8c37f01134c9727343f131b5a04109a89
SHA512

bc35161f6017dce82ddf2c5c98ba429168ecf30e4126e99467f3e6bc4d101bc71c4570a24df4c656ddb40bef22b7b31c6ebdae130210672c5213b9e209c7b0cb
SSDEEP

768:Cmxvn0zXf78NwC8A+XU2azcBRL5JTk1+T4KSBGHmDbD/ph0oXlUMZhSusdpqKYhg:LQXDLdSJYUbdh92/usdpqKmY7

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

147.185.221.23:28959

Attributes

delay
1
install
true
install_file
Windows Startup.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Startup.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

Windows Startup.exe

pid process

4688 Windows Startup.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2700 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1288 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4128 schtasks.exe

pid	process
4688	Windows Startup.exe

pid	process
2700	powershell.exe

pid	process
1288	timeout.exe

pid	process
4128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

Infected.exeWindows Startup.exe

pid	process
600	Infected.exe
600	Infected.exe
600	Infected.exe
600	Infected.exe
600	Infected.exe
600	Infected.exe
600	Infected.exe
600	Infected.exe
600	Infected.exe
600	Infected.exe
600	Infected.exe
600	Infected.exe
600	Infected.exe
4688	Windows Startup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Infected.exeWindows Startup.exe

description pid process

Token: SeDebugPrivilege 600 Infected.exe
Token: SeDebugPrivilege 4688 Windows Startup.exe

description	pid	process
Token: SeDebugPrivilege	600	Infected.exe
Token: SeDebugPrivilege	4688	Windows Startup.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Infected.execmd.execmd.exeWindows Startup.execmd.exe

description	pid	process	target process
PID 600 wrote to memory of 3084	600	Infected.exe	cmd.exe
PID 600 wrote to memory of 3084	600	Infected.exe	cmd.exe
PID 600 wrote to memory of 2452	600	Infected.exe	cmd.exe
PID 600 wrote to memory of 2452	600	Infected.exe	cmd.exe
PID 2452 wrote to memory of 1288	2452	cmd.exe	timeout.exe
PID 2452 wrote to memory of 1288	2452	cmd.exe	timeout.exe
PID 3084 wrote to memory of 4128	3084	cmd.exe	schtasks.exe
PID 3084 wrote to memory of 4128	3084	cmd.exe	schtasks.exe
PID 2452 wrote to memory of 4688	2452	cmd.exe	Windows Startup.exe
PID 2452 wrote to memory of 4688	2452	cmd.exe	Windows Startup.exe
PID 4688 wrote to memory of 4444	4688	Windows Startup.exe	cmd.exe
PID 4688 wrote to memory of 4444	4688	Windows Startup.exe	cmd.exe
PID 4444 wrote to memory of 2700	4444	cmd.exe	powershell.exe
PID 4444 wrote to memory of 2700	4444	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Startup" /tr '"C:\Users\Admin\AppData\Roaming\Windows Startup.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Windows Startup" /tr '"C:\Users\Admin\AppData\Roaming\Windows Startup.exe"'
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp62E0.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1288

C:\Users\Admin\AppData\Roaming\Windows Startup.exe
"C:\Users\Admin\AppData\Roaming\Windows Startup.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\cecfvw.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\cecfvw.exe"'
5⤵
- Command and Scripting Interpreter: PowerShell
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp62E0.tmp.bat

Filesize
159B

MD5
5a11ba0d50bf2cf9815e58a80221c067

SHA1
948e0db8dc7537b36ac7d6089baadb476a8dc13d

SHA256
e50f166bcc911f5e86b62a33cc858f345ff75bce7dca83f1ab88404ac259442b

SHA512
596c8eeee62a2cbeb1afb987d7e512626b9c479ae4fb981564cbabf6dbef24ae630b2913608a8f307f758cd998f6ba1c7a38731187333d521ff9d9311db6088d

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Startup.exe

Filesize
63KB

MD5
a63400efe58b3ff95cbdc1c101f18751

SHA1
dc8b76f2ef8b99bc500b36cb836fc522127d2186

SHA256
a108c1d0db9a98a9da88179ef4b244a8c37f01134c9727343f131b5a04109a89

SHA512
bc35161f6017dce82ddf2c5c98ba429168ecf30e4126e99467f3e6bc4d101bc71c4570a24df4c656ddb40bef22b7b31c6ebdae130210672c5213b9e209c7b0cb

Download Submit
memory/600-0-0x00007FFA2ACB3000-0x00007FFA2ACB4000-memory.dmp

Filesize
4KB

Download
memory/600-1-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download
memory/600-2-0x00007FFA2ACB0000-0x00007FFA2B69C000-memory.dmp

Filesize
9.9MB

Download
memory/600-3-0x00007FFA2ACB0000-0x00007FFA2B69C000-memory.dmp

Filesize
9.9MB

Download
memory/600-8-0x00007FFA2ACB0000-0x00007FFA2B69C000-memory.dmp

Filesize
9.9MB

Download
memory/4688-15-0x000000001C160000-0x000000001C1D6000-memory.dmp

Filesize
472KB

Download
memory/4688-16-0x0000000002990000-0x00000000029C4000-memory.dmp

Filesize
208KB

Download
memory/4688-17-0x000000001C100000-0x000000001C11E000-memory.dmp

Filesize
120KB

Download
memory/4688-18-0x000000001C120000-0x000000001C152000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads