asyncrat | ec1801ff79dcf59dfaf2a22c69769a9482edbe46847d9944f27105b2634e9807

General

Target

PG03360126-ES6378027-GH093773S68-56372227.exe
Size

1003KB
MD5

b44079d5d3715e31a4dd4c13ad899fd4
SHA1

9fbcddfebfd05586a7b31703e4ad110c066078eb
SHA256

06b9d622ecd26a0f75180459d60b4b1554d173f20b81c59b63c7b920fb0d03d8
SHA512

92890be215c9591cab70b27b0bad722a6b272b4689b4a893c81092b3fae67923ca7ca8f624958b05feae9998e5544c43d2b80d1cccd7c69a1275dd6b0f7bddb2
SSDEEP

24576:gAHnh+eWsN3skA4RV1Hom2KXMmHa3Asa74d3xM95:Xh+ZkldoPK8Ya3AT8VxW

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

zaragoza.ddns.net:5480

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
fwqoouQWEGr.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Executes dropped EXE 1 IoCs

Processes:

fwqoouQWEGr.exe

pid process

2696 fwqoouQWEGr.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2740 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

PG03360126-ES6378027-GH093773S68-56372227.exe

description pid process target process

PID 2644 set thread context of 2176 2644 PG03360126-ES6378027-GH093773S68-56372227.exe RegSvcs.exe

pid	process
2696	fwqoouQWEGr.exe

pid	process
2740	cmd.exe

description	pid	process	target process
PID 2644 set thread context of 2176	2644	PG03360126-ES6378027-GH093773S68-56372227.exe	RegSvcs.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.exeschtasks.exetimeout.exefwqoouQWEGr.exePG03360126-ES6378027-GH093773S68-56372227.exeRegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwqoouQWEGr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PG03360126-ES6378027-GH093773S68-56372227.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2920 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2964 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

RegSvcs.exe

pid process

2176 RegSvcs.exe
2176 RegSvcs.exe
2176 RegSvcs.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

PG03360126-ES6378027-GH093773S68-56372227.exe

pid process

2644 PG03360126-ES6378027-GH093773S68-56372227.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2176 RegSvcs.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

PG03360126-ES6378027-GH093773S68-56372227.exe

pid process

2644 PG03360126-ES6378027-GH093773S68-56372227.exe
2644 PG03360126-ES6378027-GH093773S68-56372227.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

PG03360126-ES6378027-GH093773S68-56372227.exe

pid process

2644 PG03360126-ES6378027-GH093773S68-56372227.exe
2644 PG03360126-ES6378027-GH093773S68-56372227.exe

pid	process
2920	timeout.exe

pid	process
2964	schtasks.exe

pid	process
2176	RegSvcs.exe
2176	RegSvcs.exe
2176	RegSvcs.exe

pid	process
2644	PG03360126-ES6378027-GH093773S68-56372227.exe

description	pid	process
Token: SeDebugPrivilege	2176	RegSvcs.exe

pid	process
2644	PG03360126-ES6378027-GH093773S68-56372227.exe
2644	PG03360126-ES6378027-GH093773S68-56372227.exe

pid	process
2644	PG03360126-ES6378027-GH093773S68-56372227.exe
2644	PG03360126-ES6378027-GH093773S68-56372227.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

PG03360126-ES6378027-GH093773S68-56372227.exeRegSvcs.execmd.execmd.exe

description	pid	process	target process
PID 2644 wrote to memory of 2176	2644	PG03360126-ES6378027-GH093773S68-56372227.exe	RegSvcs.exe
PID 2644 wrote to memory of 2176	2644	PG03360126-ES6378027-GH093773S68-56372227.exe	RegSvcs.exe
PID 2644 wrote to memory of 2176	2644	PG03360126-ES6378027-GH093773S68-56372227.exe	RegSvcs.exe
PID 2644 wrote to memory of 2176	2644	PG03360126-ES6378027-GH093773S68-56372227.exe	RegSvcs.exe
PID 2644 wrote to memory of 2176	2644	PG03360126-ES6378027-GH093773S68-56372227.exe	RegSvcs.exe
PID 2644 wrote to memory of 2176	2644	PG03360126-ES6378027-GH093773S68-56372227.exe	RegSvcs.exe
PID 2644 wrote to memory of 2176	2644	PG03360126-ES6378027-GH093773S68-56372227.exe	RegSvcs.exe
PID 2644 wrote to memory of 2176	2644	PG03360126-ES6378027-GH093773S68-56372227.exe	RegSvcs.exe
PID 2176 wrote to memory of 2664	2176	RegSvcs.exe	cmd.exe
PID 2176 wrote to memory of 2664	2176	RegSvcs.exe	cmd.exe
PID 2176 wrote to memory of 2664	2176	RegSvcs.exe	cmd.exe
PID 2176 wrote to memory of 2664	2176	RegSvcs.exe	cmd.exe
PID 2176 wrote to memory of 2740	2176	RegSvcs.exe	cmd.exe
PID 2176 wrote to memory of 2740	2176	RegSvcs.exe	cmd.exe
PID 2176 wrote to memory of 2740	2176	RegSvcs.exe	cmd.exe
PID 2176 wrote to memory of 2740	2176	RegSvcs.exe	cmd.exe
PID 2664 wrote to memory of 2964	2664	cmd.exe	schtasks.exe
PID 2664 wrote to memory of 2964	2664	cmd.exe	schtasks.exe
PID 2664 wrote to memory of 2964	2664	cmd.exe	schtasks.exe
PID 2664 wrote to memory of 2964	2664	cmd.exe	schtasks.exe
PID 2740 wrote to memory of 2920	2740	cmd.exe	timeout.exe
PID 2740 wrote to memory of 2920	2740	cmd.exe	timeout.exe
PID 2740 wrote to memory of 2920	2740	cmd.exe	timeout.exe
PID 2740 wrote to memory of 2920	2740	cmd.exe	timeout.exe
PID 2740 wrote to memory of 2696	2740	cmd.exe	fwqoouQWEGr.exe
PID 2740 wrote to memory of 2696	2740	cmd.exe	fwqoouQWEGr.exe
PID 2740 wrote to memory of 2696	2740	cmd.exe	fwqoouQWEGr.exe
PID 2740 wrote to memory of 2696	2740	cmd.exe	fwqoouQWEGr.exe
PID 2740 wrote to memory of 2696	2740	cmd.exe	fwqoouQWEGr.exe
PID 2740 wrote to memory of 2696	2740	cmd.exe	fwqoouQWEGr.exe
PID 2740 wrote to memory of 2696	2740	cmd.exe	fwqoouQWEGr.exe

C:\Users\Admin\AppData\Local\Temp\PG03360126-ES6378027-GH093773S68-56372227.exe
"C:\Users\Admin\AppData\Local\Temp\PG03360126-ES6378027-GH093773S68-56372227.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\PG03360126-ES6378027-GH093773S68-56372227.exe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "fwqoouQWEGr" /tr '"C:\Users\Admin\AppData\Roaming\fwqoouQWEGr.exe"' & exit
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "fwqoouQWEGr" /tr '"C:\Users\Admin\AppData\Roaming\fwqoouQWEGr.exe"'
4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp148A.tmp.bat""
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2920

C:\Users\Admin\AppData\Roaming\fwqoouQWEGr.exe
"C:\Users\Admin\AppData\Roaming\fwqoouQWEGr.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp148A.tmp.bat

Filesize
155B

MD5
f455639dc56eec7bff1311e9a768e4c3

SHA1
537113778155bd44248887e43c42edc72a132699

SHA256
961ea057233ab4104b68c9ae6f0c1f0a2a1fdb625bdfcc6640582cfc1c618446

SHA512
c071ce5288f435d55c1579752e86420b37f9af2df42c01c6d028475b76e37917a99ee9ad6057d1af74c617b52f2f95db14d7ed29634ee8cc90b5c0cfda1bf6b2

Download Submit
\Users\Admin\AppData\Roaming\fwqoouQWEGr.exe

Filesize
44KB

MD5
0e06054beb13192588e745ee63a84173

SHA1
30b7d4d1277bafd04a83779fd566a1f834a8d113

SHA256
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

SHA512
251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

Download Submit
memory/2176-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2176-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2176-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2176-16-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2176-17-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-26-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2644-10-0x0000000000160000-0x0000000000164000-memory.dmp

Filesize
16KB

Download
memory/2696-31-0x0000000000120000-0x000000000012E000-memory.dmp

Filesize
56KB

Download
memory/2696-32-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads