Overview

overview

10

Static

static

10

AsyncClient.exe

windows10-ltsc 2021-x64

10

AsyncClient.exe

ubuntu-22.04-amd64

Analysis

  • max time kernel
    387s
  • max time network
    384s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    06-11-2024 21:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AsyncClient.exe

  • Size

    45KB

  • MD5

    0ec178ef04926e4f210b86e3e2ea08a4

  • SHA1

    ba06b654c033a4c7a59992e7e7fe1fc2ebde4fd4

  • SHA256

    8c08f6bb56a501cb7b055a0025562490219be8fcb7cdd482282233a7bc3f0b07

  • SHA512

    a271d8d36750603e50f6598665df82656a3bd9bd1c4226b1eb30062fa4dd5bbb4d8bb460bd437ad77d71008adb35f52d5e67c83ac41c65012feba36dcdb66b12

  • SSDEEP

    768:GuYHKTsufqG9vSLjWUvlPRmo2qbUKjPGaG6PIyzjbFgX3inFeDzOWE3BDZmx:GuYHKTsjMvSX2BKTkDy3bCXSnFeWHdmx

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808
Mutex

E2qgtjRHaRSi

Attributes
  • delay

    3

  • install

    false

  • install_file

    Java updater.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
    "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4600
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3196
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88f3fc77-db93-4e58-82e2-9cc502c3608a} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" gpu
        3⤵
          PID:4264
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {658b7a8f-7176-487e-9f73-7f6f45cc18ed} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" socket
          3⤵
            PID:4216
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2992 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3048 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2c94d0a-6329-4f98-b12a-e452aaf0fb03} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" tab
            3⤵
              PID:4772
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3756 -childID 2 -isForBrowser -prefsHandle 3748 -prefMapHandle 2700 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60fb1023-fbf8-4271-83ca-f38899aac61d} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" tab
              3⤵
                PID:4060
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4936 -prefMapHandle 4916 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc63a641-ca14-4342-92e0-f5830f672dca} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" utility
                3⤵
                • Checks processor information in registry
                PID:1472
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 3 -isForBrowser -prefsHandle 5540 -prefMapHandle 5564 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfff1696-dc8a-45b1-af8c-9d029d9b0f75} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" tab
                3⤵
                  PID:3352
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 4 -isForBrowser -prefsHandle 5792 -prefMapHandle 5796 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecb7c09c-35e0-4764-b7ac-fdb2f40cc365} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" tab
                  3⤵
                    PID:4660
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6072 -childID 5 -isForBrowser -prefsHandle 5992 -prefMapHandle 6000 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf56138b-2c88-4d82-8f12-4a12c6633a62} 3196 "\\.\pipe\gecko-crash-server-pipe.3196" tab
                    3⤵
                      PID:1588
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe"
                  1⤵
                    PID:2976
                    • C:\Windows\system32\NETSTAT.EXE
                      netstat -a
                      2⤵
                      • Gathers network information
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2144

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                    Filesize

                    479KB

                    MD5

                    09372174e83dbbf696ee732fd2e875bb

                    SHA1

                    ba360186ba650a769f9303f48b7200fb5eaccee1

                    SHA256

                    c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                    SHA512

                    b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                    Filesize

                    13.8MB

                    MD5

                    0a8747a2ac9ac08ae9508f36c6d75692

                    SHA1

                    b287a96fd6cc12433adb42193dfe06111c38eaf0

                    SHA256

                    32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                    SHA512

                    59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
                    Filesize

                    5KB

                    MD5

                    0dd3e5564eda4e67de832d4fac54c4d0

                    SHA1

                    59ee4cfca049eefc1bdf6052e7ff982387169eeb

                    SHA256

                    538f812fe9ea20a644bed5f06eb980d5ca31001b01a000ca7eaed2aebc768485

                    SHA512

                    8a0a1fdcb6127f9ad6cdca0a2c023e82d7052e2182cdf6ff4c7b2e9cbd1e8263b1134f68cc03c272f3269c8eb5c1864650081122483719d149fa4f643ef1c1e3

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\AlternateServices.bin
                    Filesize

                    8KB

                    MD5

                    06f2e320ee95a0a8c9c4f3e2eb19fcff

                    SHA1

                    fb1b998d30f086d4c02f26bec070e8ef8044d459

                    SHA256

                    49aa1d903da57896d315045f7c794520bf3cd115c123a81dd966aca790be8fa2

                    SHA512

                    d1bfe0173cf1b404a0a0f5bbdaed992434f208d10ce0ce78d78fbd6afcea5571d174851e83b214ad75014ec775086aee954d7364b501e73f04c66aa5e72224d4

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    25KB

                    MD5

                    125ac137098241fa6210c4595fc5f4ea

                    SHA1

                    fa6ae856a07713dceac222d22e78fa24fcc6a125

                    SHA256

                    3aaf2a181c1948af56d46f035088278a2a397ad071abb86973be06d6c6b7dcaf

                    SHA512

                    8f9b4f2c79df61d5632ee59957c10e259fb5859486c7623bb8d36d02b458641ef331d853c7e32ad6fb2f5bef7251e786a9edeeb97bc966492200cdf3dafb69d7

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    466a60674ecb712a0f9b79f71e5a50e0

                    SHA1

                    7eb574a694915737e26106a373d372b493bfb06e

                    SHA256

                    c687477c69f94608c9355d589d9c0aac31ebf170cbd21149ad73a2271241895a

                    SHA512

                    71b6c673627f60fd2091619f423ce975a859d8905c007b0d6ee49adaee2ed1365942e4cd450a983887868be0dfdf2ce81325e0b1b2a545a50d629acb6e887398

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    15KB

                    MD5

                    0b17749376919826504bedbb52f314ad

                    SHA1

                    fe33bab5c819785c0553805ae3735fd5e2a4578c

                    SHA256

                    74557bae2061bf54b617bb95523d47ca66617d93e685308e50c807585d9c5844

                    SHA512

                    f0dc2f9033a06e9548554aaab2e21e04e539252152d460d20baad6d259dbb45725c00d01e1c30f86096002f933d8ba50d3228584f5e89de13da1a093daaaed91

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    541b9a54b1c40327ca3ef71941be1465

                    SHA1

                    10da470d98f0e159d0ba43317cb4a63c631b3025

                    SHA256

                    2126966500fb466e5e4fc3169864c700082f6016cb26d639f8677c09db89092d

                    SHA512

                    fd8727601548f45268fa3120f4a5cba958cc7f4a7e4bf6c690a3aa003a0c0adf92e0d8eabef754eaf96080c40fe6caf6b525518e880e6fef7400b1fe5a8df927

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    25KB

                    MD5

                    ba93d53e7830568a052605b5d70b077a

                    SHA1

                    6a1a8a18c61bc60cb0a180e9d37f7873c9d24b6a

                    SHA256

                    6de037ecfdc808ed60e2c4ce37d7e406d9cc6d0378b39f12b069011b483d2b07

                    SHA512

                    6e93759e44102a97cc591f64295edd0ade1cfe1ba34f475f45c94e95ede316c5aeee68f47f1e2cff42ac313781044efd8ad444ccf628d64ad514ed272d8830cb

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\2cd4b495-857d-4ca7-8d29-ad6e2cb43d3b
                    Filesize

                    25KB

                    MD5

                    30624a505a1c823d7ec9d62d6950db9c

                    SHA1

                    c6481fbc0660d08f95ce3b7930575e6bdc1cf797

                    SHA256

                    c2e6a08dad43e07a2223546fdd64dbf22bc9fc6b7af6d16de5bcda48bd8fd3c6

                    SHA512

                    c822d3a198a072133299bc14bcdfaf2d6005267eba33c292bf3f811ee4f51985ad603a89514f8a5edce3c860a3f2584d9fc27c78af92a330577eeacb4a69048a

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\bc765b1e-ce55-4963-8d2b-2bf988261e79
                    Filesize

                    671B

                    MD5

                    cba8f219a79ad6e59c8f4bdcc52b22f0

                    SHA1

                    e9bbf16e5d8816ea08f81beac284d934c48c2cfc

                    SHA256

                    8a180e1512cbad8a0d9321e23c1a5ad96892590fa4c42305c5b92d0968648caf

                    SHA512

                    6f5e33410a63c39b13182696ef4f6dca019438f86fa15635b801e25cf53835a8212ac359a098eb49292b7f93ae4fcadbc16d2124d002b03a9218ad515299b15a

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\datareporting\glean\pending_pings\dd1be539-62c7-4001-9385-0494e1cefc35
                    Filesize

                    982B

                    MD5

                    751592f4a004a114d5c65dd6f771fa4f

                    SHA1

                    d661f4a1970ef75fcc9908662f827c3480df1d19

                    SHA256

                    4ad64ee3552d9f8f87b94431f21900eef5615dcd5acf5bed85327ca737aadb5a

                    SHA512

                    17cb995fb26a7bd587e0405cf2f79b5e93c33d905cf29d961acfc970f9d85f405a15d6017b942737f4267ee311d0bcdea046318a29a83d178d0c334257a9e347

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                    Filesize

                    1.1MB

                    MD5

                    842039753bf41fa5e11b3a1383061a87

                    SHA1

                    3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                    SHA256

                    d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                    SHA512

                    d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                    Filesize

                    116B

                    MD5

                    2a461e9eb87fd1955cea740a3444ee7a

                    SHA1

                    b10755914c713f5a4677494dbe8a686ed458c3c5

                    SHA256

                    4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                    SHA512

                    34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                    Filesize

                    372B

                    MD5

                    bf957ad58b55f64219ab3f793e374316

                    SHA1

                    a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                    SHA256

                    bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                    SHA512

                    79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                    Filesize

                    17.8MB

                    MD5

                    daf7ef3acccab478aaa7d6dc1c60f865

                    SHA1

                    f8246162b97ce4a945feced27b6ea114366ff2ad

                    SHA256

                    bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                    SHA512

                    5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs-1.js
                    Filesize

                    11KB

                    MD5

                    4c3b52a8144dec15054944eddfe6aabd

                    SHA1

                    4f6cb375bbdba494baca5276ba3d18b3a041f198

                    SHA256

                    32c6ae70128486fc456a21e35f01576562981163f1c39821e4ba57baaf3d6e37

                    SHA512

                    4a27467926e4a1716e280348d75e26e24b1e79428b95e3f55ae935a72a3ebe1ab030581c531da0c482f7136efe8434985ca595627cf41d7a72ab5a2d11d311fb

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs-1.js
                    Filesize

                    12KB

                    MD5

                    4f9159986bdc85817ac8a3abb960a5ed

                    SHA1

                    e0e55dff586f7b1ed5cacf8aa4585cc615059aa5

                    SHA256

                    7e0bd3313d784bfe17063ddf498709ab30f2d709bec5f9fdafc0d47fcd57c05c

                    SHA512

                    fd6b2a1498154d147420a7d2014bd894c2785cd17a8bb2178d08c5ef729901693de9ef0664ea0d6481a9653d1c412bc91fa2899038e0bc51007b89442e3b68bf

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs.js
                    Filesize

                    11KB

                    MD5

                    0dd86bb5e09435129060a76dae5f3b26

                    SHA1

                    572c5c80039aa75af992d0abfc1edc5434020d3a

                    SHA256

                    111d0e069c3c4b2abbc968c3558dcdf4dfcdb6564e53379f208eabad4a71943a

                    SHA512

                    947eedf4ba7da071ab128cdfa660ac43e36e5f78b0edb2ff4e00e1d0e8165e3fda777de73f5b349083502309fa91099503d424cad647c14b8a7d9eb8bf3bc1f6

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dom8snqr.default-release\prefs.js
                    Filesize

                    11KB

                    MD5

                    c1d163030c86707d2edf7c77eb1f1b14

                    SHA1

                    ac935dc62f7e9c379eccf28411ab3d18e55e15f3

                    SHA256

                    92bb4653c2d48ace8e7f1ccc0066dd503f9a21d39aefbb5866a178d795a34f8c

                    SHA512

                    957a205fbba22a429846606fcd0a7ac452001f73f5bc8ae918226d2430d043c46babc0cc485ab316ac0cd65aaed2f29084f3215fe10bcca4b2e26cf3bf312ae4

                    Download Submit

                  • memory/4600-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4600-4-0x00000000744C0000-0x0000000074C71000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/4600-3-0x00000000744CE000-0x00000000744CF000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4600-2-0x00000000744C0000-0x0000000074C71000-memory.dmp

                    Filesize

                    7.7MB

                    Download

                  • memory/4600-1-0x0000000000E70000-0x0000000000E82000-memory.dmp

                    Filesize

                    72KB

                    Download