asyncrat | 723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4a

General

Target

723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
Size

48KB
MD5

0360d424c0b508ac29afcc5893ce1bc0
SHA1

109e72fcef8255c939f7d3a2afddb9916bbb3534
SHA256

723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4a
SHA512

3d3e2f259f1e5a0a98e67928708c937652d7093a948d0aae4688a60d3c78c318b5bb0e38fb52a8fbde04af50e1fdd321e7c9d87c4f27799a341b092d587b1dc4
SSDEEP

768:KteuZggpSZJg5ZbPf1Q45EMgyBFpq17qqbiGrnGCU+LSAwBikqnvJlDdz5nSV:KteuZggQZi5ZbVwyQ7qqb9nGgnwBUvJS

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

103.145.50.68:8080

103.145.50.68:8880

Mutex

v0DhJzrjVEqz

Attributes

delay
3
install
true
install_file
DRE.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4776-2-0x0000000002E90000-0x0000000002EA2000-memory.dmp	family_asyncrat
behavioral2/memory/5048-16-0x0000000001690000-0x00000000016A2000-memory.dmp	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe

Executes dropped EXE 1 IoCs

Processes:

DRE.exe

pid	Process
5048	DRE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.execmd.execmd.exetimeout.exeschtasks.exeDRE.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRE.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
3860	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
3768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe

pid	Process
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exeDRE.exe

description	pid	Process
Token: SeDebugPrivilege	4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
Token: SeDebugPrivilege	5048	DRE.exe
Token: SeDebugPrivilege	5048	DRE.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.execmd.execmd.exe

description	pid	Process	procid_target
PID 4776 wrote to memory of 3032	4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe	93
PID 4776 wrote to memory of 3032	4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe	93
PID 4776 wrote to memory of 3032	4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe	93
PID 4776 wrote to memory of 756	4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe	94
PID 4776 wrote to memory of 756	4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe	94
PID 4776 wrote to memory of 756	4776	723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe	94
PID 756 wrote to memory of 3860	756	cmd.exe	97
PID 756 wrote to memory of 3860	756	cmd.exe	97
PID 756 wrote to memory of 3860	756	cmd.exe	97
PID 3032 wrote to memory of 3768	3032	cmd.exe	98
PID 3032 wrote to memory of 3768	3032	cmd.exe	98
PID 3032 wrote to memory of 3768	3032	cmd.exe	98
PID 756 wrote to memory of 5048	756	cmd.exe	101
PID 756 wrote to memory of 5048	756	cmd.exe	101
PID 756 wrote to memory of 5048	756	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe
"C:\Users\Admin\AppData\Local\Temp\723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4aN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DRE" /tr '"C:\Users\Admin\AppData\Roaming\DRE.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "DRE" /tr '"C:\Users\Admin\AppData\Roaming\DRE.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp87ED.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3860
- - C:\Users\Admin\AppData\Roaming\DRE.exe
    "C:\Users\Admin\AppData\Roaming\DRE.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp87ED.tmp.bat

Filesize
147B

MD5
4c6675cb5485342fe00538db26016424

SHA1
b32c96889cb8138af4e8b094a5e4196e04bd2979

SHA256
4cf3b6749e13aeb6f74bde92b27605b3c3dc169c60c0bad839bec57dbd22f597

SHA512
6f58a5f4720be851b2a5d4d09c1eaf50cf8c42356c4407013ffc3e224cbabd0e08a8c354057ab522c0fa18020c95ba6bdea1a96f144b7b50fb81a5e0152d00c7

Download Submit
C:\Users\Admin\AppData\Roaming\DRE.exe

Filesize
48KB

MD5
0360d424c0b508ac29afcc5893ce1bc0

SHA1
109e72fcef8255c939f7d3a2afddb9916bbb3534

SHA256
723b199d02bbf3eeca3a4d2681dc7a0b6ff1d1f88e674aa07877ca45b2b1ab4a

SHA512
3d3e2f259f1e5a0a98e67928708c937652d7093a948d0aae4688a60d3c78c318b5bb0e38fb52a8fbde04af50e1fdd321e7c9d87c4f27799a341b092d587b1dc4

Download Submit
memory/4776-10-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4776-3-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/4776-4-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/4776-5-0x0000000007EC0000-0x0000000007F5C000-memory.dmp

Filesize
624KB

Download
memory/4776-0-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/4776-2-0x0000000002E90000-0x0000000002EA2000-memory.dmp

Filesize
72KB

Download
memory/4776-1-0x00000000009B0000-0x00000000009C2000-memory.dmp

Filesize
72KB

Download
memory/5048-15-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-16-0x0000000001690000-0x00000000016A2000-memory.dmp

Filesize
72KB

Download
memory/5048-17-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-18-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/5048-19-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads