asyncrat | 56ab78b1f5f73c93d063d4c85837353b96c19bdacecb1d4ed955d170d2553980

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

48KB
MD5

3b4c1a3663d6d5ae561b793822b045ab
SHA1

2ef8222de19762ab8558922b3ba3cfe53285b7ae
SHA256

56ab78b1f5f73c93d063d4c85837353b96c19bdacecb1d4ed955d170d2553980
SHA512

034bdc45bed22d7ad968ce7b6747ba2dfb80d350a82f77d291e01bb0076fb69e7fa79ff4f4b8160ae6779d466123fe50278c7c8ee3d04ce0c3ff9b2202e27b16
SSDEEP

768:1UcRUbDILQe08+bixtelDSN+iV08YbygextUBl/of1vEgK/JbWfVc6KN:mc8ExtKDs4zb10yBJK1nkJbWfVclN

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

127.0.0.1:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
opus hook injector.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x000e00000001228d-15.dat	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

opus hook injector.exe

pid	Process
2724	opus hook injector.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
3064	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
2588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Client.exeopus hook injector.exe

pid	Process
764	Client.exe
764	Client.exe
764	Client.exe
764	Client.exe
764	Client.exe
764	Client.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe
2724	opus hook injector.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client.exeopus hook injector.exe

description	pid	Process
Token: SeDebugPrivilege	764	Client.exe
Token: SeDebugPrivilege	2724	opus hook injector.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Client.execmd.execmd.exe

description	pid	Process	procid_target
PID 764 wrote to memory of 2752	764	Client.exe	31
PID 764 wrote to memory of 2752	764	Client.exe	31
PID 764 wrote to memory of 2752	764	Client.exe	31
PID 764 wrote to memory of 2712	764	Client.exe	33
PID 764 wrote to memory of 2712	764	Client.exe	33
PID 764 wrote to memory of 2712	764	Client.exe	33
PID 2752 wrote to memory of 2588	2752	cmd.exe	34
PID 2752 wrote to memory of 2588	2752	cmd.exe	34
PID 2752 wrote to memory of 2588	2752	cmd.exe	34
PID 2712 wrote to memory of 3064	2712	cmd.exe	36
PID 2712 wrote to memory of 3064	2712	cmd.exe	36
PID 2712 wrote to memory of 3064	2712	cmd.exe	36
PID 2712 wrote to memory of 2724	2712	cmd.exe	37
PID 2712 wrote to memory of 2724	2712	cmd.exe	37
PID 2712 wrote to memory of 2724	2712	cmd.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "opus hook injector" /tr '"C:\Users\Admin\AppData\Roaming\opus hook injector.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "opus hook injector" /tr '"C:\Users\Admin\AppData\Roaming\opus hook injector.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2588
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEF00.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3064
- - C:\Users\Admin\AppData\Roaming\opus hook injector.exe
    "C:\Users\Admin\AppData\Roaming\opus hook injector.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEF00.tmp.bat

Filesize
162B

MD5
eb1d999bf2059bbbe4f5826271c4ce1c

SHA1
c47b058262aa8f5f2c764c7d353e3c89d1ef9929

SHA256
554f5ebf7890d0b7f76e94e363e65c932c2000d6c215fbb0032a7b75833b45a9

SHA512
8620937e4074c7c71a0bc59c61319b11d246776f15078afaa20bcdf01dd69c867c29a4247373e23547daf383d2487ffe9e58850c005b890496228ce8806ca551

Download Submit
C:\Users\Admin\AppData\Roaming\opus hook injector.exe

Filesize
48KB

MD5
3b4c1a3663d6d5ae561b793822b045ab

SHA1
2ef8222de19762ab8558922b3ba3cfe53285b7ae

SHA256
56ab78b1f5f73c93d063d4c85837353b96c19bdacecb1d4ed955d170d2553980

SHA512
034bdc45bed22d7ad968ce7b6747ba2dfb80d350a82f77d291e01bb0076fb69e7fa79ff4f4b8160ae6779d466123fe50278c7c8ee3d04ce0c3ff9b2202e27b16

Download Submit
memory/764-0-0x000007FEF5EB3000-0x000007FEF5EB4000-memory.dmp

Filesize
4KB

Download
memory/764-1-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/764-2-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/764-11-0x000007FEF5EB0000-0x000007FEF689C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-16-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download