Analysis Overview
SHA256
7d41f2fe756509c85b54522b30bc26bfedfaff42ead65e82d6de9c67c03a06d8
Threat Level: Known bad
The file AsyncClient.exe was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
Async RAT payload
AsyncRat
Executes dropped EXE
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 07:18
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 07:18
Reported
2024-11-13 07:19
Platform
win11-20241023-es
Max time kernel
53s
Command Line
Signatures
AsyncRat
Asyncrat family
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\InstallerPeclient1.21.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\InstallerPeclient1.21.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\InstallerPeclient1.21.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\InstallerPeclient1.21.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "InstallerPeclient1.21" /tr '"C:\Users\Admin\AppData\Roaming\InstallerPeclient1.21.exe"' & exit |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp366.tmp.bat"" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /sc onlogon /rl highest /tn "InstallerPeclient1.21" /tr '"C:\Users\Admin\AppData\Roaming\InstallerPeclient1.21.exe"' |
| C:\Windows\SysWOW64\timeout.exe | timeout 3 |
| C:\Users\Admin\AppData\Roaming\InstallerPeclient1.21.exe | "C:\Users\Admin\AppData\Roaming\InstallerPeclient1.21.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 127.0.0.1:2009 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:2009 | | tcp |
| N/A | 127.0.0.1:2009 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp366.tmp.bat
| Hash | Value |
|---|---|
| MD5 | 8275d1edb1865da05da8675f6a53e179 |
| SHA1 | d1cee23be39c64d4cf95df1ca7db68471ba9d28b |
| SHA256 | d6db7fc33b49cb42b270dfd77e5a946a87e5c2be0d8bc0997d631b9e4fc02b1f |
| SHA512 | 18458ca4f8e701acbf8dc8e0bde93123de40858b750f83c84ce4ddbfef720d9f206882d4a110d4d4086d5894fc50a11cd607fdbc02523354a79bc9358f2c8680 |
C:\Users\Admin\AppData\Roaming\InstallerPeclient1.21.exe
| Hash | Value |
|---|---|
| MD5 | a133aa15dff0878b51f78a73f26dcb75 |
| SHA1 | 496da7070019ed5d6f0e113a2a456b6417f5fba8 |
| SHA256 | 7d41f2fe756509c85b54522b30bc26bfedfaff42ead65e82d6de9c67c03a06d8 |
| SHA512 | 9a7fef9d09697a71f8ce0e44a8bac041d8a7bec31a9c7c3bddc3efaecb0145a2ff96767e9ca19eca3384c6333263cf3ec55be125236a275bee7a857ccfce2fca |