asyncrat | 671c2b036deed4e63f32adb4834fc6b2d9479d04a64025fa0245e6797add02e6

Resubmissions

16-11-2024 13:28

241116-qq11yaxejd 10

16-11-2024 13:22

241116-ql9ghs1mcj 10

Analysis

max time kernel
300s
max time network
304s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-11-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skibidirat.exe
Size

16.4MB
MD5

266764b1328dfba596ec0fbf5feca39a
SHA1

099c1d1750238b9e6ab0979c9cff8493c4f3c373
SHA256

300838a1445ba35fcf31f65018293d8cb9a7bfe0c4859b26205c09be3a7b3b3d
SHA512

f6f69498be690023553f4aabba26f27a0cdf3c68f405ffc76637eb6c933c1061bb92c40934276cb7751f6061de515e4f8ded12fef1c93a533dbbfb1c395ceea8
SSDEEP

196608:EVCpPOu8P5G2eee0yMRs4vkmXaU7aIObk9fcdHJDLscmZk36zOAE2A1cZF7sL9YR:2kr0TaZ1LmZ+F1cby9YN/X

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

natural-familiar.gl.at.ply.gg:65030

Attributes

delay
1
install
true
install_file
search.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral21/memory/4824-1-0x000002784E9D0000-0x000002784FA36000-memory.dmp	disable_win_def

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral21/files/0x001c00000002aadd-5.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
3144	temp.exe
3456	search.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1208	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\TypedURLs	skibidirat.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
3144	temp.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe
4824	skibidirat.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4824	skibidirat.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	temp.exe
Token: SeDebugPrivilege	3144	temp.exe
Token: SeDebugPrivilege	3456	search.exe
Token: SeDebugPrivilege	3456	search.exe
Token: SeDebugPrivilege	4824	skibidirat.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4824	skibidirat.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4824	skibidirat.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 3144	4824	skibidirat.exe	80
PID 4824 wrote to memory of 3144	4824	skibidirat.exe	80
PID 3144 wrote to memory of 4500	3144	temp.exe	83
PID 3144 wrote to memory of 4500	3144	temp.exe	83
PID 3144 wrote to memory of 3780	3144	temp.exe	84
PID 3144 wrote to memory of 3780	3144	temp.exe	84
PID 4500 wrote to memory of 4352	4500	cmd.exe	87
PID 4500 wrote to memory of 4352	4500	cmd.exe	87
PID 3780 wrote to memory of 1208	3780	cmd.exe	88
PID 3780 wrote to memory of 1208	3780	cmd.exe	88
PID 3780 wrote to memory of 3456	3780	cmd.exe	89
PID 3780 wrote to memory of 3456	3780	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\skibidirat.exe
"C:\Users\Admin\AppData\Local\Temp\skibidirat.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "search" /tr '"C:\Users\Admin\AppData\Roaming\search.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "search" /tr '"C:\Users\Admin\AppData\Roaming\search.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD1D7.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3780
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1208
  - - C:\Users\Admin\AppData\Roaming\search.exe
      "C:\Users\Admin\AppData\Roaming\search.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3456

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
63KB

MD5
4a3d7bd2084b48024bf8f459b10aa913

SHA1
ed47940c8e00f846e0656bd95ca14ddd8d157ba0

SHA256
7c15fa68e1ae83f81c98a2c616753777ccd720a8a2a1adda490e08be9369a3c8

SHA512
94e00110aa23f713e099039b027d01e7ea1c5521b4f9b6563cebf537eafb226a3aa840d7f3f4ec08872ec098bd57567c3fd8c3694ea62468139ae84ee5cc5b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD1D7.tmp.bat

Filesize
150B

MD5
fe61f615973cae8b624c1828512f6b4a

SHA1
ce3aa06ad4d1ecdf210a78a1cc4a6c8642ce8ee8

SHA256
6cde1ef402abccbb4c0f6ec2d2b95651ce968d800c0cdf9f7f771eda28056dbe

SHA512
c932fc5bfa5fba509c924bed7cea502dceea9bb63a83f4d7a754052c9cf4d713b6ef9a478db1847e6740bf7b7387e5784f3b22e9f8ab53e9b3469b83d16c340a

Download Submit
memory/3144-13-0x00007FFBD8450000-0x00007FFBD8F12000-memory.dmp

Filesize
10.8MB

Download
memory/3144-6-0x00000000009C0000-0x00000000009D6000-memory.dmp

Filesize
88KB

Download
memory/3144-20-0x00007FFBD8450000-0x00007FFBD8F12000-memory.dmp

Filesize
10.8MB

Download
memory/3144-8-0x00007FFBD8450000-0x00007FFBD8F12000-memory.dmp

Filesize
10.8MB

Download
memory/3144-15-0x00007FFBD8450000-0x00007FFBD8F12000-memory.dmp

Filesize
10.8MB

Download
memory/4824-14-0x00007FFBD8450000-0x00007FFBD8F12000-memory.dmp

Filesize
10.8MB

Download
memory/4824-1-0x000002784E9D0000-0x000002784FA36000-memory.dmp

Filesize
16.4MB

Download
memory/4824-12-0x00000278516D0000-0x00000278516E4000-memory.dmp

Filesize
80KB

Download
memory/4824-0-0x00007FFBD8453000-0x00007FFBD8455000-memory.dmp

Filesize
8KB

Download
memory/4824-10-0x00007FFBD8450000-0x00007FFBD8F12000-memory.dmp

Filesize
10.8MB

Download
memory/4824-9-0x000002786A680000-0x000002786A874000-memory.dmp

Filesize
2.0MB

Download
memory/4824-7-0x000002786A320000-0x000002786A572000-memory.dmp

Filesize
2.3MB

Download
memory/4824-11-0x000002786A180000-0x000002786A2CE000-memory.dmp

Filesize
1.3MB

Download
memory/4824-25-0x00007FFBD8453000-0x00007FFBD8455000-memory.dmp

Filesize
8KB

Download
memory/4824-26-0x00007FFBD8450000-0x00007FFBD8F12000-memory.dmp

Filesize
10.8MB

Download
memory/4824-27-0x000002786DED0000-0x000002786E4B8000-memory.dmp

Filesize
5.9MB

Download
memory/4824-28-0x000002786DA30000-0x000002786DA3A000-memory.dmp

Filesize
40KB

Download
memory/4824-29-0x00007FFBD8450000-0x00007FFBD8F12000-memory.dmp

Filesize
10.8MB

Download
memory/4824-30-0x000002786B3C0000-0x000002786B3D2000-memory.dmp

Filesize
72KB

Download
memory/4824-31-0x000002786EDF0000-0x000002786F070000-memory.dmp

Filesize
2.5MB

Download