asyncrat | ba4e656f1e01be59a74dd10864d9bc50d9add5647c2d860a6d1ad183008a39fb

General

Target

bundy.exe
Size

45KB
MD5

7f6f0f84c1ebc50ef5b07b400e3055b9
SHA1

ff1d521cd7e28db6a80fcb6a0937eab2efba8292
SHA256

ba4e656f1e01be59a74dd10864d9bc50d9add5647c2d860a6d1ad183008a39fb
SHA512

ba65999a790f0c76e315e023e69a1d748187ce1f7b4a68ab34618df97265dc5b16663251dcec14b6ee5bcb825094fba8049c088f9ae150edaf8fa62bf6c7fdfb
SSDEEP

768:Fuu11TwQsOnFWUFN1/mo2qD60YFK8oubbbQtTk/nPIAdzjbigX3iyX72osKkPNDo:Fuu11TwSb22YnctTiAAd3bFXSS72osKP

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1604

Mutex

76neALhoLeyJ

Attributes

delay
3
install
true
install_file
bundy.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\bundy.exe	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

bundy.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation bundy.exe
Executes dropped EXE 1 IoCs

Processes:

bundy.exe

pid process

3664 bundy.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	bundy.exe

pid	process
3664	bundy.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exetimeout.exebundy.exeIEXPLORE.EXEbundy.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bundy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bundy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3864 timeout.exe

pid	process
3864	timeout.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a5925e1af387674d896cbd662f92590a000000000200000000001066000000010000200000009632acfd82cebd3670e9d7c4b1ec76addc23e9325ab2db668405eba78cd323a1000000000e80000000020000200000008740b1ee626fb73db45d9dfd4da36c197dd406c9ca0ea7c08a2e6a22cc28f8f120000000bb159cf9070e14c43609a485e2a6c76b229dca33a0c236b61ddab344bcccf01840000000bfae459de3bab31473935a188fde3ab9829216cf1a3bb82ba95187101b41e58f038bfecd26697ececf60232798b99ff78d01233b13aa02107f0d24d55954119d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31144124"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "794056774"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a5925e1af387674d896cbd662f92590a000000000200000000001066000000010000200000005579070c741e2d8692944a3b9e105f4e4809c9339f2d1afa90ef90e99fe2266d000000000e80000000020000200000006d4cc4bed67c25453a80ab63ec91e916ed4bed194e2d95fb368714f0aa41ccd020000000c0a9da372a3649819a24d6c0b3a01802c5ca8b7156d594163f52c14d6e967cf640000000c5649d8deabd2b7fac4235b74e5bfde47cc58e1b23e7ffd88cc7ceaecba3001f2a2dcdd3c9255b819dbcf5e00b6f82a9218687129238149aac131954e4abd5e8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31144124"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5AEACBB8-A4AF-11EF-BD16-E60B6437E69C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0a38032bc38db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "793900955"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80198a32bc38db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

544 schtasks.exe

pid	process
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

bundy.exe

pid	process
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe
4232	bundy.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
676
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bundy.exebundy.exe

description pid process

Token: SeDebugPrivilege 4232 bundy.exe
Token: SeDebugPrivilege 3664 bundy.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2612 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2612 iexplore.exe
2612 iexplore.exe
1204 IEXPLORE.EXE
1204 IEXPLORE.EXE
1204 IEXPLORE.EXE
1204 IEXPLORE.EXE
1204 IEXPLORE.EXE

pid
4
4
4
4
4
676

description	pid	process
Token: SeDebugPrivilege	4232	bundy.exe
Token: SeDebugPrivilege	3664	bundy.exe

pid	process
2612	iexplore.exe

pid	process
2612	iexplore.exe
2612	iexplore.exe
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

bundy.execmd.execmd.exeiexplore.exe

description	pid	process	target process
PID 4232 wrote to memory of 2096	4232	bundy.exe	cmd.exe
PID 4232 wrote to memory of 2096	4232	bundy.exe	cmd.exe
PID 4232 wrote to memory of 2096	4232	bundy.exe	cmd.exe
PID 4232 wrote to memory of 1724	4232	bundy.exe	cmd.exe
PID 4232 wrote to memory of 1724	4232	bundy.exe	cmd.exe
PID 4232 wrote to memory of 1724	4232	bundy.exe	cmd.exe
PID 2096 wrote to memory of 544	2096	cmd.exe	schtasks.exe
PID 2096 wrote to memory of 544	2096	cmd.exe	schtasks.exe
PID 2096 wrote to memory of 544	2096	cmd.exe	schtasks.exe
PID 1724 wrote to memory of 3864	1724	cmd.exe	timeout.exe
PID 1724 wrote to memory of 3864	1724	cmd.exe	timeout.exe
PID 1724 wrote to memory of 3864	1724	cmd.exe	timeout.exe
PID 1724 wrote to memory of 3664	1724	cmd.exe	bundy.exe
PID 1724 wrote to memory of 3664	1724	cmd.exe	bundy.exe
PID 1724 wrote to memory of 3664	1724	cmd.exe	bundy.exe
PID 2612 wrote to memory of 1204	2612	iexplore.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 1204	2612	iexplore.exe	IEXPLORE.EXE
PID 2612 wrote to memory of 1204	2612	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\bundy.exe
"C:\Users\Admin\AppData\Local\Temp\bundy.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "bundy" /tr '"C:\Users\Admin\AppData\Roaming\bundy.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "bundy" /tr '"C:\Users\Admin\AppData\Roaming\bundy.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9A0D.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3864
- - C:\Users\Admin\AppData\Roaming\bundy.exe
    "C:\Users\Admin\AppData\Roaming\bundy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bundy.exe.log

Filesize
522B

MD5
00da7f1e650af65ee27f2c786561d83b

SHA1
071e8622f304964d2350202c1ca9db34d71d29e9

SHA256
706d2dc5cd3f617834859782684b201a324ed5e8edc9bdea38e886341c931776

SHA512
ae22913cafaf59eee00c2775a9c29d110e11b8f9732c9c2ad69acc30f95d59d983ff269d31a5747aff8971bcde31f83fb40dc6a3656ab3d272f35c194bb90b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A0D.tmp.bat

Filesize
149B

MD5
def1f867e7979b6c05ce78731f9ff642

SHA1
d2320fd69f7818d4af084449d7e1a33d47b8d24a

SHA256
e1a35f51556a2447eef9d262e92715ac1cefcdea2c29371acba09521a5bb2ed1

SHA512
9cd52d90ef132b1d4420043de8b0a9029d1711da4a8199455b95b2e687d7beb9d1fdb584f087f3b77943fcaa8ee519fb27b405e298114cde4fdd060f59a7aeae

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF6DC31C9B44AF524C.TMP

Filesize
16KB

MD5
cb93dd7b84bc48eae065caceec0ab631

SHA1
8c6ad73ee1f13556af70255fceddd85861db7ff4

SHA256
0cc591ee3dc19c29f5b71ccff2b13113787c128974422c970fff540d75cdc04a

SHA512
b71414928c8e3286a758fc9ab04afe0281f8430f5f09b9de5405adc587e3e3c201e363d051bb5869ffd9bbeeb299c2b989ec59a6a220631b95adcb637483a700

Download Submit
C:\Users\Admin\AppData\Roaming\bundy.exe

Filesize
45KB

MD5
7f6f0f84c1ebc50ef5b07b400e3055b9

SHA1
ff1d521cd7e28db6a80fcb6a0937eab2efba8292

SHA256
ba4e656f1e01be59a74dd10864d9bc50d9add5647c2d860a6d1ad183008a39fb

SHA512
ba65999a790f0c76e315e023e69a1d748187ce1f7b4a68ab34618df97265dc5b16663251dcec14b6ee5bcb825094fba8049c088f9ae150edaf8fa62bf6c7fdfb

Download Submit
memory/3664-14-0x0000000075350000-0x0000000075B01000-memory.dmp

Filesize
7.7MB

Download
memory/3664-15-0x0000000075350000-0x0000000075B01000-memory.dmp

Filesize
7.7MB

Download
memory/4232-0-0x000000007540E000-0x000000007540F000-memory.dmp

Filesize
4KB

Download
memory/4232-1-0x0000000000790000-0x00000000007A2000-memory.dmp

Filesize
72KB

Download
memory/4232-2-0x0000000075400000-0x0000000075BB1000-memory.dmp

Filesize
7.7MB

Download
memory/4232-3-0x00000000052D0000-0x000000000536C000-memory.dmp

Filesize
624KB

Download
memory/4232-8-0x0000000075400000-0x0000000075BB1000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads