asyncrat | a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145

General

Target

Infected.exe
Size

63KB
MD5

c8b877cb0d39bd95d7069f5b4c23612a
SHA1

5fb64bfb87b525c12d424baeb3128ddcde85a4de
SHA256

a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145
SHA512

0b1fb239a7eaad73e9d965e5ffa9b8ad0ebf44e5e799ffb0570eafa4c4895d936619321bf577d89ff6c31b338854d667fafc8317bfea40c7f9a7d6fe397bcab0
SSDEEP

768:tYtz5i7QHEU78j8C8A+Xi+azcBRL5JTk1+T4KSBGHmDbD/ph0oXcpBSuZCdpqKYC:tGIgE8ddSJYUbdh9XuZCdpqKmY7

Score

10^/10

asyncrat default rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

consumer-cms.gl.at.ply.gg:2155

Attributes

delay
1
install
true
install_file
SteamWebHelper.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Infected.exeSteamWebHelper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Infected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SteamWebHelper.exe

Executes dropped EXE 1 IoCs

Processes:

SteamWebHelper.exe

pid process

3996 SteamWebHelper.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4012 timeout.exe
2372 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2804 schtasks.exe

pid	process
3996	SteamWebHelper.exe

pid	process
4012	timeout.exe
2372	timeout.exe

pid	process
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Infected.exeSteamWebHelper.exe

pid	process
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
1040	Infected.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe
3996	SteamWebHelper.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Infected.exeSteamWebHelper.exe

description pid process

Token: SeDebugPrivilege 1040 Infected.exe
Token: SeDebugPrivilege 3996 SteamWebHelper.exe

description	pid	process
Token: SeDebugPrivilege	1040	Infected.exe
Token: SeDebugPrivilege	3996	SteamWebHelper.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Infected.execmd.execmd.exeSteamWebHelper.execmd.execmd.exe

description	pid	process	target process
PID 1040 wrote to memory of 2452	1040	Infected.exe	cmd.exe
PID 1040 wrote to memory of 2452	1040	Infected.exe	cmd.exe
PID 1040 wrote to memory of 2364	1040	Infected.exe	cmd.exe
PID 1040 wrote to memory of 2364	1040	Infected.exe	cmd.exe
PID 2364 wrote to memory of 4012	2364	cmd.exe	timeout.exe
PID 2364 wrote to memory of 4012	2364	cmd.exe	timeout.exe
PID 2452 wrote to memory of 2804	2452	cmd.exe	schtasks.exe
PID 2452 wrote to memory of 2804	2452	cmd.exe	schtasks.exe
PID 2364 wrote to memory of 3996	2364	cmd.exe	SteamWebHelper.exe
PID 2364 wrote to memory of 3996	2364	cmd.exe	SteamWebHelper.exe
PID 3996 wrote to memory of 2380	3996	SteamWebHelper.exe	cmd.exe
PID 3996 wrote to memory of 2380	3996	SteamWebHelper.exe	cmd.exe
PID 3996 wrote to memory of 3756	3996	SteamWebHelper.exe	cmd.exe
PID 3996 wrote to memory of 3756	3996	SteamWebHelper.exe	cmd.exe
PID 3756 wrote to memory of 2372	3756	cmd.exe	timeout.exe
PID 3756 wrote to memory of 2372	3756	cmd.exe	timeout.exe
PID 2380 wrote to memory of 3932	2380	cmd.exe	schtasks.exe
PID 2380 wrote to memory of 3932	2380	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SteamWebHelper" /tr '"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "SteamWebHelper" /tr '"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCDA0.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4012
- - C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe
    "C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "SteamWebHelper"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2380
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "SteamWebHelper"
        5⤵
        
        PID:3932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA83.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAA83.tmp.bat

Filesize
163B

MD5
08db42bf371cb1d2dba1d3b3e701258e

SHA1
7feca3b43068d16c2b2436cb1ae340e6b4755a7f

SHA256
7b41768bd87d2487c9aabc95b60526a7f299cd1b1f2dbacdcc8c6c4de0bbf3f8

SHA512
4eada9898674c03208a7b06f79f2780168857d479e92185f9d8d60ed430585ab6c039367bd1660bc543e5e66caeda92e7c93ff0578bec7be2b5c8230e7efd20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCDA0.tmp.bat

Filesize
158B

MD5
7e6c0e6fa8a4443c65def2776a98243d

SHA1
1c6ac2aa26363ed4daf5ad0e714616ab659992ea

SHA256
b4a92164e46a44b1d6b96cd1318821ec841a25e3450317fbf7fcae820e2fad18

SHA512
82996509611194d0f893b5f6507a4d34fe1968ec92cf760e5f130d32b8aadf78eca7eab77cc0cb665af6a8d79b47fe2704dd0f82d7cfd145e00ea1f088fe4752

Download Submit
C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe

Filesize
63KB

MD5
c8b877cb0d39bd95d7069f5b4c23612a

SHA1
5fb64bfb87b525c12d424baeb3128ddcde85a4de

SHA256
a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145

SHA512
0b1fb239a7eaad73e9d965e5ffa9b8ad0ebf44e5e799ffb0570eafa4c4895d936619321bf577d89ff6c31b338854d667fafc8317bfea40c7f9a7d6fe397bcab0

Download Submit
memory/1040-7-0x00007FFDCF480000-0x00007FFDCFF41000-memory.dmp

Filesize
10.8MB

Download
memory/1040-8-0x00007FFDCF480000-0x00007FFDCFF41000-memory.dmp

Filesize
10.8MB

Download
memory/1040-0-0x00007FFDCF483000-0x00007FFDCF485000-memory.dmp

Filesize
8KB

Download
memory/1040-2-0x00007FFDCF480000-0x00007FFDCFF41000-memory.dmp

Filesize
10.8MB

Download
memory/1040-15-0x00007FFDCF480000-0x00007FFDCFF41000-memory.dmp

Filesize
10.8MB

Download
memory/1040-1-0x0000000000D20000-0x0000000000D36000-memory.dmp

Filesize
88KB

Download
memory/3996-16-0x000000001B7C0000-0x000000001B836000-memory.dmp

Filesize
472KB

Download
memory/3996-17-0x0000000002C30000-0x0000000002C84000-memory.dmp

Filesize
336KB

Download
memory/3996-18-0x0000000002CA0000-0x0000000002CBE000-memory.dmp

Filesize
120KB

Download
memory/3996-19-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/3996-20-0x000000001D9B0000-0x000000001DA14000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads