asyncrat | a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145

General

Target

Infected.exe
Size

63KB
MD5

c8b877cb0d39bd95d7069f5b4c23612a
SHA1

5fb64bfb87b525c12d424baeb3128ddcde85a4de
SHA256

a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145
SHA512

0b1fb239a7eaad73e9d965e5ffa9b8ad0ebf44e5e799ffb0570eafa4c4895d936619321bf577d89ff6c31b338854d667fafc8317bfea40c7f9a7d6fe397bcab0
SSDEEP

768:tYtz5i7QHEU78j8C8A+Xi+azcBRL5JTk1+T4KSBGHmDbD/ph0oXcpBSuZCdpqKYC:tGIgE8ddSJYUbdh9XuZCdpqKmY7

Score

10^/10

asyncrat default evasion rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

consumer-cms.gl.at.ply.gg:2155

Attributes

delay
1
install
true
install_file
SteamWebHelper.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

SteamWebHelper.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	SteamWebHelper.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	SteamWebHelper.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	SteamWebHelper.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	SteamWebHelper.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

SteamWebHelper.exe

pid process

1732 SteamWebHelper.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

SteamWebHelper.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" SteamWebHelper.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1624 timeout.exe
4556 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

3024 schtasks.exe

pid	process
1732	SteamWebHelper.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	SteamWebHelper.exe

pid	process
1624	timeout.exe
4556	timeout.exe

pid	process
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Infected.exeSteamWebHelper.exe

pid	process
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
3068	Infected.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe
1732	SteamWebHelper.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Infected.exeSteamWebHelper.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3068	Infected.exe
Token: SeDebugPrivilege	1732	SteamWebHelper.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Infected.execmd.execmd.exeSteamWebHelper.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 3040	3068	Infected.exe	cmd.exe
PID 3068 wrote to memory of 3040	3068	Infected.exe	cmd.exe
PID 3068 wrote to memory of 1372	3068	Infected.exe	cmd.exe
PID 3068 wrote to memory of 1372	3068	Infected.exe	cmd.exe
PID 1372 wrote to memory of 1624	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 1624	1372	cmd.exe	timeout.exe
PID 3040 wrote to memory of 3024	3040	cmd.exe	schtasks.exe
PID 3040 wrote to memory of 3024	3040	cmd.exe	schtasks.exe
PID 1372 wrote to memory of 1732	1372	cmd.exe	SteamWebHelper.exe
PID 1372 wrote to memory of 1732	1372	cmd.exe	SteamWebHelper.exe
PID 1732 wrote to memory of 2136	1732	SteamWebHelper.exe	powershell.exe
PID 1732 wrote to memory of 2136	1732	SteamWebHelper.exe	powershell.exe
PID 1732 wrote to memory of 4292	1732	SteamWebHelper.exe	powershell.exe
PID 1732 wrote to memory of 4292	1732	SteamWebHelper.exe	powershell.exe
PID 1732 wrote to memory of 3432	1732	SteamWebHelper.exe	cmd.exe
PID 1732 wrote to memory of 3432	1732	SteamWebHelper.exe	cmd.exe
PID 1732 wrote to memory of 4820	1732	SteamWebHelper.exe	cmd.exe
PID 1732 wrote to memory of 4820	1732	SteamWebHelper.exe	cmd.exe
PID 4820 wrote to memory of 4556	4820	cmd.exe	timeout.exe
PID 4820 wrote to memory of 4556	4820	cmd.exe	timeout.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SteamWebHelper" /tr '"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "SteamWebHelper" /tr '"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp928B.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1624
- - C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe
    "C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "SteamWebHelper"
      4⤵
      PID:3432
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "SteamWebHelper"
        5⤵
        
        PID:2624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B6E.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ubbjf23d.pyc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B6E.tmp.bat

Filesize
163B

MD5
bf12292ca1163fb5261278b56c9cb9c3

SHA1
0bcb6343547aee5d152246d6b0cddf8e905647ff

SHA256
1e62e09da8f52728fa81789b14eed67e1539bf14af60f1c07bd439f929ca8669

SHA512
fb3c47e013c5240962ee81c268118f23284ffb4816b66c06bc78105e2ebf015302f551750d497152f7d5ead01f4f8d3c07fdcf1de36e75a8c571511c228ef30f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp928B.tmp.bat

Filesize
158B

MD5
f12402c80e898d76fac6010c6ee10b54

SHA1
49039ed18a89ca6a051daa78565faafe9c5baa9d

SHA256
2b79cfd3dbf14c0dcdd64822514216950350578e25f8bf98e2d397eca609afef

SHA512
24093ffb78ebfe7e79ef7fa60ec8ec0d6061fecc909fe011f02b2486f7fdd5faa0e53c15ed4d0436043c76af8effa663fae029386b983fd83777e50fa186ed0f

Download Submit
C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe

Filesize
63KB

MD5
c8b877cb0d39bd95d7069f5b4c23612a

SHA1
5fb64bfb87b525c12d424baeb3128ddcde85a4de

SHA256
a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145

SHA512
0b1fb239a7eaad73e9d965e5ffa9b8ad0ebf44e5e799ffb0570eafa4c4895d936619321bf577d89ff6c31b338854d667fafc8317bfea40c7f9a7d6fe397bcab0

Download Submit
memory/1732-43-0x000000001DD30000-0x000000001DEE3000-memory.dmp

Filesize
1.7MB

Download
memory/1732-42-0x000000001D330000-0x000000001D362000-memory.dmp

Filesize
200KB

Download
memory/1732-16-0x000000001D170000-0x000000001D1C4000-memory.dmp

Filesize
336KB

Download
memory/1732-17-0x000000001D1C0000-0x000000001D1DE000-memory.dmp

Filesize
120KB

Download
memory/1732-18-0x000000001B030000-0x000000001B040000-memory.dmp

Filesize
64KB

Download
memory/1732-19-0x000000001D270000-0x000000001D2A4000-memory.dmp

Filesize
208KB

Download
memory/1732-15-0x000000001D1F0000-0x000000001D266000-memory.dmp

Filesize
472KB

Download
memory/1732-52-0x000000001DD30000-0x000000001DEE3000-memory.dmp

Filesize
1.7MB

Download
memory/1732-48-0x000000001B770000-0x000000001B7D4000-memory.dmp

Filesize
400KB

Download
memory/2136-25-0x00000202F9A10000-0x00000202F9A32000-memory.dmp

Filesize
136KB

Download
memory/3068-2-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

Filesize
10.8MB

Download
memory/3068-8-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

Filesize
10.8MB

Download
memory/3068-0-0x00007FFC85053000-0x00007FFC85055000-memory.dmp

Filesize
8KB

Download
memory/3068-3-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

Filesize
10.8MB

Download
memory/3068-1-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads