Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2024 11:49

Behavioral task: behavioral1
Sample: AsyncClient.exe
Resource: win7-20240708-en

General
Target: AsyncClient.exe
Size: 47KB
MD5: 678c7b99496c1e045a6f8a7072f41902
SHA1: fbc4bf034a1d4b0b7f0777da3dbf63ba2ea7d5de
SHA256: b89c64e6cb8ac56910849b3340322f3ed1aa77be3aee2a9e081ff08819ce43bd
SHA512: ac152cb621f2503178f82dfca62816cb13c91551c3f0c181c245117b3a1e2d9dbe022dce109f8e192d74e31c251a857770974f03c5f2b528017fe66e79195fc6
SSDEEP: 768:QuYH9T3kH1jWUvTqRmo2qbcrFgnNyGzYk5PIqPESVOs0bXbva5XPfG1tRulaADVg:QuYH9T34y2nFg7X2qPJEbDatPfG1tRue
Malware Config
Extracted:
family: asyncrat
version: 0.5.8
Default
juGfnQMxS4Ze
delay: 3
install: true
install_file: Sync.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/s14cUU5G

With install set to true the client copies itself to install_folder\install_file, which in this run resolves to C:\Users\Admin\AppData\Roaming\Sync.exe, the same path the scheduled task in the process tree points at. pastebin_config means the C2 host:port is not stored in the binary but fetched from that pastebin raw URL at run time, which is why the only network indicators on this page are the two flows to pastebin.com; blocking the sample's hashes does nothing about a C2 address that can be changed by editing the paste.
Signatures

Asyncrat family

Async RAT payload (1 IoC)
resource: behavioral2/files/0x0007000000023c97-11.dat
yara_rule: family_asyncrat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation
Process: AsyncClient.exe

Executes dropped EXE (1 IoC)
pid 1592  Sync.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow 16  pastebin.com
flow 17  pastebin.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes: AsyncClient.exe, cmd.exe, cmd.exe, schtasks.exe, timeout.exe, Sync.exe (one IoC each)

Delays execution with timeout.exe (1 IoC)
pid 1340  timeout.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid 2588  schtasks.exe

Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid 4192  AsyncClient.exe (23 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege  pid 4192  AsyncClient.exe
Token: SeDebugPrivilege  pid 1592  Sync.exe

Suspicious use of WriteProcessMemory (15 IoCs)
pid   Process          target pid  procid_target  count
4192  AsyncClient.exe  5060        88             3
4192  AsyncClient.exe  672         90             3
5060  cmd.exe          2588        92             3
672   cmd.exe          1340        93             3
672   cmd.exe          1592        96             3

The five parent/child pairs in the WriteProcessMemory table are the process tree below; each pair is recorded three times, so the 15 IoCs describe only five process creations.
Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe (PID 4192)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 5060, parent 4192)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Sync" /tr '"C:\Users\Admin\AppData\Roaming\Sync.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 2588, parent 5060)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Sync" /tr '"C:\Users\Admin\AppData\Roaming\Sync.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Windows\SysWOW64\cmd.exe (PID 672, parent 4192)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBA28.tmp.bat""
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe (PID 1340, parent 672)
      Command line: timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\Sync.exe (PID 1592, parent 672)
      Command line: "C:\Users\Admin\AppData\Roaming\Sync.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

Two points worth noting when turning this tree into detections. The image paths say SysWOW64 while the command lines say System32: the sample is a 32-bit process (arch:x86 in the resource tags), so its System32 references are redirected by WoW64, and a rule keyed on the literal System32 path will miss it. Persistence is a logon-triggered task named "Sync" with /rl highest that runs the copy in AppData\Roaming; the batch file in Temp merely waits (timeout 3) and then starts that copy, which is the "Executes dropped EXE" event.
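As an added example, not code from this sandbox report or from AsyncRAT, the following Python rebuilds the install chain above as Sysmon-style process-creation records and runs three detection rules over them: a schtasks /create with a logon, boot or periodic trigger whose /tr target lives in a user-writable directory; cmd.exe launching a .bat out of a Temp directory; and a cmd.exe that runs timeout.exe and then an executable from a user-writable path while its own parent also runs from one. The rows are constructed from the PIDs and command lines in this report (the root process's parent PID and a benign control row are made up), and the field names pid, ppid, image and cmdline as well as the user-writable directory list are assumptions.

```python
"""Added example: detection rules over process-creation events modelled on the
AsyncRAT install chain in this report. Not code from the report or from AsyncRAT.
Field names (pid, ppid, image, cmdline) and the user-writable directory list are
assumptions; the event rows are constructed from the PIDs and command lines above,
plus one benign control row (pid 7000)."""
import re
from collections import defaultdict

# Directories a standard user can write to; a persistent task pointing here is suspect.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Temp)\\", re.IGNORECASE)
# The /tr value may be wrapped in single quotes, double quotes, or nothing at all.
TR_ARG = re.compile(r"/tr\s+(?P<v>'[^']*'|\"[^\"]*\"|\S+)", re.IGNORECASE)
SC_ARG = re.compile(r"/sc\s+(?P<v>\w+)", re.IGNORECASE)
TEMP_BAT = re.compile(r"\\Temp\\[^\"\s]+\.bat\b", re.IGNORECASE)
PERSISTENT_TRIGGERS = {"onlogon", "onstart", "minute", "hourly"}

# Constructed events (Sysmon EID 1 style) taken from the process tree in this report.
EVENTS = [
    # ppid 1000 for the root process is assumed; the report does not show its parent.
    {"pid": 4192, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"'},
    {"pid": 5060, "ppid": 4192, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Sync" /tr '"C:\Users\Admin\AppData\Roaming\Sync.exe"' & exit'''},
    {"pid": 2588, "ppid": 5060, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'''schtasks /create /f /sc onlogon /rl highest /tn "Sync" /tr '"C:\Users\Admin\AppData\Roaming\Sync.exe"' '''},
    {"pid": 672, "ppid": 4192, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBA28.tmp.bat""'},
    {"pid": 1340, "ppid": 672, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 3"},
    {"pid": 1592, "ppid": 672, "image": r"C:\Users\Admin\AppData\Roaming\Sync.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Sync.exe"'},
    # Benign control (constructed): a daily task pointing into Program Files must not fire.
    {"pid": 7000, "ppid": 6000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_autorun_from_user_dir(ev):
    """Return the /tr target if schtasks creates a logon/boot/periodic task whose
    action lives in a user-writable directory, else None."""
    if basename(ev["image"]) != "schtasks.exe" or "/create" not in ev["cmdline"].lower():
        return None
    sc, tr = SC_ARG.search(ev["cmdline"]), TR_ARG.search(ev["cmdline"])
    if not sc or not tr or sc.group("v").lower() not in PERSISTENT_TRIGGERS:
        return None
    target = tr.group("v").strip("'\"")
    return target if USER_WRITABLE.search(target) else None


def temp_bat_launcher(ev):
    """Return the matched .bat fragment if cmd.exe launches a batch file from a Temp directory."""
    if basename(ev["image"]) != "cmd.exe":
        return None
    m = TEMP_BAT.search(ev["cmdline"])
    return m.group(0) if m else None


def timeout_then_dropped_exe(events):
    """PIDs of executables started from a user-writable path by a cmd.exe that also ran
    timeout.exe, where that cmd.exe's parent itself runs from a user-writable path:
    the dropper -> batch -> delayed start of the installed copy pattern."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for cmd in events:
        if basename(cmd["image"]) != "cmd.exe":
            continue
        kids = children[cmd["pid"]]
        parent = by_pid.get(cmd["ppid"])
        if parent is None or not USER_WRITABLE.search(parent["image"]):
            continue
        if not any(basename(k["image"]) == "timeout.exe" for k in kids):
            continue
        hits.extend(k["pid"] for k in kids
                    if basename(k["image"]) != "timeout.exe" and USER_WRITABLE.search(k["image"]))
    return hits


def ancestry(events, pid):
    """Image basenames from pid up to the highest ancestor present in the event set."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def run_rules(events):
    """Return (rule, pid, detail) findings in event order, then the chain rule's hits."""
    findings = []
    for ev in events:
        target = schtasks_autorun_from_user_dir(ev)
        if target:
            findings.append(("schtasks_autorun_from_user_dir", ev["pid"], target))
        bat = temp_bat_launcher(ev)
        if bat:
            findings.append(("temp_bat_launcher", ev["pid"], bat))
    by_pid = {e["pid"]: e for e in events}
    for pid in timeout_then_dropped_exe(events):
        findings.append(("timeout_then_dropped_exe", pid, by_pid[pid]["image"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in run_rules(EVENTS):
        print(f"{rule}: pid {pid} ({detail}); chain: {' <- '.join(ancestry(EVENTS, pid))}")
```

Against the constructed rows this flags schtasks.exe 2588 (onlogon task whose target is under AppData\Roaming), cmd.exe 672 (batch launched from Temp) and Sync.exe 1592 (started after timeout.exe by a cmd.exe whose parent ran from Temp), and leaves the benign daily task alone. On real telemetry the same three functions map onto Sysmon Event ID 1 fields (Image, CommandLine, ParentProcessId); the parent/child edges that the ancestry helper walks are exactly what the WriteProcessMemory table in this report records.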
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 148B
MD5: fbdf5f4cef856023bf7f334d770df363
SHA1: 4d6adbb957e7a1c979430703f95c3647d4f956d8
SHA256: a433e9f12592fd68aa68a7dfdf838cb4cbf3e85286ddbf66b89d1f5d79687c7f
SHA512: 22d422f20a416ca57be066e89a95059da5a89b4b7169a0291a9229e82606fc592790f5466bbfc060ddd7841f0a0a2fbd572a48d5c149979f2b5b6f07a0d2981b

File 2
Filesize: 47KB
MD5: 678c7b99496c1e045a6f8a7072f41902
SHA1: fbc4bf034a1d4b0b7f0777da3dbf63ba2ea7d5de
SHA256: b89c64e6cb8ac56910849b3340322f3ed1aa77be3aee2a9e081ff08819ce43bd
SHA512: ac152cb621f2503178f82dfca62816cb13c91551c3f0c181c245117b3a1e2d9dbe022dce109f8e192d74e31c251a857770974f03c5f2b528017fe66e79195fc6

The page does not name the downloaded files. The 47KB file carries exactly the same MD5, SHA1, SHA256 and SHA512 as the submitted sample, so the persisted copy in AppData\Roaming is byte-identical to AsyncClient.exe and any hash-based block or hunt for the original also matches it; the 148B file is a separate artefact and should be hunted by its own hashes.