Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/11/2024, 01:15 UTC

General

  • Target

    AsyncClient.exe

  • Size

    47KB

  • MD5

    ee97dc0328ea5ef92cdadeb280891591

  • SHA1

    916924ecdb96aa0ec227b12df2af8f5038f239ab

  • SHA256

    44b6e2af6e5e547cfc9c2c3607bd7cda4785688b60720c5501968b536ce331c9

  • SHA512

    52ecca0f00d47f9bffc50bb516988715ae2c1aaf96f3a5bb132619ebbd8a370c9eef0f33d5b67accc2ffe2187e60564fa353eef037b35be9159f17aad6e621c2

  • SSDEEP

    768:Zu6ZdTAYhbJWUh9Nzmo2qLxRQSJPVW1QMCfPIKSxlJpmqH0bAYpHZ+6GGAPMtV0g:Zu6ZdTAur2uQadMC4KSrvUbAYqMAknkU

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

listed-academics.gl.at.ply.gg:10068

Mutex

f7BTmla4eysw

Attributes
  • delay

    3

  • install

    true

  • install_file

    das.exe

  • install_folder

    %AppData%

  • aes.plain

    kiCGkEorndDiZ6DUqQLX2F0Cr1Rs55wK

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
    "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "das" /tr '"C:\Users\Admin\AppData\Roaming\das.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "das" /tr '"C:\Users\Admin\AppData\Roaming\das.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1516
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDAC5.tmp.bat""
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:1780
      • C:\Users\Admin\AppData\Roaming\das.exe
        "C:\Users\Admin\AppData\Roaming\das.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2900

Network

  • DNS (US)
    listed-academics.gl.at.ply.gg
    das.exe
    Remote address:
    8.8.8.8:53
    Request
    listed-academics.gl.at.ply.gg
    IN A
    Response
    listed-academics.gl.at.ply.gg
    IN A
    147.185.221.24
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    368 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    364 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    368 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    364 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    368 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    364 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    368 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    364 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    368 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    364 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    368 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    364 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    368 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    364 B
    172 B
    4
    4
  • 147.185.221.24:10068
    listed-academics.gl.at.ply.gg
    tls
    das.exe
    503 B
    172 B
    5
    4
  • 8.8.8.8:53
    listed-academics.gl.at.ply.gg
    dns
    das.exe
    75 B
    91 B
    1
    1

    DNS Request

    listed-academics.gl.at.ply.gg

    DNS Response

    147.185.221.24

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDAC5.tmp.bat

    Filesize

    147B

    MD5

    e9a5a6dba9efe7fe40c1c8a4643e02aa

    SHA1

    1bb333c33d0c7a907fdc9badb5e855d6d5914c64

    SHA256

    819336b31ab119c2de975b2267ce2455af32a5753247db92952e17e56fc2cda3

    SHA512

    db112bec9a1d2e79cd5c80557eb08ed7fe8341f9780d5a8e436a9d49991f85b5c03ad42658f91e2120df65159cc3cd48f9d485e5280f9dd2514ff64829b7acf2

  • \Users\Admin\AppData\Roaming\das.exe

    Filesize

    47KB

    MD5

    ee97dc0328ea5ef92cdadeb280891591

    SHA1

    916924ecdb96aa0ec227b12df2af8f5038f239ab

    SHA256

    44b6e2af6e5e547cfc9c2c3607bd7cda4785688b60720c5501968b536ce331c9

    SHA512

    52ecca0f00d47f9bffc50bb516988715ae2c1aaf96f3a5bb132619ebbd8a370c9eef0f33d5b67accc2ffe2187e60564fa353eef037b35be9159f17aad6e621c2

  • memory/2652-0-0x00000000748CE000-0x00000000748CF000-memory.dmp

    Filesize

    4KB

  • memory/2652-1-0x0000000000940000-0x0000000000952000-memory.dmp

    Filesize

    72KB

  • memory/2652-2-0x00000000748C0000-0x0000000074FAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2652-12-0x00000000748C0000-0x0000000074FAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2900-16-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

    Filesize

    72KB
