asyncrat | 0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4

General

Target

0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe
Size

254KB
MD5

8998bde874fb3f70d4a85e75d73307a0
SHA1

736cf3ce54743948e11b34c8d03a8f7d9b0df1db
SHA256

0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4
SHA512

2561c4dc5f160ccb13106ccc429548b8a1f55817c6fc789f5635b4ea6a9850263d4d03154e5f1ee8b0baaa58590daf7f3ddce3c7cb83b523737d21123c3b09dd
SSDEEP

3072:9B+Xhpk9KoCfzSz4RcKxm8ALazIG3f4zezLBk1qEHBAnpK37nXC8T0u3Q7XdPsHS:LQKC04lLsqzNk1S8xodPSWMP9kdp

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

doekdesktop-31952.portmap.host:31952

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2892-19-0x0000000000160000-0x0000000000176000-memory.dmp	family_asyncrat

Deletes itself 1 IoCs

pid	Process
2920	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	wininit.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3048	timeout.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe
Token: SeDebugPrivilege	2892	wininit.exe
Token: SeDebugPrivilege	2892	wininit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2920	2856	0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe	31
PID 2856 wrote to memory of 2920	2856	0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe	31
PID 2856 wrote to memory of 2920	2856	0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe	31
PID 2920 wrote to memory of 3048	2920	cmd.exe	33
PID 2920 wrote to memory of 3048	2920	cmd.exe	33
PID 2920 wrote to memory of 3048	2920	cmd.exe	33
PID 2860 wrote to memory of 2892	2860	taskeng.exe	34
PID 2860 wrote to memory of 2892	2860	taskeng.exe	34
PID 2860 wrote to memory of 2892	2860	taskeng.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe
"C:\Users\Admin\AppData\Local\Temp\0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8E7A.tmp.bat""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3048

C:\Windows\system32\taskeng.exe
taskeng.exe {152F60B9-64F5-4EA8-9899-83B5BA62638A} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Roaming\wininit.exe
  C:\Users\Admin\AppData\Roaming\wininit.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8E7A.tmp.bat

Filesize
217B

MD5
8cde04e2ad11bafc1a7d365cb5cdf665

SHA1
16a12e5c549845dc573bf508860769ce38491224

SHA256
b50ce4a425f611fe174ee83794d20d5589e65ff15ee97422e2daa69fed7001d1

SHA512
ef3b91a81354fae06fee069df471f01dff6c9a66b3db5c9ba1db76cc2f849502fdc8ded4018da229f8eb34f1bebd19cc203d36ddaa9f5b8be5356d62003ccc04

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe

Filesize
254KB

MD5
8998bde874fb3f70d4a85e75d73307a0

SHA1
736cf3ce54743948e11b34c8d03a8f7d9b0df1db

SHA256
0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4

SHA512
2561c4dc5f160ccb13106ccc429548b8a1f55817c6fc789f5635b4ea6a9850263d4d03154e5f1ee8b0baaa58590daf7f3ddce3c7cb83b523737d21123c3b09dd

Download Submit
memory/2856-0-0x000007FEF6BB3000-0x000007FEF6BB4000-memory.dmp

Filesize
4KB

Download
memory/2856-1-0x0000000000F70000-0x0000000000FB6000-memory.dmp

Filesize
280KB

Download
memory/2856-12-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/2856-21-0x000007FEF6BB0000-0x000007FEF759C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-17-0x0000000000F20000-0x0000000000F66000-memory.dmp

Filesize
280KB

Download
memory/2892-18-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2892-19-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/2892-20-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2892-16-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2892-22-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2892-23-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing