asyncrat | 0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe
Size

254KB
MD5

8998bde874fb3f70d4a85e75d73307a0
SHA1

736cf3ce54743948e11b34c8d03a8f7d9b0df1db
SHA256

0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4
SHA512

2561c4dc5f160ccb13106ccc429548b8a1f55817c6fc789f5635b4ea6a9850263d4d03154e5f1ee8b0baaa58590daf7f3ddce3c7cb83b523737d21123c3b09dd
SSDEEP

3072:9B+Xhpk9KoCfzSz4RcKxm8ALazIG3f4zezLBk1qEHBAnpK37nXC8T0u3Q7XdPsHS:LQKC04lLsqzNk1S8xodPSWMP9kdp

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

doekdesktop-31952.portmap.host:31952

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4808-13-0x0000000000CC0000-0x0000000000CD6000-memory.dmp	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
4808	wininit.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3212	timeout.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe
Token: SeDebugPrivilege	4808	wininit.exe
Token: SeDebugPrivilege	4808	wininit.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1432	2504	0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe	91
PID 2504 wrote to memory of 1432	2504	0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe	91
PID 1432 wrote to memory of 3212	1432	cmd.exe	93
PID 1432 wrote to memory of 3212	1432	cmd.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe
"C:\Users\Admin\AppData\Local\Temp\0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4N.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp91C0.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3212

C:\Users\Admin\AppData\Roaming\wininit.exe
C:\Users\Admin\AppData\Roaming\wininit.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp91C0.tmp.bat

Filesize
217B

MD5
bb54cb21e2e330c67a0ec2fdd6db15ba

SHA1
ecd93a14130d21174c8ddb31be10a167dd267160

SHA256
575d6e242c9a84a559cd4e9d3b55ae43af86774bf8b0751aee2c919a74114f74

SHA512
15183131dabd0eb6680413653e3aee283062b1a2de1f2d5acfc06e75e30b83e7ccbbb826587f04782ecdfeda2f7a229ae0e0bd5e405df212aad0c8f952100d60

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe

Filesize
254KB

MD5
8998bde874fb3f70d4a85e75d73307a0

SHA1
736cf3ce54743948e11b34c8d03a8f7d9b0df1db

SHA256
0d1549d4f444f0dc08ae65a62a8d79cf53e3b112fdb4fb01fc0bb14c4a0104c4

SHA512
2561c4dc5f160ccb13106ccc429548b8a1f55817c6fc789f5635b4ea6a9850263d4d03154e5f1ee8b0baaa58590daf7f3ddce3c7cb83b523737d21123c3b09dd

Download Submit
memory/2504-0-0x00007FFC6E913000-0x00007FFC6E915000-memory.dmp

Filesize
8KB

Download
memory/2504-1-0x0000000000BD0000-0x0000000000C16000-memory.dmp

Filesize
280KB

Download
memory/2504-7-0x00007FFC6E910000-0x00007FFC6F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/2504-9-0x00007FFC6E910000-0x00007FFC6F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-12-0x00007FFC6E910000-0x00007FFC6F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-14-0x00007FFC6E910000-0x00007FFC6F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-13-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

Filesize
88KB

Download
memory/4808-15-0x00007FFC6E910000-0x00007FFC6F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4808-16-0x00007FFC6E910000-0x00007FFC6F3D1000-memory.dmp

Filesize
10.8MB

Download