asyncrat | b89c8fb7d60e1ad1593a0f8f71f0ff8627f4cd7cdca0ad816cf88f17e36fa159

Analysis

max time kernel
28s
max time network
17s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-11-2024 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

listenlittlenigger.exe
Size

6.7MB
MD5

42bd70076cbd6bf784ab995852146824
SHA1

e0f1e831775736e856f5325f546c3638f6112775
SHA256

b89c8fb7d60e1ad1593a0f8f71f0ff8627f4cd7cdca0ad816cf88f17e36fa159
SHA512

61b4a3e526e84280df3a26b2d8e7cef969dd45f32f6e857f62e9e2b01b355d22da9430807ab1515b2a4be6c7ef2d4b5520d2c3cc8a5c0152595b9a91c3c38f54
SSDEEP

196608:QsjpAN/kWDGXtGzICteEroxzlxZV3Gu5D4S26/CS3HxTM9:Jj6buGzInErot14S26nxY9

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00290000000450e2-37.dat	family_asyncrat

Loads dropped DLL 4 IoCs

pid	Process
2540	listenlittlenigger.exe
2540	listenlittlenigger.exe
2540	listenlittlenigger.exe
2540	listenlittlenigger.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI35202\\file1.exe"	listenlittlenigger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI35202\\file2.exe"	listenlittlenigger.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\file1.exe	listenlittlenigger.exe
File opened for modification	C:\Windows\System32\file1.exe	listenlittlenigger.exe
File created	C:\Windows\System32\file2.exe	listenlittlenigger.exe
File opened for modification	C:\Windows\System32\file2.exe	listenlittlenigger.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	taskmgr.exe
Token: SeSystemProfilePrivilege	1532	taskmgr.exe
Token: SeCreateGlobalPrivilege	1532	taskmgr.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe
1532	taskmgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 2540	3520	listenlittlenigger.exe	82
PID 3520 wrote to memory of 2540	3520	listenlittlenigger.exe	82
PID 2540 wrote to memory of 3480	2540	listenlittlenigger.exe	83
PID 2540 wrote to memory of 3480	2540	listenlittlenigger.exe	83
PID 2540 wrote to memory of 4792	2540	listenlittlenigger.exe	84
PID 2540 wrote to memory of 4792	2540	listenlittlenigger.exe	84

C:\Users\Admin\AppData\Local\Temp\listenlittlenigger.exe
"C:\Users\Admin\AppData\Local\Temp\listenlittlenigger.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\listenlittlenigger.exe
  "C:\Users\Admin\AppData\Local\Temp\listenlittlenigger.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35202\file1.exe"
    3⤵
    PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35202\file2.exe"
    3⤵
    PID:4792

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI35202\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\_decimal.pyd

Filesize
241KB

MD5
1cdd7239fc63b7c8a2e2bc0a08d9ea76

SHA1
85ef6f43ba1343b30a223c48442a8b4f5254d5b0

SHA256
384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690

SHA512
ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\base_library.zip

Filesize
858KB

MD5
98619f4a9ef4debe1f8e20361c3e5280

SHA1
d6fd1b33527b0a8db0070bfd8c0a75d59ecd8daa

SHA256
ac11659983d0cd24f8cae58fb12ad017a4d4523c9486247d477fbea5bd49f951

SHA512
a39bc78bb4b37f64b2046fe5b9dfc1dfb0b2f5b8733f3bde4a6fa38ed8abaed5992574ea89634294472f2d82f0f0314cd3de093f288076e74213ced58c205434

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\file1.exe

Filesize
1.6MB

MD5
ebb40145a6bfbed88859e41689315d82

SHA1
7bb2c82ef24ef919d04592930bceae039f78aebf

SHA256
e4baeaa3c58628acfd7058b9d434ab2e6a7400445f55685169a79f045810298c

SHA512
67c6601bed14363e6850d93cf2b90c1e4f69c7cd5098d548aa0f378fb42dc6e32fe52cb81aeb232a365a3edb24fdc6ef46f6400cf1709e1d5ee22fa4ac4e07ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\file2.exe

Filesize
74KB

MD5
e16eebd243b2f89c9d9c1d81dc44a09d

SHA1
268c938415c863c330a00747ee9ddd5a7d890ffc

SHA256
fc0118ea892af96231a2f6314fe1f8d19ce5393a04be525e6c977b300d28d3d3

SHA512
dacef3fef80ec8cff1f2ec25ab78fb2e27f430f87512d21e3009fdc4cccddff2ef7c29fa78fe80aca7c32db51bd42d03842f50774690c3d39e25ce6469d25831

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35202\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
memory/1532-44-0x0000026067820000-0x0000026067821000-memory.dmp

Filesize
4KB

Download
memory/1532-43-0x0000026067820000-0x0000026067821000-memory.dmp

Filesize
4KB

Download
memory/1532-42-0x0000026067820000-0x0000026067821000-memory.dmp

Filesize
4KB

Download
memory/1532-54-0x0000026067820000-0x0000026067821000-memory.dmp

Filesize
4KB

Download
memory/1532-53-0x0000026067820000-0x0000026067821000-memory.dmp

Filesize
4KB

Download
memory/1532-52-0x0000026067820000-0x0000026067821000-memory.dmp

Filesize
4KB

Download
memory/1532-51-0x0000026067820000-0x0000026067821000-memory.dmp

Filesize
4KB

Download
memory/1532-50-0x0000026067820000-0x0000026067821000-memory.dmp

Filesize
4KB

Download
memory/1532-49-0x0000026067820000-0x0000026067821000-memory.dmp

Filesize
4KB

Download
memory/1532-48-0x0000026067820000-0x0000026067821000-memory.dmp

Filesize
4KB

Download