asyncrat | eb79368e3d08078cd2c59c4e4ad38ead9d44a79253cba084ab8013be126abf03

General

Target

RoyalKing Bootstraper.exe
Size

39KB
MD5

8c723a3169b077a877802649d7f8ad74
SHA1

16650c695bc5966c50229c976916464e36d083bc
SHA256

f9718b38ff60d7521a28816a474e2851537c67576c7c6c7b1c18f8ba3f84375b
SHA512

aaae12062e64f6f4c503d73912bc249e08d20b0caa1fca51236e46818edcd1b9a56467b02ef15376baeaac3dbf8c9d01637498284d144d73d60808b12dae7e9c
SSDEEP

768:cmQZqx1lYcJHNP1divdCxuoLZb69UJpJXbOfq1Ykjhm:c0lYXvIxJLZb6QzbO+jhm

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

172.204.136.22:1604

Mutex

ghbyTnUySCmF

Attributes

delay
3
install
false
install_file
RoyalKing.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000d000000023b60-33.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	RoyalKing Bootstraper.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync.lnk	RoyalKing Bootstraper.exe

Executes dropped EXE 1 IoCs

pid	Process
3152	Sync.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
19	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sync.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
320	RoyalKing Bootstraper.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	320	RoyalKing Bootstraper.exe
Token: SeDebugPrivilege	3152	Sync.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 320 wrote to memory of 2656	320	RoyalKing Bootstraper.exe	83
PID 320 wrote to memory of 2656	320	RoyalKing Bootstraper.exe	83
PID 2656 wrote to memory of 2784	2656	csc.exe	85
PID 2656 wrote to memory of 2784	2656	csc.exe	85
PID 320 wrote to memory of 3152	320	RoyalKing Bootstraper.exe	95
PID 320 wrote to memory of 3152	320	RoyalKing Bootstraper.exe	95
PID 320 wrote to memory of 3152	320	RoyalKing Bootstraper.exe	95

C:\Users\Admin\AppData\Local\Temp\RoyalKing Bootstraper.exe
"C:\Users\Admin\AppData\Local\Temp\RoyalKing Bootstraper.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4kbakvyg\4kbakvyg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85CA.tmp" "c:\Users\Admin\AppData\Local\Temp\4kbakvyg\CSCA8975343FCFD4511B7BD836AAD86645E.TMP"
    3⤵
    PID:2784
- C:\Users\Admin\AppData\Local\Temp\Sync.exe
  "C:\Users\Admin\AppData\Local\Temp\Sync.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4kbakvyg\4kbakvyg.dll

Filesize
3KB

MD5
f800f30e4686f9040a3ed9ab693233b1

SHA1
2485a29579cc97785294d2db00dac84cd5c5992f

SHA256
bf31d881b19356a07b76362357608f8f1712901f6dd110ace00627b877d28fab

SHA512
c3fdf3395683a6678f359fc3895e7815e256cf09b6eaaa87a56bd4c3b007e45e73743278ac957ec9a391e3d5ddfea101bf32d78576541cf0e1b2f820dbfed7c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES85CA.tmp

Filesize
1KB

MD5
7b07ed27d3326158536599f30081b97b

SHA1
11f3fc3415130012be37d30a8677ec7d0b41e037

SHA256
920748a7176cbe98fed179c0bb0bb063b4297f8125785ce3c2bffe0a0b4affd4

SHA512
f5dede2a0a833ee89d99fa08b36ed3eabaeffb33c51f2e7d83b61c66e85bd248b883ca16ac460b113656b8d04665ccdec9696c90937c83f00f0b30363f1f5a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sync.exe

Filesize
45KB

MD5
4d5a086a9634eb694ec941e898fdc3ce

SHA1
3b4ce31fcc765f313c95c6844ae206997dc6702b

SHA256
149990fa6abd66bd9771383560a23894c70696aaeb3b2304768212be1be8f764

SHA512
16546b2d4f361ff0a32ef8314989e28f06bb2ec6b31276031bd7dec4c67ce30e97befb72e962d927cffb57fe283a8de7fa049725f488b3918968c011f9487468

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vysmpkzv.al3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4kbakvyg\4kbakvyg.0.cs

Filesize
298B

MD5
d2dd7b143c5631aa598407bbe81ef5db

SHA1
a5c77b81db6300d7a7eb424875c96e2611d42d83

SHA256
b3ccd5d9083909c89f8201c421434ec38280c051597b5414559c1df7fcf31cfe

SHA512
bd2cc89e16b2d9ffee6e8e32c9474acd2ba1f9db187b26aa0c9dbde8b7e58476e96756cb6d6d46e8b18b7e1c936d4febc093196e690e35f2002c7da6331fbb62

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4kbakvyg\4kbakvyg.cmdline

Filesize
369B

MD5
f32656198a80bdfe82b78802e4fd64fe

SHA1
2b0cc0197fe9e509e523f7fa7f865e57e8eb4fec

SHA256
d486f1acc095dd95487170c36dfd1e636008bfa8731b75fd21ec8b0aef8f44f1

SHA512
1e612d48b309ed26433425873d8de7d9df02ee95e747e57e15178d0e5036ea64b4dd8df27b25556da97031ff513c28d7fbe758b93de9381c4f6d03e397620cbb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4kbakvyg\CSCA8975343FCFD4511B7BD836AAD86645E.TMP

Filesize
652B

MD5
8c998f3c1168d944c4ec368bdbc90006

SHA1
63a64dc3bb90b80933fc8a709baa5f6dbb10bb01

SHA256
22c1d08a5e534ea26928b0d1bcabde97a415c1bf51512edfc6b5c5b57bf0f8a4

SHA512
d4eda61b4169b281f012c0db272de7a0063aee02e70912eccb9b894343934da07b647104b9ccbc67869496abbd24186af5584bf511615ffc60ced692325211bd

Download Submit
memory/320-12-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/320-0-0x00007FFCD54B3000-0x00007FFCD54B5000-memory.dmp

Filesize
8KB

Download
memory/320-25-0x000000001AC60000-0x000000001AC68000-memory.dmp

Filesize
32KB

Download
memory/320-11-0x000000001AC70000-0x000000001AC92000-memory.dmp

Filesize
136KB

Download
memory/320-27-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/320-28-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/320-1-0x0000000000130000-0x0000000000140000-memory.dmp

Filesize
64KB

Download
memory/320-42-0x00007FFCD54B0000-0x00007FFCD5F71000-memory.dmp

Filesize
10.8MB

Download
memory/3152-43-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/3152-46-0x0000000005A00000-0x0000000005A9C000-memory.dmp

Filesize
624KB

Download
memory/3152-47-0x0000000006050000-0x00000000065F4000-memory.dmp

Filesize
5.6MB

Download
memory/3152-48-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing