asyncrat | 86ece09ea423f5fb3b176abcafdc0a38b6854b030918bb7341a65b2857481f6f

General

Target

ryetool.exe
Size

12.3MB
MD5

d584ab9351c9d9bfacd84e17b5eed194
SHA1

5218aed4e0a2ec12d6a85fa1ab61454b6dbe4f6e
SHA256

86ece09ea423f5fb3b176abcafdc0a38b6854b030918bb7341a65b2857481f6f
SHA512

452cb0759ab86af2f92395fdf59c221ba940d048664c8a5884bb0b541ad3179265e1c93fe89a034d0b9b0696b93dbf0937d00cb9f8cb2516ddcec779ba7645d0
SSDEEP

393216:8Sa2mgNe/2js3U8G2JJGzJxJhddkOnxsjM6WctX0Nw:8Sa2m+e/2+U8G2JJ8xfvsjM6/pGw

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

fojeweb571-45302.portmap.host:4782

fojeweb571-45302.portmap.host:45302

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
windows defender firewall.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001d00000002aa61-7.dat	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
2932	roaricle.exe
3856	disable-defender.exe
3044	windows defender firewall.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ryetool.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
672	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
2932	roaricle.exe
3856	disable-defender.exe
3856	disable-defender.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	roaricle.exe
Token: SeDebugPrivilege	3856	disable-defender.exe
Token: SeImpersonatePrivilege	3856	disable-defender.exe
Token: SeDebugPrivilege	3044	windows defender firewall.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1456	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2932	4072	ryetool.exe	77
PID 4072 wrote to memory of 2932	4072	ryetool.exe	77
PID 2932 wrote to memory of 4488	2932	roaricle.exe	78
PID 2932 wrote to memory of 4488	2932	roaricle.exe	78
PID 2932 wrote to memory of 3812	2932	roaricle.exe	80
PID 2932 wrote to memory of 3812	2932	roaricle.exe	80
PID 4072 wrote to memory of 3856	4072	ryetool.exe	82
PID 4072 wrote to memory of 3856	4072	ryetool.exe	82
PID 4488 wrote to memory of 3436	4488	cmd.exe	83
PID 4488 wrote to memory of 3436	4488	cmd.exe	83
PID 3812 wrote to memory of 672	3812	cmd.exe	85
PID 3812 wrote to memory of 672	3812	cmd.exe	85
PID 3812 wrote to memory of 3044	3812	cmd.exe	86
PID 3812 wrote to memory of 3044	3812	cmd.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ryetool.exe
"C:\Users\Admin\AppData\Local\Temp\ryetool.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roaricle.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roaricle.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp850E.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:672
  - - C:\Users\Admin\AppData\Roaming\windows defender firewall.exe
      "C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\disable-defender.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\disable-defender.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3856

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
ad7a569bafd3a938fe348f531b8ef332

SHA1
7fdd2f52d07640047bb62e0f3d3c946ddd85c227

SHA256
f0e06109256d5577e9f62db2c398974c5002bd6d08892f20517760601b705309

SHA512
b762bae338690082d817b3008144926498a1bd2d6d99be33e513c43515808f9a3184bd10254e5c6a1ff90a9211653f066050249030ad9fe0460ec88335b3d423

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\disable-defender.exe

Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roaricle.exe

Filesize
63KB

MD5
9f39043be09533636bbfdd4ec3101f6a

SHA1
1e964ba2a874c24a5fdc430c827a1ba82dc657ab

SHA256
179027517e90f9e8173f63ba247d7c0d414259fdef3a29a5692c85d84dce557d

SHA512
09c0573e2f4db331714d86d32abf9623b5a9560c1e7ac8359a0ef434cc79940143e837a2674aa5140b79e1b1302faf75df9959d184109aad231db78a90139233

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp850E.tmp.bat

Filesize
169B

MD5
23ce65f39715bed77d38fd1e6e2699bb

SHA1
ba18637aba83da322f2668aaf7d7fe34c7f23de5

SHA256
f98dfecb4c5e64b6e7a9f8fd66fef491cedf26f92c8c0f9cf17f4c385c6da677

SHA512
94d063e95eb737d5ffabe49146971cfe7a1861d65c7d2b53fa6fcdcf72bf9c9737c9a15431405ce2bc61f4bb537f602893afcd142f2283a16ef5bef1720ac509

Download Submit
memory/2932-9-0x00007FFBB1873000-0x00007FFBB1875000-memory.dmp

Filesize
8KB

Download
memory/2932-10-0x0000000000E10000-0x0000000000E26000-memory.dmp

Filesize
88KB

Download
memory/2932-11-0x00007FFBB1870000-0x00007FFBB2332000-memory.dmp

Filesize
10.8MB

Download
memory/2932-12-0x00007FFBB1870000-0x00007FFBB2332000-memory.dmp

Filesize
10.8MB

Download
memory/2932-17-0x00007FFBB1870000-0x00007FFBB2332000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads