asyncrat | 0a393957e15c85531debe65786b7758d1102f9f352223dd300703917f3161536

General

Target

3.exe
Size

63KB
MD5

33ea3434e9a9801f718c7b652166013c
SHA1

24f9421b607361865c05f1b5ce4e1e75ce89e064
SHA256

0a393957e15c85531debe65786b7758d1102f9f352223dd300703917f3161536
SHA512

3dd4fdb8e50d27f5a65d0ef2e28f393fadc41a3099ed0e9e293b8b2b8c0c34875abb8ad03a62d9ac975594505537ea24b64f509a252af6e9c4daf374c3a091d2
SSDEEP

1536:fJxFz3FI8Cwof4wJK7bkyyiNuGbb9wmsRIGBZVclN:fJxFz3FI8Cwo7JK7bky/AGbb96JzY

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

fojeweb571-59953.portmap.host:59953

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
windows defender firewall.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b000000023c8c-11.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	3.exe

Executes dropped EXE 1 IoCs

pid	Process
464	windows defender firewall.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3496	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4380	3.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	3.exe
Token: SeDebugPrivilege	464	windows defender firewall.exe
Token: SeDebugPrivilege	4508	taskmgr.exe
Token: SeSystemProfilePrivilege	4508	taskmgr.exe
Token: SeCreateGlobalPrivilege	4508	taskmgr.exe
Token: 33	4508	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4508	taskmgr.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe
4508	taskmgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 2000	4380	3.exe	82
PID 4380 wrote to memory of 2000	4380	3.exe	82
PID 4380 wrote to memory of 4912	4380	3.exe	83
PID 4380 wrote to memory of 4912	4380	3.exe	83
PID 4912 wrote to memory of 3496	4912	cmd.exe	86
PID 4912 wrote to memory of 3496	4912	cmd.exe	86
PID 2000 wrote to memory of 4860	2000	cmd.exe	87
PID 2000 wrote to memory of 4860	2000	cmd.exe	87
PID 4912 wrote to memory of 464	4912	cmd.exe	88
PID 4912 wrote to memory of 464	4912	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA6B0.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3496
- - C:\Users\Admin\AppData\Roaming\windows defender firewall.exe
    "C:\Users\Admin\AppData\Roaming\windows defender firewall.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:464

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA6B0.tmp.bat

Filesize
169B

MD5
77d910225b2482a362d707817e719c9d

SHA1
3db8e09026ca8b87ae5a662578039173de0d1815

SHA256
26599f79c120be3e5f387160e845f9dd7693e4f1140d4afdc74e7025a32449ff

SHA512
2870a9c50907f8c57089a400d7a9b3d63afd7a9df725e3738d45d1478f57bf4aa66370e56dd5729a60a0910e3e9cdd862219bf966f6992996615810d1dc32535

Download Submit
C:\Users\Admin\AppData\Roaming\windows defender firewall.exe

Filesize
63KB

MD5
33ea3434e9a9801f718c7b652166013c

SHA1
24f9421b607361865c05f1b5ce4e1e75ce89e064

SHA256
0a393957e15c85531debe65786b7758d1102f9f352223dd300703917f3161536

SHA512
3dd4fdb8e50d27f5a65d0ef2e28f393fadc41a3099ed0e9e293b8b2b8c0c34875abb8ad03a62d9ac975594505537ea24b64f509a252af6e9c4daf374c3a091d2

Download Submit
memory/4380-0-0x00007FFCE9D23000-0x00007FFCE9D25000-memory.dmp

Filesize
8KB

Download
memory/4380-1-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

Filesize
88KB

Download
memory/4380-2-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4380-7-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4380-8-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

Filesize
10.8MB

Download
memory/4508-14-0x000001B5B1260000-0x000001B5B1261000-memory.dmp

Filesize
4KB

Download
memory/4508-13-0x000001B5B1260000-0x000001B5B1261000-memory.dmp

Filesize
4KB

Download
memory/4508-15-0x000001B5B1260000-0x000001B5B1261000-memory.dmp

Filesize
4KB

Download
memory/4508-24-0x000001B5B1260000-0x000001B5B1261000-memory.dmp

Filesize
4KB

Download
memory/4508-23-0x000001B5B1260000-0x000001B5B1261000-memory.dmp

Filesize
4KB

Download
memory/4508-22-0x000001B5B1260000-0x000001B5B1261000-memory.dmp

Filesize
4KB

Download
memory/4508-21-0x000001B5B1260000-0x000001B5B1261000-memory.dmp

Filesize
4KB

Download
memory/4508-20-0x000001B5B1260000-0x000001B5B1261000-memory.dmp

Filesize
4KB

Download
memory/4508-19-0x000001B5B1260000-0x000001B5B1261000-memory.dmp

Filesize
4KB

Download
memory/4508-25-0x000001B5B1260000-0x000001B5B1261000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads