asyncrat | 716b12fa63c467b57e24182ae3af25b738fc589f3f4f0aa5c516190f3eefbf00

General

Target

Client.exe
Size

48KB
MD5

77ca225fb7c84aad1e8ee9ead0110b4c
SHA1

b26e40f8e945f4db6621d7ca5a575a84c0565f91
SHA256

716b12fa63c467b57e24182ae3af25b738fc589f3f4f0aa5c516190f3eefbf00
SHA512

e8f2138cd82714ba58a30d9b48c7e61a6c42b17db297c332e078db544575404382ccf16dbd5bd0aced9342186b05b65a1da0426062b10729a40123a5887e3bbb
SSDEEP

768:ywpRILv+sx+LiEtelDSN+iV08YbygeYslsoo7RSYFr0bvEgK/JfZVc6KN:ywcpEtKDs4zb10rqjF4nkJfZVclN

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:8848

127.0.0.1:59953

fojeweb571-59953.portmap.host:8848

fojeweb571-59953.portmap.host:59953

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
windows defender firewall required.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000023c97-11.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	windows defender firewall required.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1488	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2228	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
2004	Client.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	Client.exe
Token: SeDebugPrivilege	2864	windows defender firewall required.exe
Token: SeDebugPrivilege	3564	taskmgr.exe
Token: SeSystemProfilePrivilege	3564	taskmgr.exe
Token: SeCreateGlobalPrivilege	3564	taskmgr.exe
Token: 33	3564	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3564	taskmgr.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe

Suspicious use of SendNotifyMessage 39 IoCs

pid	Process
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe
3564	taskmgr.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 4448	2004	Client.exe	83
PID 2004 wrote to memory of 4448	2004	Client.exe	83
PID 2004 wrote to memory of 2284	2004	Client.exe	85
PID 2004 wrote to memory of 2284	2004	Client.exe	85
PID 2284 wrote to memory of 1488	2284	cmd.exe	89
PID 2284 wrote to memory of 1488	2284	cmd.exe	89
PID 4448 wrote to memory of 2228	4448	cmd.exe	88
PID 4448 wrote to memory of 2228	4448	cmd.exe	88
PID 2284 wrote to memory of 2864	2284	cmd.exe	91
PID 2284 wrote to memory of 2864	2284	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall required" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "windows defender firewall required" /tr '"C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD699.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1488
- - C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe
    "C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2864

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD699.tmp.bat

Filesize
178B

MD5
c5f907aa1c85e0d3fa2598e5ef396b5a

SHA1
f72f666e4f67f992ec63d26f220da1dc3abd25e4

SHA256
60bc8dad9b426b82002eab9fec0748b60cb6cda6d1d1804f0f4e69c2e27ac864

SHA512
b5baecfb8330c54e80daf4ef8b7514e86c095243f763d119b1e1f3b96bc0b4fa3fd14a358894ad09e22dc9ba3e5042410e1bcf8eb6ff25120255d6b2e1e9c10d

Download Submit
C:\Users\Admin\AppData\Roaming\windows defender firewall required.exe

Filesize
48KB

MD5
77ca225fb7c84aad1e8ee9ead0110b4c

SHA1
b26e40f8e945f4db6621d7ca5a575a84c0565f91

SHA256
716b12fa63c467b57e24182ae3af25b738fc589f3f4f0aa5c516190f3eefbf00

SHA512
e8f2138cd82714ba58a30d9b48c7e61a6c42b17db297c332e078db544575404382ccf16dbd5bd0aced9342186b05b65a1da0426062b10729a40123a5887e3bbb

Download Submit
memory/2004-0-0x00007FFD0C0D3000-0x00007FFD0C0D5000-memory.dmp

Filesize
8KB

Download
memory/2004-1-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2004-2-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/2004-7-0x00007FFD0C0D0000-0x00007FFD0CB91000-memory.dmp

Filesize
10.8MB

Download
memory/3564-13-0x0000011F5B210000-0x0000011F5B211000-memory.dmp

Filesize
4KB

Download
memory/3564-14-0x0000011F5B210000-0x0000011F5B211000-memory.dmp

Filesize
4KB

Download
memory/3564-12-0x0000011F5B210000-0x0000011F5B211000-memory.dmp

Filesize
4KB

Download
memory/3564-24-0x0000011F5B210000-0x0000011F5B211000-memory.dmp

Filesize
4KB

Download
memory/3564-23-0x0000011F5B210000-0x0000011F5B211000-memory.dmp

Filesize
4KB

Download
memory/3564-22-0x0000011F5B210000-0x0000011F5B211000-memory.dmp

Filesize
4KB

Download
memory/3564-21-0x0000011F5B210000-0x0000011F5B211000-memory.dmp

Filesize
4KB

Download
memory/3564-20-0x0000011F5B210000-0x0000011F5B211000-memory.dmp

Filesize
4KB

Download
memory/3564-19-0x0000011F5B210000-0x0000011F5B211000-memory.dmp

Filesize
4KB

Download
memory/3564-18-0x0000011F5B210000-0x0000011F5B211000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads