asyncrat | 94d46e8b9788023fe37638002c39e84c3f00c473e69eb8a48efc4f4c058ff100

General

Target

lec.exe
Size

262KB
MD5

6afe340c4109d4dc85f4816047d7e036
SHA1

f1895f5c5e735ad4164f089567907350f4a0e093
SHA256

94d46e8b9788023fe37638002c39e84c3f00c473e69eb8a48efc4f4c058ff100
SHA512

9d0149848d18c3637d64b20457df098d2adf5f9d50ea4d591fa266d08083e253c9b81ae0aea8c930331aa32d992060817ccceda4a9fbb5e2b487a605e649ba50
SSDEEP

3072:STMdJz1z8Ub7OPk6JEYZTuSEzvi0oqn/YX+hYz:HdPbyPFEYZTuSEzvHvnAOS

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

Attributes

delay
1
install
true
install_file
update.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/7FziSYnf

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023c83-11.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	lec.exe

Executes dropped EXE 1 IoCs

pid	Process
4400	update.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
17	pastebin.com
18	6.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2240	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe
1748	lec.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1748	lec.exe
Token: SeDebugPrivilege	1748	lec.exe
Token: SeDebugPrivilege	4400	update.exe
Token: SeDebugPrivilege	4400	update.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2448	1748	lec.exe	84
PID 1748 wrote to memory of 2448	1748	lec.exe	84
PID 1748 wrote to memory of 2172	1748	lec.exe	86
PID 1748 wrote to memory of 2172	1748	lec.exe	86
PID 2172 wrote to memory of 2240	2172	cmd.exe	88
PID 2172 wrote to memory of 2240	2172	cmd.exe	88
PID 2448 wrote to memory of 1072	2448	cmd.exe	89
PID 2448 wrote to memory of 1072	2448	cmd.exe	89
PID 2172 wrote to memory of 4400	2172	cmd.exe	91
PID 2172 wrote to memory of 4400	2172	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\lec.exe
"C:\Users\Admin\AppData\Local\Temp\lec.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB82.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2240
- - C:\Users\Admin\AppData\Roaming\update.exe
    "C:\Users\Admin\AppData\Roaming\update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAB82.tmp.bat

Filesize
150B

MD5
bbbc3237e527fc002dd7e4b53264db5c

SHA1
640b54d65976b5e6f8f1574b6c72d49418b916c2

SHA256
f9b43928b2a2a95fc1e85c83b8a31de1d299e37bb17e6ac0aca86308d961a3af

SHA512
6e1bf9dcc66bd444670b0035c97c3397902b26c4c6b0968e34c29258ad69985ed92a6864d28c26f119b52f4805b8b1548fcbad2274f6d7703ae6a355eaf87376

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe

Filesize
262KB

MD5
6afe340c4109d4dc85f4816047d7e036

SHA1
f1895f5c5e735ad4164f089567907350f4a0e093

SHA256
94d46e8b9788023fe37638002c39e84c3f00c473e69eb8a48efc4f4c058ff100

SHA512
9d0149848d18c3637d64b20457df098d2adf5f9d50ea4d591fa266d08083e253c9b81ae0aea8c930331aa32d992060817ccceda4a9fbb5e2b487a605e649ba50

Download Submit
memory/1748-0-0x00007FFFA2C73000-0x00007FFFA2C75000-memory.dmp

Filesize
8KB

Download
memory/1748-1-0x0000000000DF0000-0x0000000000E38000-memory.dmp

Filesize
288KB

Download
memory/1748-2-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

Filesize
10.8MB

Download
memory/1748-7-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

Filesize
10.8MB

Download
memory/1748-8-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

Filesize
10.8MB

Download
memory/1748-15-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

Filesize
10.8MB

Download
memory/4400-16-0x000000001D020000-0x000000001D096000-memory.dmp

Filesize
472KB

Download
memory/4400-17-0x000000001ACF0000-0x000000001AD24000-memory.dmp

Filesize
208KB

Download
memory/4400-18-0x000000001B130000-0x000000001B14E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads