Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

AsyncClient.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12/12/2024, 16:38 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AsyncClient.exe

  • Size

    47KB

  • MD5

    990d7fc3e6573a3622f530c3975a0d59

  • SHA1

    eb90ae84dd1416b431a352ce70c3146c7c7a311a

  • SHA256

    513105f291a41960b5e08f5e94dee377eae8f6b483e012cc835869b639e1fc5b

  • SHA512

    e92b36f8ea66ac7bcf07e7d45b0288f160513ddc40a0e414167748276cfcdee92b0eef0be1c580b4bde7a6c7e7547d93ba525d77e9b620698f033c8b8e695e49

  • SSDEEP

    768:cu4X9TskvpDWUPlNxmo2qbx4IV1Xz5PI6smtd0bngny0ZUVYhyDnRPJRcfBDZEx:cu4X9Tswb2+NK6smt6bngyiUqkpJ6dEx

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

192.168.100.96:6606

192.168.100.96:7707

192.168.100.96:8808
Mutex

EwG9PLMu7fcT

Attributes
  • delay

    3

  • install

    true

  • install_file

    Debugger.exe

  • install_folder

    %AppData%

aes.plain
1
P4Mdp27sqRfw7lETZ7KJOlmWWS49isph

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
    "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3368
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Debugger" /tr '"C:\Users\Admin\AppData\Roaming\Debugger.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4368
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Debugger" /tr '"C:\Users\Admin\AppData\Roaming\Debugger.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2228
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B67.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:5052
      • C:\Users\Admin\AppData\Roaming\Debugger.exe
        "C:\Users\Admin\AppData\Roaming\Debugger.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2800

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.229.43
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 127.0.0.1:7707
    Debugger.exe
  • 127.0.0.1:7707
    Debugger.exe
  • 192.168.100.96:8808
    Debugger.exe
    260 B
     5
  • 192.168.100.96:8808
    Debugger.exe
    260 B
     5
  • 127.0.0.1:7707
    Debugger.exe
  • 127.0.0.1:6606
    Debugger.exe
  • 127.0.0.1:6606
    Debugger.exe
  • 127.0.0.1:7707
    Debugger.exe
  • 192.168.100.96:8808
    Debugger.exe
    260 B
     5
  • 192.168.100.96:7707
    Debugger.exe
    260 B
     5
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    214 B
     389 B
     3
    3

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.229.43

    DNS Request

    43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8B67.tmp.bat
    Filesize

    152B

    MD5

    7f9c2c2b34f6211ac72d94dde63d9b4f

    SHA1

    c98e5581c045367d15777ad9b4159971c4358a71

    SHA256

    28dc820cb5204c4a92155fb5af60c619105598b079496f75c6e4c36c7060d0a2

    SHA512

    133cefab59c078a624b3d59755ee0ca3af9a7f886e241940141784fb7b5e7930491a8128a1c4b10ed1b183f8638648ae19c78bfa9a819faa0841b2753d1d5485

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Debugger.exe
    Filesize

    47KB

    MD5

    990d7fc3e6573a3622f530c3975a0d59

    SHA1

    eb90ae84dd1416b431a352ce70c3146c7c7a311a

    SHA256

    513105f291a41960b5e08f5e94dee377eae8f6b483e012cc835869b639e1fc5b

    SHA512

    e92b36f8ea66ac7bcf07e7d45b0288f160513ddc40a0e414167748276cfcdee92b0eef0be1c580b4bde7a6c7e7547d93ba525d77e9b620698f033c8b8e695e49

    Download Submit

  • memory/2800-14-0x0000000074690000-0x0000000074E41000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2800-15-0x0000000074690000-0x0000000074E41000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3368-0-0x000000007474E000-0x000000007474F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3368-1-0x0000000000F80000-0x0000000000F92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3368-2-0x0000000074740000-0x0000000074EF1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3368-3-0x00000000059D0000-0x0000000005A36000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3368-4-0x0000000005E90000-0x0000000005F2C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3368-9-0x0000000074740000-0x0000000074EF1000-memory.dmp

    Filesize

    7.7MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.