asyncrat | e87744178fba28b505eccbf4847a77f84877a8bd8f50ce17f5f6f68a0ea41327

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/12/2024, 03:00 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bro.exe
Size

47KB
MD5

83fc5776b79aad95fecd322f11f80187
SHA1

412ccb9ab9e743907eef7be3b47568decefbd15f
SHA256

e87744178fba28b505eccbf4847a77f84877a8bd8f50ce17f5f6f68a0ea41327
SHA512

1552e626f349c66f7e555326e68d97aa87a4971b6c4b912514f1bfa39036d17c9295e88e0f49c349cac2758974e060535044ea4d09a25f2949f45ab79f0c838b
SSDEEP

768:MuY69T3kH1jWUvTqRmo2qbRc4wmDPItjd0axq0bE6zrvtOoqJ/UBDZ0x:MuY69T34y2AwmMtjZHbE6/vgMd0x

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

desktop-ukmnq5d-wasda.at.remote.it:33006

Mutex

tTT9mCTiJnq9

Attributes

delay
3
install
true
install_file
roar.exe
install_folder
%AppData%

aes.plain

1
nOoJnAJLfFAb0QfeQ8ZK1PQhVn02XEKm

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0039000000018662-13.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2612	roar.exe

Loads dropped DLL 1 IoCs

pid	Process
2724	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2372	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2708	bro.exe
2708	bro.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	bro.exe
Token: SeDebugPrivilege	2612	roar.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2688	2708	bro.exe	30
PID 2708 wrote to memory of 2688	2708	bro.exe	30
PID 2708 wrote to memory of 2688	2708	bro.exe	30
PID 2708 wrote to memory of 2688	2708	bro.exe	30
PID 2708 wrote to memory of 2724	2708	bro.exe	32
PID 2708 wrote to memory of 2724	2708	bro.exe	32
PID 2708 wrote to memory of 2724	2708	bro.exe	32
PID 2708 wrote to memory of 2724	2708	bro.exe	32
PID 2724 wrote to memory of 2372	2724	cmd.exe	35
PID 2724 wrote to memory of 2372	2724	cmd.exe	35
PID 2724 wrote to memory of 2372	2724	cmd.exe	35
PID 2724 wrote to memory of 2372	2724	cmd.exe	35
PID 2688 wrote to memory of 1748	2688	cmd.exe	34
PID 2688 wrote to memory of 1748	2688	cmd.exe	34
PID 2688 wrote to memory of 1748	2688	cmd.exe	34
PID 2688 wrote to memory of 1748	2688	cmd.exe	34
PID 2724 wrote to memory of 2612	2724	cmd.exe	36
PID 2724 wrote to memory of 2612	2724	cmd.exe	36
PID 2724 wrote to memory of 2612	2724	cmd.exe	36
PID 2724 wrote to memory of 2612	2724	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\bro.exe
"C:\Users\Admin\AppData\Local\Temp\bro.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "roar" /tr '"C:\Users\Admin\AppData\Roaming\roar.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "roar" /tr '"C:\Users\Admin\AppData\Roaming\roar.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFFF1.tmp.bat""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2372
- - C:\Users\Admin\AppData\Roaming\roar.exe
    "C:\Users\Admin\AppData\Roaming\roar.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2612

Network

DNS

desktop-ukmnq5d-wasda.at.remote.it

roar.exe

Remote address:

8.8.8.8:53

Request

desktop-ukmnq5d-wasda.at.remote.it

IN A

Response

desktop-ukmnq5d-wasda.at.remote.it

IN A

127.0.0.1

127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe
127.0.0.1:33006

roar.exe

8.8.8.8:53

desktop-ukmnq5d-wasda.at.remote.it

dns

roar.exe

80 B
96 B
1
1

DNS Request

desktop-ukmnq5d-wasda.at.remote.it

DNS Response

127.0.0.1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFFF1.tmp.bat

Filesize
148B

MD5
20d85b4d92e175f3206eea269e5bf553

SHA1
53975723b24bcdfe46e7c9736c58d995a099f5dc

SHA256
8b956103b8077b2a42b20b14aaa6a4d1335702029565c33d13ea0f0e81c4a961

SHA512
c694cea4d9277e7df883b3eed63b663903ab349b34adb10d67bf0d9ccc3342913aa55774eab32ea4d89fbff76ecd33b4d1bf887f5b2ca53e49505370b6856c52

Download Submit
\Users\Admin\AppData\Roaming\roar.exe

Filesize
47KB

MD5
83fc5776b79aad95fecd322f11f80187

SHA1
412ccb9ab9e743907eef7be3b47568decefbd15f

SHA256
e87744178fba28b505eccbf4847a77f84877a8bd8f50ce17f5f6f68a0ea41327

SHA512
1552e626f349c66f7e555326e68d97aa87a4971b6c4b912514f1bfa39036d17c9295e88e0f49c349cac2758974e060535044ea4d09a25f2949f45ab79f0c838b

Download Submit
memory/2612-16-0x0000000000C70000-0x0000000000C82000-memory.dmp

Filesize
72KB

Download
memory/2708-0-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/2708-1-0x0000000000D70000-0x0000000000D82000-memory.dmp

Filesize
72KB

Download
memory/2708-2-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download
memory/2708-11-0x00000000741F0000-0x00000000748DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.