Overview

overview

10

Static

static

10

AsyncClient.exe

windows7-x64

10

AsyncClient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 18:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AsyncClient.exe

  • Size

    52KB

  • MD5

    422b49a2404d8e67c9cd57d46acc97d0

  • SHA1

    89ca4038856c67d12d31750a799aa88b08acfb82

  • SHA256

    b7a9152f897cb11101d370f3b1ef30d411d4e4116a57ef31d340a58952cf4c1c

  • SHA512

    2d9a65aacce93def1829971071b3c02c64555c0e30deca5ff8b12d04202e4b0a5e85cce8c7e61dfad1d966fe027086e7d18e1bf1c23dbe9695f2a8e082fdc77c

  • SSDEEP

    1536:Ou4X9Tswb2vOnZH4fAzb03lKuIvLZQ7dqx:Ou4tTswb2vOnZH4fAb038L+7wx

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

x5sql-62870.portmap.host:62870

Mutex

c2VJpocLoXmn

Attributes
  • delay

    3

  • install

    true

  • install_file

    Defender.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
    "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Defender" /tr '"C:\Users\Admin\AppData\Roaming\Defender.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Defender" /tr '"C:\Users\Admin\AppData\Roaming\Defender.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:308
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF7C7.tmp.bat""
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2616
      • C:\Users\Admin\AppData\Roaming\Defender.exe
        "C:\Users\Admin\AppData\Roaming\Defender.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF7C7.tmp.bat
    Filesize

    152B

    MD5

    c9d76bd563ef67cb2eeeb8e441dd1e01

    SHA1

    a26a8d542fb520f6a32635a8504ac3b6853a77c4

    SHA256

    9ccbbf5665b569cd4984b9296654072e3ac8466026dc205e65d82fbbf21ffac4

    SHA512

    f87ca168b112050ccadc78d24367adc1cbfca5fb5ac3d38eb1f100f0f9179c593b1417d632b576cd1af616edd86e494dc15fd8c2a7cdbef852163fa4c2c98cf2

    Download Submit

  • \Users\Admin\AppData\Roaming\Defender.exe
    Filesize

    52KB

    MD5

    422b49a2404d8e67c9cd57d46acc97d0

    SHA1

    89ca4038856c67d12d31750a799aa88b08acfb82

    SHA256

    b7a9152f897cb11101d370f3b1ef30d411d4e4116a57ef31d340a58952cf4c1c

    SHA512

    2d9a65aacce93def1829971071b3c02c64555c0e30deca5ff8b12d04202e4b0a5e85cce8c7e61dfad1d966fe027086e7d18e1bf1c23dbe9695f2a8e082fdc77c

    Download Submit

  • memory/2248-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2248-1-0x0000000000F40000-0x0000000000F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2248-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2248-11-0x00000000744D0000-0x0000000074BBE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2760-16-0x0000000000210000-0x0000000000222000-memory.dmp

    Filesize

    72KB

    Download