asyncrat | ac411f526ad10937acd9adf0e2342b6cf807efc8da8ccb1efffbbc26baf0d5d3

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Infected.exe
Size

63KB
MD5

465ede1eb1f9dc421b1a16fa413be9dc
SHA1

156743b43466b25ba4bcf80fa94fd69092a98e0a
SHA256

ac411f526ad10937acd9adf0e2342b6cf807efc8da8ccb1efffbbc26baf0d5d3
SHA512

9048d86d340d3cf10e958d5949b0ee41672a07c5244c34ea5d94542f27bd92f94babdda049573b866aa4b2cec0940b5724f932a7df35b640c57d7d3af6f48ec4
SSDEEP

768:SZzGUy/pr78PIC8A+XXlazcBRL5JTk1+T4KSBGHmDbD/ph0oXrPXpxmskXiSu0dP:YkphzdSJYUbdh9txmtXVu0dpqKmY7

Score

10^/10

asyncrat what rat

Malware Config

Extracted

Family

asyncrat

Botnet

What

127.0.0.1:1337

127.0.0.1:26550

147.185.221.24:1337

147.185.221.24:26550

Attributes

delay
3
install
true
install_file
Windows Defender.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000700000001211a-15.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2292	Windows Defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1936	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	Infected.exe
2900	Infected.exe
2900	Infected.exe
2900	Infected.exe
2900	Infected.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe
2292	Windows Defender.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	Infected.exe
Token: SeDebugPrivilege	2900	Infected.exe
Token: SeDebugPrivilege	2292	Windows Defender.exe
Token: SeDebugPrivilege	2292	Windows Defender.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 2180	2900	Infected.exe	29
PID 2900 wrote to memory of 2180	2900	Infected.exe	29
PID 2900 wrote to memory of 2180	2900	Infected.exe	29
PID 2900 wrote to memory of 2408	2900	Infected.exe	31
PID 2900 wrote to memory of 2408	2900	Infected.exe	31
PID 2900 wrote to memory of 2408	2900	Infected.exe	31
PID 2408 wrote to memory of 1936	2408	cmd.exe	33
PID 2408 wrote to memory of 1936	2408	cmd.exe	33
PID 2408 wrote to memory of 1936	2408	cmd.exe	33
PID 2180 wrote to memory of 1992	2180	cmd.exe	34
PID 2180 wrote to memory of 1992	2180	cmd.exe	34
PID 2180 wrote to memory of 1992	2180	cmd.exe	34
PID 2408 wrote to memory of 2292	2408	cmd.exe	35
PID 2408 wrote to memory of 2292	2408	cmd.exe	35
PID 2408 wrote to memory of 2292	2408	cmd.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1992
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE2A.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1936
- - C:\Users\Admin\AppData\Roaming\Windows Defender.exe
    "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabC9C7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE2A.tmp.bat

Filesize
160B

MD5
8d6b5e89298970fcff37b584b261c3e8

SHA1
e06c5e2d9ab0c58cdf19ffcf03dd817b2700da01

SHA256
b92a148e35d785981ec574507aeb53bc4e36c89ce313e72a2f27b29580d52285

SHA512
bd10808d6658bceaac237dae569f424f5ce8db0ca4d2596514426331567e87a18d275123d048e54937adf5f58e5caff5a2bdc7a0bb3a6f1a8ed97c939a4ac9c9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender.exe

Filesize
63KB

MD5
465ede1eb1f9dc421b1a16fa413be9dc

SHA1
156743b43466b25ba4bcf80fa94fd69092a98e0a

SHA256
ac411f526ad10937acd9adf0e2342b6cf807efc8da8ccb1efffbbc26baf0d5d3

SHA512
9048d86d340d3cf10e958d5949b0ee41672a07c5244c34ea5d94542f27bd92f94babdda049573b866aa4b2cec0940b5724f932a7df35b640c57d7d3af6f48ec4

Download Submit
memory/2292-17-0x0000000000CD0000-0x0000000000CE6000-memory.dmp

Filesize
88KB

Download
memory/2900-0-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

Filesize
4KB

Download
memory/2900-1-0x0000000000140000-0x0000000000156000-memory.dmp

Filesize
88KB

Download
memory/2900-2-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-3-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-12-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download