asyncrat | da053d2b374fb1eed1c790240aa69223feac8890a2499d57cf2be651b199b839

Analysis

max time kernel
92s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
05-01-2025 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Optimizer.exe
Size

141KB
MD5

08b7e95717e559eba913a4af26a893ab
SHA1

57ebdc63ea7b4773a34be646ec3d1f0862881ff9
SHA256

da053d2b374fb1eed1c790240aa69223feac8890a2499d57cf2be651b199b839
SHA512

338a1135b93ad0b98f77737ebd9c31b52cab99e598bdc9553dc29ffc6177014da3464b8c8980de2a99336903a2671d1a8b61d87471386dd5a361f89793f49caa
SSDEEP

3072:7hK4Uay3XrQ8habqgp9pC9Z6p5uf3C6k0xuZ04ntfxqhBuCgM:7hK4XycqgpfCup5sVxuZ04ihAO

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

win-five.gl.at.ply.gg:62867

Mutex

wSVzarUq9UtI

Attributes

delay
3
install
true
install_file
RuntimeBroker.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001b00000002aae2-3.dat	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
2052	RuntimeBroker.exe
4692	RuntimeBroker.exe
2348	RuntimeBroker.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\RuntimeBroker.exe	Optimizer.exe
File opened for modification	C:\Windows\Fonts\RuntimeBroker.exe	Optimizer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4936	timeout.exe
2016	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe
2052	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	RuntimeBroker.exe
Token: SeDebugPrivilege	4692	RuntimeBroker.exe
Token: SeDebugPrivilege	4692	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2052	4284	Optimizer.exe	79
PID 4284 wrote to memory of 2052	4284	Optimizer.exe	79
PID 4284 wrote to memory of 2052	4284	Optimizer.exe	79
PID 2052 wrote to memory of 1756	2052	RuntimeBroker.exe	84
PID 2052 wrote to memory of 1756	2052	RuntimeBroker.exe	84
PID 2052 wrote to memory of 1756	2052	RuntimeBroker.exe	84
PID 2052 wrote to memory of 1584	2052	RuntimeBroker.exe	86
PID 2052 wrote to memory of 1584	2052	RuntimeBroker.exe	86
PID 2052 wrote to memory of 1584	2052	RuntimeBroker.exe	86
PID 1584 wrote to memory of 4936	1584	cmd.exe	89
PID 1584 wrote to memory of 4936	1584	cmd.exe	89
PID 1584 wrote to memory of 4936	1584	cmd.exe	89
PID 1756 wrote to memory of 1656	1756	cmd.exe	88
PID 1756 wrote to memory of 1656	1756	cmd.exe	88
PID 1756 wrote to memory of 1656	1756	cmd.exe	88
PID 1584 wrote to memory of 4692	1584	cmd.exe	90
PID 1584 wrote to memory of 4692	1584	cmd.exe	90
PID 1584 wrote to memory of 4692	1584	cmd.exe	90
PID 2236 wrote to memory of 3224	2236	cmd.exe	94
PID 2236 wrote to memory of 3224	2236	cmd.exe	94
PID 3224 wrote to memory of 2348	3224	Optimizer.exe	95
PID 3224 wrote to memory of 2348	3224	Optimizer.exe	95
PID 3224 wrote to memory of 2348	3224	Optimizer.exe	95
PID 4692 wrote to memory of 3580	4692	RuntimeBroker.exe	99
PID 4692 wrote to memory of 3580	4692	RuntimeBroker.exe	99
PID 4692 wrote to memory of 3580	4692	RuntimeBroker.exe	99
PID 4692 wrote to memory of 4560	4692	RuntimeBroker.exe	100
PID 4692 wrote to memory of 4560	4692	RuntimeBroker.exe	100
PID 4692 wrote to memory of 4560	4692	RuntimeBroker.exe	100
PID 4560 wrote to memory of 2016	4560	cmd.exe	104
PID 4560 wrote to memory of 2016	4560	cmd.exe	104
PID 4560 wrote to memory of 2016	4560	cmd.exe	104
PID 3580 wrote to memory of 1988	3580	cmd.exe	103
PID 3580 wrote to memory of 1988	3580	cmd.exe	103
PID 3580 wrote to memory of 1988	3580	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Optimizer.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Windows\Fonts\RuntimeBroker.exe
  "C:\Windows\Fonts\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB41D.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4936
  - - C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "RuntimeBroker"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3580
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /f /tn "RuntimeBroker"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp50AB.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4560
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\Optimizer.exe
  optimizer
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\Fonts\RuntimeBroker.exe
    "C:\Windows\Fonts\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
614B

MD5
fece27917067365b631bc648c66fe066

SHA1
f12c84b1c2b1296091ee06e8654c7065d22cbb44

SHA256
93e03593374ce40bc5d4c57832ebe96d3a6a532766eb6385f568a0383b426d10

SHA512
9b502a6d46b82ccc2c8aff650de664299f0131a82480eb9cec701546e9cd7f1647c0665014035c19da80a6cab267cf896645af827ecdd95287a70994c1ecb662

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp50AB.tmp.bat

Filesize
162B

MD5
2cc4908e8f6946a2da31fd45bdaa66f7

SHA1
8387a7b40e31bfbdcb61c411769daafb7df894f9

SHA256
2daa815a37c20c8fc1b744738a8453453e25bc4f1c9103697f895e758582ec3c

SHA512
7a27a365398c7ad2cfad9ff9bbac56a392051b212cb05d63db329ca03f5928a8464e3701cfcd48196955b69e2814f08e44fdb09aba5aa4dc86274517e55ea791

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB41D.tmp.bat

Filesize
157B

MD5
18055d8afd5aa6ce42bca44996ce375f

SHA1
25e0fc9f84057134cee7094885b6903bcd97f54d

SHA256
53c36e5ec69904e2979775ae749a1f96e0127adbd0229d02f0c47b7bd64b666d

SHA512
20b97ebc6f5f9da695ab40ca32e6a21ebaaa709378929a856ec2676422c8358fafb260109263b978065dce1d85f5b2dc60793900e6b38d880abf325b77c59d83

Download Submit
C:\Windows\Fonts\RuntimeBroker.exe

Filesize
48KB

MD5
d9a8b8d68e324839f69ece3a04575db8

SHA1
e62d94e7b067915645d8b6aed6222f90e44c5745

SHA256
98040733ac189b6a213b5ba69a758f205207beed0f0805ff99ea4566c50f6371

SHA512
4e5a0c660d2f0e2941c786c9f1490fef465c1ebf31ce4b76ffca659b1b22312b67632f76df5bf5f1717b46bf84949ded52506f337e8ff5c5806b8fc417743791

Download Submit
memory/2052-7-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/2052-8-0x0000000006080000-0x000000000611C000-memory.dmp

Filesize
624KB

Download
memory/2052-6-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/2052-5-0x000000007482E000-0x000000007482F000-memory.dmp

Filesize
4KB

Download
memory/4692-20-0x0000000006B00000-0x00000000070A6000-memory.dmp

Filesize
5.6MB

Download
memory/4692-27-0x0000000007370000-0x00000000073E6000-memory.dmp

Filesize
472KB

Download
memory/4692-28-0x00000000061B0000-0x00000000061BE000-memory.dmp

Filesize
56KB

Download
memory/4692-29-0x00000000072F0000-0x000000000730E000-memory.dmp

Filesize
120KB

Download