asyncrat | da053d2b374fb1eed1c790240aa69223feac8890a2499d57cf2be651b199b839

Analysis

max time kernel
95s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Optimizer.exe
Size

141KB
MD5

08b7e95717e559eba913a4af26a893ab
SHA1

57ebdc63ea7b4773a34be646ec3d1f0862881ff9
SHA256

da053d2b374fb1eed1c790240aa69223feac8890a2499d57cf2be651b199b839
SHA512

338a1135b93ad0b98f77737ebd9c31b52cab99e598bdc9553dc29ffc6177014da3464b8c8980de2a99336903a2671d1a8b61d87471386dd5a361f89793f49caa
SSDEEP

3072:7hK4Uay3XrQ8habqgp9pC9Z6p5uf3C6k0xuZ04ntfxqhBuCgM:7hK4XycqgpfCup5sVxuZ04ihAO

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

win-five.gl.at.ply.gg:62867

Mutex

wSVzarUq9UtI

Attributes

delay
3
install
true
install_file
RuntimeBroker.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023cad-2.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 2 IoCs

pid	Process
4628	RuntimeBroker.exe
3012	RuntimeBroker.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\RuntimeBroker.exe	Optimizer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1828	timeout.exe
3000	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe
4628	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	RuntimeBroker.exe
Token: SeDebugPrivilege	3012	RuntimeBroker.exe
Token: SeDebugPrivilege	3012	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4628	4136	Optimizer.exe	83
PID 4136 wrote to memory of 4628	4136	Optimizer.exe	83
PID 4136 wrote to memory of 4628	4136	Optimizer.exe	83
PID 4628 wrote to memory of 4696	4628	RuntimeBroker.exe	89
PID 4628 wrote to memory of 4696	4628	RuntimeBroker.exe	89
PID 4628 wrote to memory of 4696	4628	RuntimeBroker.exe	89
PID 4628 wrote to memory of 1460	4628	RuntimeBroker.exe	91
PID 4628 wrote to memory of 1460	4628	RuntimeBroker.exe	91
PID 4628 wrote to memory of 1460	4628	RuntimeBroker.exe	91
PID 4696 wrote to memory of 3772	4696	cmd.exe	93
PID 4696 wrote to memory of 3772	4696	cmd.exe	93
PID 4696 wrote to memory of 3772	4696	cmd.exe	93
PID 1460 wrote to memory of 1828	1460	cmd.exe	94
PID 1460 wrote to memory of 1828	1460	cmd.exe	94
PID 1460 wrote to memory of 1828	1460	cmd.exe	94
PID 1460 wrote to memory of 3012	1460	cmd.exe	95
PID 1460 wrote to memory of 3012	1460	cmd.exe	95
PID 1460 wrote to memory of 3012	1460	cmd.exe	95
PID 3012 wrote to memory of 4424	3012	RuntimeBroker.exe	102
PID 3012 wrote to memory of 4424	3012	RuntimeBroker.exe	102
PID 3012 wrote to memory of 4424	3012	RuntimeBroker.exe	102
PID 3012 wrote to memory of 856	3012	RuntimeBroker.exe	104
PID 3012 wrote to memory of 856	3012	RuntimeBroker.exe	104
PID 3012 wrote to memory of 856	3012	RuntimeBroker.exe	104
PID 4424 wrote to memory of 3724	4424	cmd.exe	106
PID 4424 wrote to memory of 3724	4424	cmd.exe	106
PID 4424 wrote to memory of 3724	4424	cmd.exe	106
PID 856 wrote to memory of 3000	856	cmd.exe	107
PID 856 wrote to memory of 3000	856	cmd.exe	107
PID 856 wrote to memory of 3000	856	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\Optimizer.exe
"C:\Users\Admin\AppData\Local\Temp\Optimizer.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\Fonts\RuntimeBroker.exe
  "C:\Windows\Fonts\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC4C7.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1828
  - - C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "RuntimeBroker"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /f /tn "RuntimeBroker"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp635.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

Filesize
614B

MD5
54920f388010333559bdff225040761d

SHA1
040972bf1fc83014f10c45832322c094f883ce30

SHA256
9ed5449a36700939987209c7a2974b9cc669b8b22c7c4e7936f35dda0a4dc359

SHA512
e17aa5d1328b3bfd3754d15b3c2eded98653d90c7b326f941522e0b3bd6f557880246a6bc69047facb42eb97d2e0ed6c46148dfe95a98669fc4e1d07c21a285c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp635.tmp.bat

Filesize
161B

MD5
b602d87fcefa2c68b291ec5639189c7b

SHA1
7be259920baed432e64d4e62ca73aecb4af237eb

SHA256
a4513367cd413d4404fe35924e52e5f51a633ef104ebff0e8647dea083bf54b8

SHA512
8fe56e32dbe5b9255e70889d604715e0ec2a7e8ff561562737897482b3b5dae76813ce04999747f686e6871eb9249d1f944ac84af731cdaa1d01cd82c55d9ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC4C7.tmp.bat

Filesize
157B

MD5
0666d09c3a0214e9003024b3bb0ef803

SHA1
a258b81b95615e62396d006a65396a78f2460c72

SHA256
1f700b1188417b5a721aab89685dfc3854fcad5d7dc48c7b7b3f0644687edf6f

SHA512
b849d854ab9f58c52d7063706c4f5d6ef51e62cdc913c6b13d9aa0a31730d09efb4797185cf8d6c17f23ec25ac748a3f30e07138e1f5a0381cf6d3aa73c5560d

Download Submit
C:\Windows\Fonts\RuntimeBroker.exe

Filesize
48KB

MD5
d9a8b8d68e324839f69ece3a04575db8

SHA1
e62d94e7b067915645d8b6aed6222f90e44c5745

SHA256
98040733ac189b6a213b5ba69a758f205207beed0f0805ff99ea4566c50f6371

SHA512
4e5a0c660d2f0e2941c786c9f1490fef465c1ebf31ce4b76ffca659b1b22312b67632f76df5bf5f1717b46bf84949ded52506f337e8ff5c5806b8fc417743791

Download Submit
memory/3012-20-0x00000000068F0000-0x0000000006E94000-memory.dmp

Filesize
5.6MB

Download
memory/3012-21-0x00000000070A0000-0x0000000007116000-memory.dmp

Filesize
472KB

Download
memory/3012-22-0x0000000005FF0000-0x0000000005FFE000-memory.dmp

Filesize
56KB

Download
memory/3012-23-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/4628-5-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/4628-6-0x0000000000FC0000-0x0000000000FD2000-memory.dmp

Filesize
72KB

Download
memory/4628-7-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/4628-8-0x0000000006510000-0x00000000065AC000-memory.dmp

Filesize
624KB

Download