asyncrat | 57376a7ec745a40f662ce995d0180867e7fafec8b7b4dc3f2043a6cc526211bd

General

Target

kook.exe
Size

47KB
MD5

aa2b2113fe384872456513e6418257bb
SHA1

4051944b7241ac282a7f4de04cecd854ed8e45fd
SHA256

57376a7ec745a40f662ce995d0180867e7fafec8b7b4dc3f2043a6cc526211bd
SHA512

cb657f76da9c8a269c7c8cc4bb787fc660cda957c736d9f60b8867c74c74b4714fc6340afbbc8adafc81e5255e47fb44db6e4a4e3c78d7d3a3f69a6832b34451
SSDEEP

768:8uSBGTAo1wxWUpdj7mo2qLo8Yuyxu0/PIf1UXWk2tm9Z0bVMJRMNCSdCRPBDZox:8uSBGTA2g2Pqz0Yf1jtmsbVsICvR5dox

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

86.176.113.167:9112

Mutex

10CL9iR8lBDX

Attributes

delay
3
install
false
install_file
OBS Updater.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kook.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kook.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3368	timeout.exe
4700	timeout.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3324	kook.exe
Token: SeDebugPrivilege	3324	kook.exe
Token: SeDebugPrivilege	2812	kook.exe
Token: SeDebugPrivilege	2812	kook.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 4920	3324	kook.exe	78
PID 3324 wrote to memory of 4920	3324	kook.exe	78
PID 3324 wrote to memory of 4920	3324	kook.exe	78
PID 4920 wrote to memory of 3368	4920	cmd.exe	80
PID 4920 wrote to memory of 3368	4920	cmd.exe	80
PID 4920 wrote to memory of 3368	4920	cmd.exe	80
PID 4920 wrote to memory of 2812	4920	cmd.exe	81
PID 4920 wrote to memory of 2812	4920	cmd.exe	81
PID 4920 wrote to memory of 2812	4920	cmd.exe	81
PID 2812 wrote to memory of 1792	2812	kook.exe	83
PID 2812 wrote to memory of 1792	2812	kook.exe	83
PID 2812 wrote to memory of 1792	2812	kook.exe	83
PID 1792 wrote to memory of 4700	1792	cmd.exe	85
PID 1792 wrote to memory of 4700	1792	cmd.exe	85
PID 1792 wrote to memory of 4700	1792	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\kook.exe
"C:\Users\Admin\AppData\Local\Temp\kook.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB38C.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3368
- - C:\Users\Admin\AppData\Local\Temp\kook.exe
    "C:\Users\Admin\AppData\Local\Temp\kook.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEF7C.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kook.exe.log

Filesize
1KB

MD5
405f5fd2e0aae476bf952e45c971938e

SHA1
26d11f0257eae74a791ed9affdf3040c33586b54

SHA256
4fb03d1d55cd44da3fd142349bcc091d4fc16932a5c8017f6cc2b3653faa7f28

SHA512
a47781c5da460c80db0519ec299a3d9d3a5fbd7e8e17aaf8b123b18de826829a3c0a65adbe9a05e745bd83997f6043b9e077798d3705a44968a836723c4544da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB38C.tmp.bat

Filesize
151B

MD5
ce0c4e1bb1b1dc1f16d38c17a83cc61c

SHA1
8e6c907094720c61fd34312e14f2f7353f38c4ed

SHA256
d4d6c0656439ab876081282924d445ff1eb316ea14a4b690170392b75bdb10ac

SHA512
564f29965b24ec71afd0fcf47e9b136ffb5ff0e779b749747d12148864618fe761accda390bd0fe0adf42d636c7ed7a86e33a5fe780c47fb42db44950de2b05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF7C.tmp.bat

Filesize
156B

MD5
98dfeb3209f8fc31b2b2d1b7ab9e6403

SHA1
8d479b482a48e2435c011ac66bb35cf8d7691f09

SHA256
41da62a637ebec75393e88d89cd143d0275ddc020691bfe202b413b01a8a145c

SHA512
67ee38351e8ae70f4f4210ed259e1a643cd98b85859a8941c2868937c5594b2cc507afae213e16373e782a05a15d8bce2f66b2d9cf7740ed3a4fb34f271f983d

Download Submit
memory/2812-25-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/2812-21-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/2812-20-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/2812-19-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/3324-10-0x0000000001700000-0x0000000001776000-memory.dmp

Filesize
472KB

Download
memory/3324-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/3324-11-0x0000000001440000-0x00000000014A4000-memory.dmp

Filesize
400KB

Download
memory/3324-12-0x0000000001850000-0x000000000186E000-memory.dmp

Filesize
120KB

Download
memory/3324-9-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/3324-17-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/3324-8-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/3324-7-0x0000000006CB0000-0x0000000007256000-memory.dmp

Filesize
5.6MB

Download
memory/3324-4-0x0000000005D20000-0x0000000005DBC000-memory.dmp

Filesize
624KB

Download
memory/3324-3-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/3324-2-0x00000000744D0000-0x0000000074C81000-memory.dmp

Filesize
7.7MB

Download
memory/3324-1-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing