asyncrat | 00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

192BCD791EAC82426C69C1496D9059E5.exe
Size

6.1MB
MD5

192bcd791eac82426c69c1496d9059e5
SHA1

036019f9b93f2b2cb80fa251fe769203994e0ae2
SHA256

00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9
SHA512

e774a0a47ec7931a1928ac22f54c65089a340e24cb87fd9b59cf64e8ad203e0bd904da997318ff5c9f0aceddce70dfa415bfae053d97db374adff7cbbe03d3e0
SSDEEP

98304:66nonNZnR83jP+0g/7/DXj6Bi/cwIofEbo4P4HwsffoOX1g8:6WATR8zP/gD/DfP7WqfoOq8

Score

10^/10

asyncrat gurcu metasploit default backdoor defense_evasion discovery rat stealer trojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

5.75.234.8:5050

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

51.89.44.68:8848

Mutex

etb3t1tr5n

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%Temp%

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7694252704:AAGfHKTqga3d5HbNfwWi6gV-IxgHteCjH7w/getM

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023b98-88.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	192BCD791EAC82426C69C1496D9059E5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CRInjector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	build.exe

Executes dropped EXE 6 IoCs

pid	Process
2652	svchost.exe
1188	CRInjector.exe
3284	build.exe
5064	cr.exe
5032	svchost.exe
3908	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	192BCD791EAC82426C69C1496D9059E5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CRInjector.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4052	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4160	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4272	powershell.exe
4272	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	3284	build.exe
Token: SeIncreaseQuotaPrivilege	5032	svchost.exe
Token: SeSecurityPrivilege	5032	svchost.exe
Token: SeTakeOwnershipPrivilege	5032	svchost.exe
Token: SeLoadDriverPrivilege	5032	svchost.exe
Token: SeSystemProfilePrivilege	5032	svchost.exe
Token: SeSystemtimePrivilege	5032	svchost.exe
Token: SeProfSingleProcessPrivilege	5032	svchost.exe
Token: SeIncBasePriorityPrivilege	5032	svchost.exe
Token: SeCreatePagefilePrivilege	5032	svchost.exe
Token: SeBackupPrivilege	5032	svchost.exe
Token: SeRestorePrivilege	5032	svchost.exe
Token: SeShutdownPrivilege	5032	svchost.exe
Token: SeDebugPrivilege	5032	svchost.exe
Token: SeSystemEnvironmentPrivilege	5032	svchost.exe
Token: SeRemoteShutdownPrivilege	5032	svchost.exe
Token: SeUndockPrivilege	5032	svchost.exe
Token: SeManageVolumePrivilege	5032	svchost.exe
Token: 33	5032	svchost.exe
Token: 34	5032	svchost.exe
Token: 35	5032	svchost.exe
Token: 36	5032	svchost.exe
Token: SeDebugPrivilege	4160	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3908	svchost.exe
Token: SeSecurityPrivilege	3908	svchost.exe
Token: SeTakeOwnershipPrivilege	3908	svchost.exe
Token: SeLoadDriverPrivilege	3908	svchost.exe
Token: SeSystemProfilePrivilege	3908	svchost.exe
Token: SeSystemtimePrivilege	3908	svchost.exe
Token: SeProfSingleProcessPrivilege	3908	svchost.exe
Token: SeIncBasePriorityPrivilege	3908	svchost.exe
Token: SeCreatePagefilePrivilege	3908	svchost.exe
Token: SeBackupPrivilege	3908	svchost.exe
Token: SeRestorePrivilege	3908	svchost.exe
Token: SeShutdownPrivilege	3908	svchost.exe
Token: SeDebugPrivilege	3908	svchost.exe
Token: SeSystemEnvironmentPrivilege	3908	svchost.exe
Token: SeRemoteShutdownPrivilege	3908	svchost.exe
Token: SeUndockPrivilege	3908	svchost.exe
Token: SeManageVolumePrivilege	3908	svchost.exe
Token: 33	3908	svchost.exe
Token: 34	3908	svchost.exe
Token: 35	3908	svchost.exe
Token: 36	3908	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4272	4764	192BCD791EAC82426C69C1496D9059E5.exe	83
PID 4764 wrote to memory of 4272	4764	192BCD791EAC82426C69C1496D9059E5.exe	83
PID 4764 wrote to memory of 4272	4764	192BCD791EAC82426C69C1496D9059E5.exe	83
PID 4764 wrote to memory of 2652	4764	192BCD791EAC82426C69C1496D9059E5.exe	85
PID 4764 wrote to memory of 2652	4764	192BCD791EAC82426C69C1496D9059E5.exe	85
PID 4764 wrote to memory of 1188	4764	192BCD791EAC82426C69C1496D9059E5.exe	86
PID 4764 wrote to memory of 1188	4764	192BCD791EAC82426C69C1496D9059E5.exe	86
PID 4764 wrote to memory of 1188	4764	192BCD791EAC82426C69C1496D9059E5.exe	86
PID 1188 wrote to memory of 3284	1188	CRInjector.exe	87
PID 1188 wrote to memory of 3284	1188	CRInjector.exe	87
PID 1188 wrote to memory of 5064	1188	CRInjector.exe	88
PID 1188 wrote to memory of 5064	1188	CRInjector.exe	88
PID 3284 wrote to memory of 5032	3284	build.exe	91
PID 3284 wrote to memory of 5032	3284	build.exe	91
PID 3284 wrote to memory of 3908	3284	build.exe	98
PID 3284 wrote to memory of 3908	3284	build.exe	98
PID 3284 wrote to memory of 3696	3284	build.exe	102
PID 3284 wrote to memory of 3696	3284	build.exe	102
PID 3696 wrote to memory of 4440	3696	cmd.exe	104
PID 3696 wrote to memory of 4440	3696	cmd.exe	104
PID 3696 wrote to memory of 4160	3696	cmd.exe	105
PID 3696 wrote to memory of 4160	3696	cmd.exe	105
PID 3696 wrote to memory of 4052	3696	cmd.exe	106
PID 3696 wrote to memory of 4052	3696	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\192BCD791EAC82426C69C1496D9059E5.exe
"C:\Users\Admin\AppData\Local\Temp\192BCD791EAC82426C69C1496D9059E5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAawByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdgBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAdgBnACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Users\Admin\AppData\Local\Temp\CRInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\CRInjector.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5032
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3908
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\678a18e6-c94e-4ebb-9858-38c70f740adb.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4440
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3284
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
    - - C:\Windows\system32\timeout.exe
        
        timeout /T 2 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:4052
- - C:\Users\Admin\AppData\Local\Temp\cr.exe
    "C:\Users\Admin\AppData\Local\Temp\cr.exe"
    3⤵
    - Executes dropped EXE
    PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\678a18e6-c94e-4ebb-9858-38c70f740adb.bat

Filesize
152B

MD5
2230145362cec2d3310062046cec3a9b

SHA1
e2d2ad66ff2b32e39c9c908d35fc3c643a4fbc85

SHA256
2f3a7e88896bc8eab118fe92a7624420f5e4217b72c55f64269dc5c6654e1a5b

SHA512
54649c846bd1ae67bc05b00fb1fd00f1054570a6f84431c502c35fc9d36b3cdd2137dfd7e4718c254bc798d08bb371f98efc76bcfeb2c9e88c44da19a1bd8076

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRInjector.exe

Filesize
6.1MB

MD5
1d0ddf1ad8614ed2bf87a911d3191880

SHA1
137566648a65e7627ca26e8c6fc5712b4b46a54c

SHA256
e6426e2874c427878a7aa4b1c771f72cfcf4d97da189c7f1c7eba802d412af96

SHA512
d91c1840094ab7cf1686b1df53e55fc7bf45a14da4526f396776d7ac3340c5d6f82cf56464fa87d2f0320a4d060644c463ef3eb110d8ebb355df312a46e25051

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
1KB

MD5
9f29d0dddf80fb799cfdac694e4f02a0

SHA1
89caa5a34c97ddabbbd3a7349d9d55638c3ec19a

SHA256
094207b3dc094c19ee1a67d939f2f37dfc025506208e3b746a40e39859262e36

SHA512
6c74ec1990d151d33d243437fb8419f9e2cfa4766aa95ae7ddb9e2237b06b81cdad9298d3bcdf3df77b874ab64de043d36c73a53eb3b1850c864f6a2cee3fcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
366848a316d61a8544040f153f586a94

SHA1
8696a91e697013ce1cb431ef5870dc77f07415bb

SHA256
8535c06ebe047dbd8ef0caac4ba644d4825acff6c97d7d23841d6445e8a50a36

SHA512
344e91ae77dcb9e9883f9034ad33e162bf31582869f1fa3b6b0d9c89874245f4c8a05dec49d6c05ce29507cc6e979688c515c45e80c8c598218491108ce2144c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
379B

MD5
0906cde841d4f9e7a63515213f471619

SHA1
ce19adc35d688319d886aaae7a884bdd0323afe6

SHA256
caccbff85704d7e854e1b18aaf64a2558a16f614cf7184118a9d6d41d6112db5

SHA512
0ace1d7fea24281d983a691288f1f80fa31a89eb65e1b711d17972de2066f15b1a73f4968fc5e58f9e91e539067e8daac0e946d928bbf62ad83b719b823f9564

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gg4tkkn4.c0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
6.1MB

MD5
2270f282eea0a6f4f9281a9fa22643e8

SHA1
809c81c4a672704b281cd4a858cac8a10df26207

SHA256
a23477faa272984c38dbf7533dcab6c12395a2a32845910ba1c2cccb6797880d

SHA512
4e9e33d34f51ab7940f686733959ce3b06e1fffe1418bd44be60b1f31762aa2f9eccaa8ec7525d496f0c50160c32252008b74f813ddbc1f4b9bc42c64a22416c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cr.exe

Filesize
23KB

MD5
84132b6ff67a2edc0086641076cbe74c

SHA1
82e5b836b6003635fb2c98a4851789ab093dfd30

SHA256
6061e0a08600cb5beb394bffd3ddfecd1699406f6709c7413962cb3881d845cf

SHA512
5096ffeb7f071a5811dca9a6088a99cdbb52240177094eaf9ecef9be27c84e46f4f56f197c0badd76f38cc79d5cbca68faea64c8060e589eab5d7e1dc7552548

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
7KB

MD5
073d78ce1468ecbeedc0afecb126e6cd

SHA1
5ea217f44b9775effac3c44da2d551294923ae9f

SHA256
8bdcaef5756f0e60fdb0fb0c71bff9ff6631b5ad74c3d04614cb09bc83d25c31

SHA512
78ffc25e65100488487411582b3d4d732d50ee17daedc84eb1ada44d12a708eb4cf6eb97c9772f74057ae6cc011b4358c454169d87156cd1295a4748162908e0

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
63KB

MD5
67ca41c73d556cc4cfc67fc5b425bbbd

SHA1
ada7f812cd581c493630eca83bf38c0f8b32b186

SHA256
23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b

SHA512
0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

Download Submit
memory/2652-8-0x0000000140000000-0x0000000140004278-memory.dmp

Filesize
16KB

Download
memory/3284-44-0x00000187374D0000-0x0000018737AE6000-memory.dmp

Filesize
6.1MB

Download
memory/4272-57-0x0000000006EE0000-0x0000000006F12000-memory.dmp

Filesize
200KB

Download
memory/4272-21-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/4272-54-0x0000000006340000-0x0000000006694000-memory.dmp

Filesize
3.3MB

Download
memory/4272-43-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/4272-55-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/4272-56-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/4272-40-0x0000000005860000-0x0000000005882000-memory.dmp

Filesize
136KB

Download
memory/4272-58-0x00000000711D0000-0x000000007121C000-memory.dmp

Filesize
304KB

Download
memory/4272-68-0x0000000006F20000-0x0000000006F3E000-memory.dmp

Filesize
120KB

Download
memory/4272-69-0x0000000007B00000-0x0000000007BA3000-memory.dmp

Filesize
652KB

Download
memory/4272-70-0x0000000008280000-0x00000000088FA000-memory.dmp

Filesize
6.5MB

Download
memory/4272-71-0x0000000005680000-0x000000000569A000-memory.dmp

Filesize
104KB

Download
memory/4272-72-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

Filesize
40KB

Download
memory/4272-42-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/4272-80-0x0000000007EF0000-0x0000000007F86000-memory.dmp

Filesize
600KB

Download
memory/4272-83-0x0000000007E60000-0x0000000007E71000-memory.dmp

Filesize
68KB

Download
memory/4272-22-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/4272-18-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/4272-96-0x0000000007EA0000-0x0000000007EAE000-memory.dmp

Filesize
56KB

Download
memory/4272-97-0x0000000007EB0000-0x0000000007EC4000-memory.dmp

Filesize
80KB

Download
memory/4272-98-0x0000000007F90000-0x0000000007FAA000-memory.dmp

Filesize
104KB

Download
memory/4272-99-0x0000000007EE0000-0x0000000007EE8000-memory.dmp

Filesize
32KB

Download
memory/4272-102-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/4272-20-0x0000000005BC0000-0x00000000061E8000-memory.dmp

Filesize
6.2MB

Download
memory/4272-19-0x0000000002FE0000-0x0000000003016000-memory.dmp

Filesize
216KB

Download
memory/5032-95-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

Filesize
88KB

Download