asyncrat | b718578e3c137f37d638bc715963c90559f78768092c2dcd59ba73dc6bf1cf7f

Analysis

max time kernel
30s
max time network
19s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22/01/2025, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AsyncMod.exe
Size

508KB
MD5

0b06b95ea006b8bd723acd6cf352fc06
SHA1

5607dc185430ec85e5b48cc59257589263d77f19
SHA256

b718578e3c137f37d638bc715963c90559f78768092c2dcd59ba73dc6bf1cf7f
SHA512

8aff62c083b9c8296f07b0c1ab0885d14353b1528fefe348091ed8494e772156195ad68589a99eaeba0bab9de0672472a9c9398f9102a47e328bc05c48523c6a
SSDEEP

12288:jL/KH0hB7a6n4zexn8ILg6qDwoMwIgtoHZ:jL/KszxndwwHZ

Score

10^/10

asyncrat discovery rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2076	OneDriveStandaloneAPIMethod.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveStandaloneAPIMethod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncMod.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
412	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1148	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2076	OneDriveStandaloneAPIMethod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2552	AsyncMod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe
2076	OneDriveStandaloneAPIMethod.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	AsyncMod.exe
Token: SeDebugPrivilege	2076	OneDriveStandaloneAPIMethod.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1148	2552	AsyncMod.exe	88
PID 2552 wrote to memory of 1148	2552	AsyncMod.exe	88
PID 2552 wrote to memory of 1148	2552	AsyncMod.exe	88
PID 2552 wrote to memory of 1680	2552	AsyncMod.exe	90
PID 2552 wrote to memory of 1680	2552	AsyncMod.exe	90
PID 2552 wrote to memory of 1680	2552	AsyncMod.exe	90
PID 1680 wrote to memory of 2076	1680	cmd.exe	92
PID 1680 wrote to memory of 2076	1680	cmd.exe	92
PID 1680 wrote to memory of 2076	1680	cmd.exe	92
PID 1680 wrote to memory of 412	1680	cmd.exe	94
PID 1680 wrote to memory of 412	1680	cmd.exe	94
PID 1680 wrote to memory of 412	1680	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\AsyncMod.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncMod.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /tn OneDriveStandaloneAPIMethod /tr "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe" /st 16:41 /du 23:59 /sc daily /ri 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1148
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp93A5.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp93A5.tmp.bat

Filesize
255B

MD5
4ec26b47c02efc4ac46828f74107929e

SHA1
73927c56b72164ee0612abd16999c19a4c2fe72a

SHA256
1a6f2fa3fe7a2eda60dd697c160324d693a6f7b814e446f0e5f49c1b00ac50ba

SHA512
e55bbb6f31093804a09a215ff36443316208c528e9fa1d8527a4b7416a8f530f2dd159c2a5aed2eca4b683a78c7a2cc8bc6ecc4adc0b22b62146108a13e08798

Download Submit
memory/2076-31-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-25-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-39-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-38-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-37-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-36-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-35-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-34-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-24-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-33-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-32-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-30-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-29-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-28-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-27-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2076-26-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/2076-23-0x0000000075120000-0x00000000758D1000-memory.dmp

Filesize
7.7MB

Download
memory/2552-11-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2552-7-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2552-2-0x0000000005E80000-0x0000000006426000-memory.dmp

Filesize
5.6MB

Download
memory/2552-18-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2552-13-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2552-9-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2552-1-0x0000000000E10000-0x0000000000E96000-memory.dmp

Filesize
536KB

Download
memory/2552-0-0x000000007513E000-0x000000007513F000-memory.dmp

Filesize
4KB

Download
memory/2552-12-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2552-8-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2552-10-0x000000007513E000-0x000000007513F000-memory.dmp

Filesize
4KB

Download
memory/2552-6-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2552-4-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2552-5-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2552-3-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download