asyncrat | d185431231967c0226a2ce764e4bc09b11a61fdbbcab964f1cd9b26ce3939501

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/01/2025, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Infected.exe
Size

63KB
MD5

ae0079d1106188b3ff70467a0f60147a
SHA1

82b42a50dc33524447eb939a33f751d3f4f612f4
SHA256

d185431231967c0226a2ce764e4bc09b11a61fdbbcab964f1cd9b26ce3939501
SHA512

7c2aab21fa82f310a4f08b52af0894a94ee3b59bb179a667d4e4a04519b2fde80d460de2d5e330a1d04d71a90141f9f306cdc6d98a49d8840ee77ef46715ef77
SSDEEP

768:yfDDqjTNP7813C8A+XOSazcBRL5JTk1+T4KSBGHmDbD/ph0oXlTiINzDP1XSucdP:m6NmVdSJYUbdh9/BdCucdpqKmY7

Score

10^/10

asyncrat rs rat

Malware Config

Extracted

Family

asyncrat

Botnet

the-attractions.gl.at.ply.gg:59161

Attributes

delay
5
install
true
install_file
Application Frame Host.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b000000012259-15.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
3016	Application Frame Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
2592	timeout.exe
2140	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2696	Infected.exe
2696	Infected.exe
2696	Infected.exe
2696	Infected.exe
2696	Infected.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe
3016	Application Frame Host.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	Infected.exe
Token: SeDebugPrivilege	2696	Infected.exe
Token: SeDebugPrivilege	3016	Application Frame Host.exe
Token: SeDebugPrivilege	3016	Application Frame Host.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 2876	2696	Infected.exe	30
PID 2696 wrote to memory of 2876	2696	Infected.exe	30
PID 2696 wrote to memory of 2876	2696	Infected.exe	30
PID 2696 wrote to memory of 2620	2696	Infected.exe	32
PID 2696 wrote to memory of 2620	2696	Infected.exe	32
PID 2696 wrote to memory of 2620	2696	Infected.exe	32
PID 2620 wrote to memory of 2592	2620	cmd.exe	34
PID 2620 wrote to memory of 2592	2620	cmd.exe	34
PID 2620 wrote to memory of 2592	2620	cmd.exe	34
PID 2876 wrote to memory of 2624	2876	cmd.exe	35
PID 2876 wrote to memory of 2624	2876	cmd.exe	35
PID 2876 wrote to memory of 2624	2876	cmd.exe	35
PID 2620 wrote to memory of 3016	2620	cmd.exe	36
PID 2620 wrote to memory of 3016	2620	cmd.exe	36
PID 2620 wrote to memory of 3016	2620	cmd.exe	36
PID 3016 wrote to memory of 1420	3016	Application Frame Host.exe	39
PID 3016 wrote to memory of 1420	3016	Application Frame Host.exe	39
PID 3016 wrote to memory of 1420	3016	Application Frame Host.exe	39
PID 3016 wrote to memory of 1148	3016	Application Frame Host.exe	41
PID 3016 wrote to memory of 1148	3016	Application Frame Host.exe	41
PID 3016 wrote to memory of 1148	3016	Application Frame Host.exe	41
PID 1420 wrote to memory of 2136	1420	cmd.exe	43
PID 1420 wrote to memory of 2136	1420	cmd.exe	43
PID 1420 wrote to memory of 2136	1420	cmd.exe	43
PID 1148 wrote to memory of 2140	1148	cmd.exe	44
PID 1148 wrote to memory of 2140	1148	cmd.exe	44
PID 1148 wrote to memory of 2140	1148	cmd.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Application Frame Host" /tr '"C:\Users\Admin\AppData\Local\Temp\Application Frame Host.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Application Frame Host" /tr '"C:\Users\Admin\AppData\Local\Temp\Application Frame Host.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2624
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp79F1.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2592
- - C:\Users\Admin\AppData\Local\Temp\Application Frame Host.exe
    "C:\Users\Admin\AppData\Local\Temp\Application Frame Host.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Application Frame Host"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Application Frame Host"
        5⤵
        
        PID:2136
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF188.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Application Frame Host.exe

Filesize
63KB

MD5
ae0079d1106188b3ff70467a0f60147a

SHA1
82b42a50dc33524447eb939a33f751d3f4f612f4

SHA256
d185431231967c0226a2ce764e4bc09b11a61fdbbcab964f1cd9b26ce3939501

SHA512
7c2aab21fa82f310a4f08b52af0894a94ee3b59bb179a667d4e4a04519b2fde80d460de2d5e330a1d04d71a90141f9f306cdc6d98a49d8840ee77ef46715ef77

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA20B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF0CA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79F1.tmp.bat

Filesize
169B

MD5
e4fea890fb73aaf511a50627cb756983

SHA1
18c8cd2dee7effb47720122d17236af4f559f1e1

SHA256
b41d69587db3b0a4658a9d8eb60e12c476823530a1f9cda00cf78b3d2e67aab7

SHA512
b56c1066a1b529095557bc27e98998716a9187f6ce7f8f0253dc79a4744fb2ddb83f7c383e04ccc022864d0611df462c7d838128eaacc77601f9aa6e199214af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF188.tmp.bat

Filesize
174B

MD5
3f1d1c3400be4488aae097f99dc3f744

SHA1
ff5596730ef21c1cea82c2f0d62d4fd954abb884

SHA256
fec803c88ae2f339f9f7343a88ba60714bd241e3827f91436ca81906b35a48f2

SHA512
0dfd10672b469583d4c18d224a2068ccbb69124065e2a0a03b9e79ac5f626cca8a996dc6c19935df18876ac40f398e0fa14836f31d0a49c86b923e08f74e1e46

Download Submit
memory/2696-0-0x000007FEF4E83000-0x000007FEF4E84000-memory.dmp

Filesize
4KB

Download
memory/2696-1-0x00000000010C0000-0x00000000010D6000-memory.dmp

Filesize
88KB

Download
memory/2696-2-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-3-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-13-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-17-0x0000000000D50000-0x0000000000D66000-memory.dmp

Filesize
88KB

Download
memory/3016-34-0x000000001B9D0000-0x000000001BA82000-memory.dmp

Filesize
712KB

Download