asyncrat | ae3f87d64dc6c41c9a80287a3d58769b72730402d24e7389f1cdb8b836ebeae9

General

Target

Client.exe
Size

47KB
MD5

d5c9a99faec2ef972d47aa0a15cb4388
SHA1

8832d330806ca587fd9d0da341a530080ff98277
SHA256

ae3f87d64dc6c41c9a80287a3d58769b72730402d24e7389f1cdb8b836ebeae9
SHA512

83c2524d2947dbcd979d7d3e0b1b1b8b6d043668e8d88785bddaa3daab8263c82dbd62dbbd9c3a4ba9a9f72b03b8186ffbc7c5237dfc021eb9874070b074ba60
SSDEEP

768:p9umxLiIL1CaS+DiMtelDSN+iV08YbygekUHuZtbIr/IvEgK/JnZVc6KN:p9uAPWMtKDs4zb1lUuZta/InkJnZVclN

Score

10^/10

asyncrat default ransomware rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:8848

127.0.0.1:8085

127.0.0.1:65366

record-lopez.gl.at.ply.gg:8848

record-lopez.gl.at.ply.gg:8085

record-lopez.gl.at.ply.gg:65366

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/5104-32-0x0000000000B60000-0x0000000000B6E000-memory.dmp	disable_win_def

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC1DB.tmp.jpg"	Client.exe

Modifies Control Panel 2 IoCs

defense_evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\WallpaperStyle = "2"	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\TileWallpaper = "0"	Client.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5104	Client.exe
5104	Client.exe
5104	Client.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5104	Client.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5104	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3172	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5104

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b66799d715b113faf28da5aaba5528ef

SHA1
1b20576808d17c24f7abf2c49a7facfbc1480da4

SHA256
bb7ed85e7a1833e5a31d62882937ee6b094f2421b9d1c8d9b6e64b9845b29868

SHA512
93d4708a2f4bb3ca7b5bcb0f3dc13eb5e93bfa5e485845822d67770e4c0217797f330ab9395598b1d7452cc8191e4d3848a1b268a6cd1b7a5001266ce53794d6

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
77a8b2c86dd26c214bc11c989789b62d

SHA1
8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499

SHA256
e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8

SHA512
c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC1DA.tmp.jpg

Filesize
1.1MB

MD5
daa756fda35cedf3d0f1318cb43edab6

SHA1
4ba5c772c6d096b4ce2a2146ae90b1aa5017dbca

SHA256
435d73ec39ef37851b96b0d896cff604abaec7abb8a03a61c8f698c9e2ad71e9

SHA512
86f2326f5e63b10ffd1d30d347d370f02009f8bba9f517b4b21cdfc8e68c253d34921d097682b7cea1ad4cb439fc7fa9cfad815c2b4873486d00069009e89514

Download Submit
memory/5104-6-0x00007FFABD6D0000-0x00007FFABE192000-memory.dmp

Filesize
10.8MB

Download
memory/5104-0-0x00007FFABD6D3000-0x00007FFABD6D5000-memory.dmp

Filesize
8KB

Download
memory/5104-8-0x000000001CAA0000-0x000000001CB08000-memory.dmp

Filesize
416KB

Download
memory/5104-7-0x000000001CB20000-0x000000001CB96000-memory.dmp

Filesize
472KB

Download
memory/5104-9-0x000000001B170000-0x000000001B18E000-memory.dmp

Filesize
120KB

Download
memory/5104-10-0x00007FFABD6D0000-0x00007FFABE192000-memory.dmp

Filesize
10.8MB

Download
memory/5104-11-0x00007FFABD6D0000-0x00007FFABE192000-memory.dmp

Filesize
10.8MB

Download
memory/5104-12-0x00007FFABD6D0000-0x00007FFABE192000-memory.dmp

Filesize
10.8MB

Download
memory/5104-3-0x00007FFABD6D3000-0x00007FFABD6D5000-memory.dmp

Filesize
8KB

Download
memory/5104-2-0x00007FFABD6D0000-0x00007FFABE192000-memory.dmp

Filesize
10.8MB

Download
memory/5104-32-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/5104-1-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/5104-39-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing