asyncrat | c93d11c96d20e8b20cff7cd018440fa16f6601c047890c48c7e72cb5e0077e02

General

Target

Windows Defenders.exe
Size

82KB
MD5

c83eee916e8a78f97511dd3bce5fd38c
SHA1

0748ee6c65a2c401b8641d39cfff57e087f62154
SHA256

c93d11c96d20e8b20cff7cd018440fa16f6601c047890c48c7e72cb5e0077e02
SHA512

de60264ce73d09266727d5b8be3cda669b8e5f2ae2c68c09dfc9e6f1cfcfc512a3abba459cd55a63bf7f0fa83136bb6d511a16ff7553813a799446faa27f5b51
SSDEEP

1536:gD9iBlgS19xE2VE8NVBxcEu6+rFanqNy7g4FY2qNlnw:gRU119rEMVAEX+4KoFRt

Score

10^/10

asyncrat xworm default persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

understanding-described.gl.at.ply.gg:3953

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

C2

understanding-described.gl.at.ply.gg:3953

Attributes

Install_directory
%AppData%
install_file
scvhost.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023b82-18.dat	family_xworm
behavioral2/memory/912-26-0x0000000000EB0000-0x0000000000EC8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023b7e-7.dat	family_asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Windows Defenders.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	AVDG AntiVirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Avast AntiVirus.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Avast AntiVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Avast AntiVirus.exe

Executes dropped EXE 18 IoCs

pid	Process
2292	AVDG AntiVirus.exe
912	Avast AntiVirus.exe
384	svchost.exe
1452	svchost
4836	svchost
2036	svchost
3864	svchost
528	svchost
2948	svchost
3812	svchost
2328	svchost
2952	svchost
4636	svchost
4464	svchost
2032	svchost
316	svchost
3068	svchost
2688	svchost

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost"	Avast AntiVirus.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1188	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2264	schtasks.exe
5024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
2292	AVDG AntiVirus.exe
912	Avast AntiVirus.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	Windows Defenders.exe
Token: SeDebugPrivilege	912	Avast AntiVirus.exe
Token: SeDebugPrivilege	2292	AVDG AntiVirus.exe
Token: SeDebugPrivilege	384	svchost.exe
Token: SeDebugPrivilege	912	Avast AntiVirus.exe
Token: SeDebugPrivilege	1452	svchost
Token: SeDebugPrivilege	4836	svchost
Token: SeDebugPrivilege	2036	svchost
Token: SeDebugPrivilege	3864	svchost
Token: SeDebugPrivilege	528	svchost
Token: SeDebugPrivilege	2948	svchost
Token: SeDebugPrivilege	3812	svchost
Token: SeDebugPrivilege	2328	svchost
Token: SeDebugPrivilege	2952	svchost
Token: SeDebugPrivilege	4636	svchost
Token: SeDebugPrivilege	4464	svchost
Token: SeDebugPrivilege	2032	svchost
Token: SeDebugPrivilege	316	svchost
Token: SeDebugPrivilege	3068	svchost
Token: SeDebugPrivilege	2688	svchost

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
912	Avast AntiVirus.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2292	1388	Windows Defenders.exe	84
PID 1388 wrote to memory of 2292	1388	Windows Defenders.exe	84
PID 1388 wrote to memory of 912	1388	Windows Defenders.exe	85
PID 1388 wrote to memory of 912	1388	Windows Defenders.exe	85
PID 2292 wrote to memory of 1984	2292	AVDG AntiVirus.exe	86
PID 2292 wrote to memory of 1984	2292	AVDG AntiVirus.exe	86
PID 2292 wrote to memory of 2272	2292	AVDG AntiVirus.exe	88
PID 2292 wrote to memory of 2272	2292	AVDG AntiVirus.exe	88
PID 2272 wrote to memory of 1188	2272	cmd.exe	90
PID 2272 wrote to memory of 1188	2272	cmd.exe	90
PID 1984 wrote to memory of 2264	1984	cmd.exe	91
PID 1984 wrote to memory of 2264	1984	cmd.exe	91
PID 2272 wrote to memory of 384	2272	cmd.exe	92
PID 2272 wrote to memory of 384	2272	cmd.exe	92
PID 912 wrote to memory of 5024	912	Avast AntiVirus.exe	93
PID 912 wrote to memory of 5024	912	Avast AntiVirus.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Windows Defenders.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defenders.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\AVDG AntiVirus.exe
  "C:\Users\Admin\AppData\Local\Temp\AVDG AntiVirus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA180.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1188
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:384
- C:\Users\Admin\AppData\Local\Temp\Avast AntiVirus.exe
  "C:\Users\Admin\AppData\Local\Temp\Avast AntiVirus.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5024

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Users\Admin\AppData\Roaming\svchost
C:\Users\Admin\AppData\Roaming\svchost
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AVDG AntiVirus.exe

Filesize
63KB

MD5
014c308c9e085a5204d4af8651710143

SHA1
31499e284c9f4d8ede48e88512a89f0c5f68f896

SHA256
0e8ac5b96d7b8a6bef8052eaeb57c732dee119379f659cbe7249543dd225f33d

SHA512
058f38c23926fcad0367850ce9f91d489111d0bcb06903b9246295e335b6aca2b20cb84065408863d8aab866dfc527742e93d264d6ffa64a86d60c21934fd22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Avast AntiVirus.exe

Filesize
67KB

MD5
e317647c04bfe18d171514c96d20a569

SHA1
4419cd2d51788d85ded8b8a110b186c10a09aefc

SHA256
f61f7e874d0aa814ab9799a363174a2f9ed4284a1537748c06d736070d2c20a6

SHA512
3da0e895f20188332db8c8a0562452d18e7676c4c461bab31e05c1d53202e38e0217804ec12d4d3aa68610e0573e8d54d16629d94dd7238f61925a2a3ca6319e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA180.tmp.bat

Filesize
151B

MD5
e3020834fb9f9eb0f48ef032eaa35f6c

SHA1
61c294efaaac804605fca1372a818217b85a8ebb

SHA256
5f3c9a7f166ef5eef92acbe25c028844468c93a7a2fe349d8b7f14141cefb9d4

SHA512
dfb421b8445b3a0140f28307c72d16c71e871772a62165d4d22df8b4562487076c81cf282ce1328cf4e84097ff28584a0e8d7cb732f4ea6f90c1b2e7bdcdfac3

Download Submit
memory/912-26-0x0000000000EB0000-0x0000000000EC8000-memory.dmp

Filesize
96KB

Download
memory/912-28-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/912-40-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/1388-0-0x00007FFB5E6D3000-0x00007FFB5E6D5000-memory.dmp

Filesize
8KB

Download
memory/1388-2-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/1388-36-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/1388-1-0x0000000000940000-0x000000000095A000-memory.dmp

Filesize
104KB

Download
memory/2292-25-0x0000000000100000-0x0000000000116000-memory.dmp

Filesize
88KB

Download
memory/2292-27-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download
memory/2292-33-0x00007FFB5E6D0000-0x00007FFB5F191000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads