asyncrat | 2b596a314c81f7d9f353e633cb8d749f754df91688a0ef33dea147a1b9133f48

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/01/2025, 05:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fingertip.exe
Size

7.7MB
MD5

4c98942e7fe2d54c288d76823df76c8b
SHA1

37924bd8d1e986232a64d9f7aed3fe23066235b7
SHA256

2b596a314c81f7d9f353e633cb8d749f754df91688a0ef33dea147a1b9133f48
SHA512

f32fd2e0b8a038ea20517c873db96ef2b143849bc0ed2cba403aa7ef1247101051dc2ec1a3976bdf335550de904a72573ffce99cac4ce2848c57ed9f87751445
SSDEEP

196608:0qwHj0Okbl0DuTCixKP3Tg8pJ6HKi/f4Xlb28qkZwXMgyNyW:K0ewCCe3TNJ9kfY2jHk

Score

10^/10

asyncrat work discovery rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Work

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

999.0.0.2:6606

999.0.0.2:7707

999.0.0.2:8808

Mutex

oz6goIqD8qt9

Attributes

delay
3
install
true
install_file
tmp315C.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000015d68-6.dat	family_asyncrat

Executes dropped EXE 4 IoCs

pid	Process
2240	Workv2.exe
2648	v2.exe
2340	v2.exe
1468	tmp315C.exe

Loads dropped DLL 4 IoCs

pid	Process
2364	Fingertip.exe
2648	v2.exe
2340	v2.exe
2196	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001938b-56.dat	upx
behavioral1/memory/2340-58-0x000007FEF5810000-0x000007FEF5E00000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp315C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Workv2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1860	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2240	Workv2.exe
2240	Workv2.exe
2240	Workv2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	Workv2.exe
Token: SeDebugPrivilege	1468	tmp315C.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2240	2364	Fingertip.exe	31
PID 2364 wrote to memory of 2240	2364	Fingertip.exe	31
PID 2364 wrote to memory of 2240	2364	Fingertip.exe	31
PID 2364 wrote to memory of 2240	2364	Fingertip.exe	31
PID 2240 wrote to memory of 2976	2240	Workv2.exe	32
PID 2240 wrote to memory of 2976	2240	Workv2.exe	32
PID 2240 wrote to memory of 2976	2240	Workv2.exe	32
PID 2240 wrote to memory of 2976	2240	Workv2.exe	32
PID 2240 wrote to memory of 2196	2240	Workv2.exe	34
PID 2240 wrote to memory of 2196	2240	Workv2.exe	34
PID 2240 wrote to memory of 2196	2240	Workv2.exe	34
PID 2240 wrote to memory of 2196	2240	Workv2.exe	34
PID 2976 wrote to memory of 2980	2976	cmd.exe	36
PID 2976 wrote to memory of 2980	2976	cmd.exe	36
PID 2976 wrote to memory of 2980	2976	cmd.exe	36
PID 2976 wrote to memory of 2980	2976	cmd.exe	36
PID 2364 wrote to memory of 2648	2364	Fingertip.exe	37
PID 2364 wrote to memory of 2648	2364	Fingertip.exe	37
PID 2364 wrote to memory of 2648	2364	Fingertip.exe	37
PID 2196 wrote to memory of 1860	2196	cmd.exe	38
PID 2196 wrote to memory of 1860	2196	cmd.exe	38
PID 2196 wrote to memory of 1860	2196	cmd.exe	38
PID 2196 wrote to memory of 1860	2196	cmd.exe	38
PID 2648 wrote to memory of 2340	2648	v2.exe	39
PID 2648 wrote to memory of 2340	2648	v2.exe	39
PID 2648 wrote to memory of 2340	2648	v2.exe	39
PID 2196 wrote to memory of 1468	2196	cmd.exe	40
PID 2196 wrote to memory of 1468	2196	cmd.exe	40
PID 2196 wrote to memory of 1468	2196	cmd.exe	40
PID 2196 wrote to memory of 1468	2196	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\Fingertip.exe
"C:\Users\Admin\AppData\Local\Temp\Fingertip.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Workv2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Workv2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "tmp315C" /tr '"C:\Users\Admin\AppData\Roaming\tmp315C.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "tmp315C" /tr '"C:\Users\Admin\AppData\Roaming\tmp315C.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7233.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1860
  - - C:\Users\Admin\AppData\Roaming\tmp315C.exe
      "C:\Users\Admin\AppData\Roaming\tmp315C.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1468
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\v2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\v2.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\v2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Workv2.exe

Filesize
71KB

MD5
1def2f48782ecc1923dd02c448812ca0

SHA1
d4b993306694cf14e9a8d76d6ef487abf23777f1

SHA256
9ec2a198611952fa252b39416afa05bf61e8f511005a3e61a23d31b8963d4554

SHA512
147b84da67ba11e9ef895d9d48f97ce113d9013f1a49178937bb3ac0f332f52710d50da0fc8dd84d8c0a686012fcc60bf559339e66caa35489b0555c5e00e8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\v2.exe

Filesize
7.4MB

MD5
469219008ccc5581187650d157ab38c2

SHA1
ba9b103f2a91679dd12c01dac1ebce7b4d9af449

SHA256
5f698bb7c3fa9d70a1e682090c5fe0835ce1fb5b3981a8199e3955328d8ee8b9

SHA512
3abea412722931a97bd84474e49cf07d6afd1fae9a3b3573497bb46c102a6d52bcd66187afa4df2d592fd3ccd7709d3ed03836884b66d0c64e21e89d3f484fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26482\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7233.tmp.bat

Filesize
151B

MD5
88dd95a0db59eb49015d35f9b2e666d4

SHA1
7ee1cde00fbe271fb63ad6fbf7d9e79e34e5811d

SHA256
93d7eff53c2f35d042d2f067f8e8123e3e72a6b5936c336887fb45d95c6ace95

SHA512
db63bd832cecb6fa206da4ba00fe6d1ad55152342dc9f1ea7dacf2ae7c2f063ee810aa5f691679dd3d3ab46d46dedce81af64b5e70caec1a10846b9e1d90f855

Download Submit
memory/1468-62-0x0000000000FD0000-0x0000000000FE8000-memory.dmp

Filesize
96KB

Download
memory/2240-14-0x000000007412E000-0x000000007412F000-memory.dmp

Filesize
4KB

Download
memory/2240-15-0x00000000012A0000-0x00000000012B8000-memory.dmp

Filesize
96KB

Download
memory/2240-16-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2240-25-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2340-58-0x000007FEF5810000-0x000007FEF5E00000-memory.dmp

Filesize
5.9MB

Download