asyncrat | 1ab7fef81e4a5325f70a7eb8f1e551edaa6344d16eb1aeca68974d89bb4e40db

Resubmissions

11/03/2025, 16:25

250311-txbamsxq12 10

10/03/2025, 16:59

250310-vhtzwastaz 10

Analysis

max time kernel
112s
max time network
129s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
10/03/2025, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdnmain/ef.exe
Size

54KB
MD5

0ed9406036832e40f6ace06478acdf44
SHA1

9a3ca883ec34bdfd1c21c61c6ca6d03c5365fa6e
SHA256

452e3305df1bf06c79301b9b87de1ec82561a793c4ef4ea5a02803123891b9f6
SHA512

9de32c71a4657d3e9ebd01fd1d933fd44b23c99809bbd0c8c423dcf8436d8c3f81e390ec34df8fb2e5a3a28974c864750ceaeb65693c04b1c5a1f8134eca69a5
SSDEEP

1536:de/mS9oEXN9p7aNJahXy4zGuH4XlqJaAIT+7bqhyX9qZ:d+mSawsLawqGMolq07i7bqMX9W

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

2.58.56.179:2035

Mutex

r4ttlesn4ke_ufog3f8u3egef978

Attributes

delay
1
install
true
install_file
Chrome.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral10/files/0x001d00000002ad2b-7.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
1600	chrome.exe
4264	Chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2592	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe
1600	chrome.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	chrome.exe
Token: SeDebugPrivilege	4264	Chrome.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 1600	3732	ef.exe	82
PID 3732 wrote to memory of 1600	3732	ef.exe	82
PID 1600 wrote to memory of 1708	1600	chrome.exe	83
PID 1600 wrote to memory of 1708	1600	chrome.exe	83
PID 1600 wrote to memory of 4120	1600	chrome.exe	85
PID 1600 wrote to memory of 4120	1600	chrome.exe	85
PID 4120 wrote to memory of 2592	4120	cmd.exe	88
PID 4120 wrote to memory of 2592	4120	cmd.exe	88
PID 1708 wrote to memory of 4512	1708	cmd.exe	87
PID 1708 wrote to memory of 4512	1708	cmd.exe	87
PID 4120 wrote to memory of 4264	4120	cmd.exe	89
PID 4120 wrote to memory of 4264	4120	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cdnmain\ef.exe
"C:\Users\Admin\AppData\Local\Temp\cdnmain\ef.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB873.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2592
  - - C:\Users\Admin\AppData\Roaming\Chrome.exe
      "C:\Users\Admin\AppData\Roaming\Chrome.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Chrome.exe.log

Filesize
425B

MD5
de75c43a265d0848584ae05945570edf

SHA1
69f95177914f8d8b2f278a91f585a0024b8dffd3

SHA256
d9bdf6a2bfdd9b2b5c8593de17ade3d8d317dad331aa6ca0da7483dd06db1140

SHA512
365f29c693dd7aa2ade092d765a96f20bf1f7fa93bca7f3b25aeddf5700817b9fd388e8f7d9f1b781c8a876739b06ad16d61e7ed08a1c85ac4be4686a38c63bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe

Filesize
48KB

MD5
560316acf1e4be6ee63f609da37e71b5

SHA1
5f22dcf7736356e24b92397162acb723010914fb

SHA256
44d97fbdb694ca55e3beec4ec031ef5162018bdbaff6a968ac25a21e078511b0

SHA512
38d185d48cf537162ef8302df31cdf723d7407765f21284492345cae914d38ec9e3a6cfee0080b5ff9ebef29f7ac54a505ea2e6fea5d65a60c4e6e1e67fb3361

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB873.tmp.bat

Filesize
150B

MD5
8467c56629b1bcb88212bdad2de927a3

SHA1
39bb782650fce3eb297bcd2bef6713ce50ae3e51

SHA256
a5166966dba898c339eaefc6c8ec362e98a3f201481891ca217cb06ac9567782

SHA512
5f4d4a4645ca1cd46f0751a4242b3c5ee6ddd885ad6c898429e29ba3185df7fd22b3231aea7993c2e09b8d9d2b28f75b6e94b2541a974cf7cfa13e9bb5615f4a

Download Submit
memory/1600-15-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/1600-17-0x00007FFAB9FC0000-0x00007FFABAA82000-memory.dmp

Filesize
10.8MB

Download
memory/1600-18-0x00007FFAB9FC0000-0x00007FFABAA82000-memory.dmp

Filesize
10.8MB

Download
memory/1600-23-0x00007FFAB9FC0000-0x00007FFABAA82000-memory.dmp

Filesize
10.8MB

Download
memory/3732-0-0x00007FFAB9FC3000-0x00007FFAB9FC5000-memory.dmp

Filesize
8KB

Download
memory/3732-1-0x0000000000B70000-0x0000000000B84000-memory.dmp

Filesize
80KB

Download
memory/3732-3-0x00007FFAB9FC0000-0x00007FFABAA82000-memory.dmp

Filesize
10.8MB

Download
memory/3732-16-0x00007FFAB9FC0000-0x00007FFABAA82000-memory.dmp

Filesize
10.8MB

Download