asyncrat | 7bddd8edf64a31b1eed5498d9b87a31e091e8ca494965b23e0f320b994540f1c

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bddd8edf64a31b1eed5498d9b87a31e091e8ca494965b23e0f320b994540f1c.exe
Size

9.0MB
MD5

c6e2b34b10109eebc3949f470129d332
SHA1

42549d7f961cbd2797a1386a3687b7e09fd7a98f
SHA256

7bddd8edf64a31b1eed5498d9b87a31e091e8ca494965b23e0f320b994540f1c
SHA512

485f4e81fdd9562fbc38ce309bf07a9e379761bbd1db15f3a0e5f56371eafe70ee644529205cb4d4967f17071d94006b6808ef0c911f8d767d6f825fa11bc710
SSDEEP

49152:NYWurNFmASdq+juphCxBBibfVG2UoLPKJepsSi7yuA84UMmbQpBo1f71F+fDDisV:NeNF

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

pydjnzwlm.localto.net:8472

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000200000001e732-130.dat	family_asyncrat

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	yapmaya4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	yapmayaaaa2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	7bddd8edf64a31b1eed5498d9b87a31e091e8ca494965b23e0f320b994540f1c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	LocalSIsGKmIjDK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	yapmaya9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	yapmaya8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	yapmaya7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	yapmaya5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	yapmayaaaa3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	yapmaya6.exe

Executes dropped EXE 10 IoCs

pid	Process
3844	LocalSIsGKmIjDK.exe
2404	yapmaya9.exe
2980	yapmaya8.exe
2336	yapmaya7.exe
4108	yapmaya6.exe
2528	yapmaya5.exe
4592	yapmaya4.exe
4580	yapmayaaaa3.exe
2272	yapmayaaaa2.exe
3800	yapmayaaa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LocalSIsGKmIjDK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yapmaya9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yapmaya8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yapmaya5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yapmayaaaa2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yapmayaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yapmaya7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yapmaya6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yapmaya4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yapmayaaaa3.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 3844	3356	7bddd8edf64a31b1eed5498d9b87a31e091e8ca494965b23e0f320b994540f1c.exe	88
PID 3356 wrote to memory of 3844	3356	7bddd8edf64a31b1eed5498d9b87a31e091e8ca494965b23e0f320b994540f1c.exe	88
PID 3356 wrote to memory of 3844	3356	7bddd8edf64a31b1eed5498d9b87a31e091e8ca494965b23e0f320b994540f1c.exe	88
PID 3844 wrote to memory of 2404	3844	LocalSIsGKmIjDK.exe	89
PID 3844 wrote to memory of 2404	3844	LocalSIsGKmIjDK.exe	89
PID 3844 wrote to memory of 2404	3844	LocalSIsGKmIjDK.exe	89
PID 2404 wrote to memory of 2980	2404	yapmaya9.exe	90
PID 2404 wrote to memory of 2980	2404	yapmaya9.exe	90
PID 2404 wrote to memory of 2980	2404	yapmaya9.exe	90
PID 2980 wrote to memory of 2336	2980	yapmaya8.exe	93
PID 2980 wrote to memory of 2336	2980	yapmaya8.exe	93
PID 2980 wrote to memory of 2336	2980	yapmaya8.exe	93
PID 2336 wrote to memory of 4108	2336	yapmaya7.exe	96
PID 2336 wrote to memory of 4108	2336	yapmaya7.exe	96
PID 2336 wrote to memory of 4108	2336	yapmaya7.exe	96
PID 4108 wrote to memory of 2528	4108	yapmaya6.exe	97
PID 4108 wrote to memory of 2528	4108	yapmaya6.exe	97
PID 4108 wrote to memory of 2528	4108	yapmaya6.exe	97
PID 2528 wrote to memory of 4592	2528	yapmaya5.exe	98
PID 2528 wrote to memory of 4592	2528	yapmaya5.exe	98
PID 2528 wrote to memory of 4592	2528	yapmaya5.exe	98
PID 4592 wrote to memory of 4580	4592	yapmaya4.exe	99
PID 4592 wrote to memory of 4580	4592	yapmaya4.exe	99
PID 4592 wrote to memory of 4580	4592	yapmaya4.exe	99
PID 4580 wrote to memory of 2272	4580	yapmayaaaa3.exe	101
PID 4580 wrote to memory of 2272	4580	yapmayaaaa3.exe	101
PID 4580 wrote to memory of 2272	4580	yapmayaaaa3.exe	101
PID 2272 wrote to memory of 3800	2272	yapmayaaaa2.exe	102
PID 2272 wrote to memory of 3800	2272	yapmayaaaa2.exe	102
PID 2272 wrote to memory of 3800	2272	yapmayaaaa2.exe	102

C:\Users\Admin\AppData\Local\Temp\7bddd8edf64a31b1eed5498d9b87a31e091e8ca494965b23e0f320b994540f1c.exe
"C:\Users\Admin\AppData\Local\Temp\7bddd8edf64a31b1eed5498d9b87a31e091e8ca494965b23e0f320b994540f1c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\LocalSIsGKmIjDK.exe
  "C:\Users\Admin\AppData\LocalSIsGKmIjDK.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya9.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya8.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya8.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya7.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya7.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya6.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya6.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya5.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya5.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya4.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya4.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmayaaaa3.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmayaaaa3.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmayaaaa2.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmayaaaa2.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmayaaa.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmayaaa.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalSIsGKmIjDK.exe

Filesize
8.7MB

MD5
a1bb98b19542315849784d31316c8caa

SHA1
91534237e04fb32b094fee643bae15c4d5350c56

SHA256
0e9e9d71d33888e475260d9447198b85136a8112ca8fad7636ee8e5d682fb86d

SHA512
71f3be1f115f2d6c2b9085f1e7dbedc379d9cf8c2ce194a6a8f0773797f0e25bbeca89e3a5dbda1d7a2f9d583fc749a1ce7bbdaaf0313fee4c0ff9fc3ea0df75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\yapmaya5.exe.log

Filesize
774B

MD5
fc93eb9acb036dc0adcb7e9203deae84

SHA1
f6180e425e36b03252e18d9edb38c853a0546226

SHA256
8da330d49f43e46c3c34a7283f168ab399a37280b490503d7e7ca8ff34eaddae

SHA512
8ed8c6f1199da12f71819be099b2f129eced45e27e7bd7e1efbb07b09c7102bd31aaa9c39de85c9a583963b9331248d53d76eec0eb2b8ba7173ab0fdef25a620

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya4.exe

Filesize
1.0MB

MD5
c90aef7e6df6038f2f23cd2e1d0fb58c

SHA1
b99029001b08363d58decd4ffcda77da6fbe9e21

SHA256
4df6eba6f169816234767390297d6c7245fca8e9634f4f5ec9fb2c1ca739b665

SHA512
bd8a2e67963b0f84a10f2f3df96de7b18fed99aecafd26e1606540dac002903b03570543b60edece7d56fcc5b31098edb48fcd3ae61f46a0ac753cefad29c785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya5.exe

Filesize
1.6MB

MD5
f3a45f3cdaeb7b6526501350554594d2

SHA1
3c57a0fb28bf2d09113d61b47e9c824333243f9d

SHA256
c6d248125ce8228aa3f24d630fb7794f6b6ce62dc595d7803725866e5109ab87

SHA512
379757ab1283649afd8615cbb8004e8c8465f6ffd2f5e449ad5c648d5949430fa39fe762cd5a936418aa9a656ff44fbbfd6959ae8ab09031c9e51df9241aff69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya6.exe

Filesize
2.3MB

MD5
86aa34234e15ed802c7c22eed1dc9ca0

SHA1
de7183058c5991ab1b65a93cb1728543acb3d6e4

SHA256
82493fd6e1084725cd70680a84cf1d076d18aaf7fb2f67b228023772ce890e3a

SHA512
27149943511769b9b120ff4b5dc2301a8e5ea9888c19a1cddf64e119773e040cc0ea09c77aa5e0e96fef3984716d6d18858f3de4fcc7f1fb95ff111e2a40dd9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya7.exe

Filesize
3.3MB

MD5
bcdbd52ddfe4981f11e6ecaded4d54b2

SHA1
e2c17036349e821f32f04c28514aebc4e541de8c

SHA256
4908d812aa13e931a2700441740d7d30bc9969c793290b0fde3de404527ae0c5

SHA512
bb7d5d567b15df4f500dfdd31c95b88f8a2092b67564536d0b25187a8f39d6566e879c846c853c2f05c6bba5420c3ea91f624bcd1c57eeae422dd802d30864b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya8.exe

Filesize
4.6MB

MD5
87cf3db15ce64b9b208b7d3e7cba694b

SHA1
d6082cf0ba9ef633f6974d450ad2be5abf368bd3

SHA256
89a8b14f093b2a2f2ab5d2b23119d8678b20b22157dd951de2a92326532557d9

SHA512
b1970f32b31d3969fb0e354eb1b69c0aa879b206ecf97cce24f9fd0bc098d6537e41e7e2d637bb84550d31c3c803086425956a0bb809251cc19c794e83c29907

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmaya9.exe

Filesize
6.3MB

MD5
bf36e6187212872f3f29f2aeb59b5b86

SHA1
c1421939ba37d59b69d5e6e599245fd42e01c4e9

SHA256
0f83abd9b5c1991f9600431c31ea962336341e5f78c2a871eef00bee51f7cdda

SHA512
550c56c89c3525b91d4f44a6c6cbecd25f3f85de99981a87a0a5d4a8135197975b50049587f5952598959732bf7d05e7cea18e668c32a6a647fda00b23b43212

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmayaaa.exe

Filesize
45KB

MD5
db6ded982f65a66b11d87d14c2b92725

SHA1
e3f699244abc65f6d0987340fe175e1fa94c0275

SHA256
689f05d04a7b10fade6a297386a4477423d524bbb9672bc5f15ec0d1b08cbbb8

SHA512
519e0837f01c4cc057c0e4e8b11a106f5b036cf83734d484b13c4c9f99ef029f03bd46b31194899736327a5b5981c2e091bc7f7cb9326ea3f1a621ac8f37a4a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmayaaaa2.exe

Filesize
283KB

MD5
6dcc316b65b326e7df1d08e5625ee2e6

SHA1
3f4fceae7968fee261550792a2631797a85fc23b

SHA256
e327db58ab491ae6480cf86febffb168cad44d5edc8809b6916477461b211284

SHA512
43b36c7487e5347c61ca182e769104326a8fd7913918463afdafd4887796b0d155550ff7ef3341837a27484839f31ae0ce9f8ae5662fd0a2a8364c55dff996f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yapmayaaaa3.exe

Filesize
601KB

MD5
fb6590c1b6b7e3c860532dad867aeb1d

SHA1
f02f11db454bb25163a8e8810557d2ce8386f158

SHA256
4408fb6b99f90760639476f318e13d8b43b6bc96ada53aa423d4db04e70161cf

SHA512
2a78f1d7ef734ebb38c3b0e30a4f86109ec69d517ee2c4fa42d76432fceada2099b3b915865fc32133bf561f19fcc21f06d624d879cc6873459c5c8733bc64ef

Download Submit
memory/2404-33-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/2404-47-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/3356-0-0x00007FFAF1CB5000-0x00007FFAF1CB6000-memory.dmp

Filesize
4KB

Download
memory/3356-17-0x00007FFAF1A00000-0x00007FFAF23A1000-memory.dmp

Filesize
9.6MB

Download
memory/3356-3-0x00007FFAF1A00000-0x00007FFAF23A1000-memory.dmp

Filesize
9.6MB

Download
memory/3356-1-0x00007FFAF1A00000-0x00007FFAF23A1000-memory.dmp

Filesize
9.6MB

Download
memory/3800-132-0x00000000008D0000-0x00000000008E2000-memory.dmp

Filesize
72KB

Download
memory/3844-34-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/3844-20-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/3844-18-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/3844-19-0x0000000074670000-0x0000000074C21000-memory.dmp

Filesize
5.7MB

Download
memory/3844-16-0x0000000074672000-0x0000000074673000-memory.dmp

Filesize
4KB

Download