asyncrat | 612e431982c6d73fe3bfdf91ab00670282bf4c721055bfa4712e489a4165ecfe

General

Target

Infected.exe
Size

63KB
MD5

83a8b226bcdf74373ded0f465220c861
SHA1

0a04b14ca442073e1aa5f18d7b3c87bc7126eea9
SHA256

612e431982c6d73fe3bfdf91ab00670282bf4c721055bfa4712e489a4165ecfe
SHA512

3f35b9f52e7c1f3dc25b8c9efbf833ecbeb66fb551f20848feb735ceb6f57add20342c6398d7e62578ad54d2c2887169ff6fe660700be2d50c012141616b0fc4
SSDEEP

768:Qv0M2UM/978aQC8A+XjlazcBRL5JTk1+T4KSBGHmDbD/ph0oXL0KXuSu0dpqKYhg:b1/k/dSJYUbdh9vJu0dpqKmY7

Score

10^/10

asyncrat stealerium default collection discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:3111

127.0.0.1:51413

paul-nw.gl.at.ply.gg:3111

paul-nw.gl.at.ply.gg:51413

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	icanhazip.com
43	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5540	netsh.exe
1612	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Infected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Infected.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe
4392	Infected.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4392	Infected.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 1612	4392	Infected.exe	91
PID 4392 wrote to memory of 1612	4392	Infected.exe	91
PID 1612 wrote to memory of 2060	1612	cmd.exe	93
PID 1612 wrote to memory of 2060	1612	cmd.exe	93
PID 1612 wrote to memory of 5540	1612	cmd.exe	94
PID 1612 wrote to memory of 5540	1612	cmd.exe	94
PID 1612 wrote to memory of 1756	1612	cmd.exe	95
PID 1612 wrote to memory of 1756	1612	cmd.exe	95
PID 4392 wrote to memory of 1644	4392	Infected.exe	96
PID 4392 wrote to memory of 1644	4392	Infected.exe	96
PID 1644 wrote to memory of 1836	1644	cmd.exe	98
PID 1644 wrote to memory of 1836	1644	cmd.exe	98
PID 1644 wrote to memory of 5796	1644	cmd.exe	99
PID 1644 wrote to memory of 5796	1644	cmd.exe	99

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4392
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2060
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5540
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:1756
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1836
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

1

T1082

System Network Configuration Discovery

1

T1016

Wi-Fi Discovery

1

T1016.002

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\a6d277597c96762ede77823362c467c1\Admin@ALDSPQOO_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

Filesize
81B

MD5
ea511fc534efd031f852fcf490b76104

SHA1
573e5fa397bc953df5422abbeb1a52bf94f7cf00

SHA256
e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

SHA512
f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

Download Submit
C:\Users\Admin\AppData\Local\a6d277597c96762ede77823362c467c1\Admin@ALDSPQOO_en-US\System\Process.txt

Filesize
4KB

MD5
52a203777874760764cf3486734a2370

SHA1
0877a933838bd41840797f8c8df063326cabf91e

SHA256
3403793dc5285e1b8f4efaacf8be6f6aa6f93974fb2b886d0b33d92947302840

SHA512
77a5174409e475cb8073c091591d2636505acb23e126cde9c4c54fdca5f3200878b55638a3ae444656949216eaab74b4abfaf0bfd712470a8294b6fdb61bf65a

Download Submit
C:\Users\Admin\AppData\Local\a6d277597c96762ede77823362c467c1\Admin@ALDSPQOO_en-US\System\Process.txt

Filesize
807B

MD5
5aa87dee56e18575bc58fcdcdabf9331

SHA1
5bd776154ca032c8fde2e62ef850492d28b28e91

SHA256
cd3c2a533e0f4f7afbbeb3a300b47298cf79ad8f59eedadf7304bbd8910b0082

SHA512
d39bdaa6aa31978399435f4da098db125068ddfb83fc6785830feb9a86fd8746f09e06db19e646e76241cdf051eb92bdf738b25a5f2e3d65cc598208600d7962

Download Submit
C:\Users\Admin\AppData\Local\a6d277597c96762ede77823362c467c1\Admin@ALDSPQOO_en-US\System\Process.txt

Filesize
1KB

MD5
4731a438570a84860b9fa8afaada6cfd

SHA1
321b92a4d15599e70dc41edfab9517c36df63aae

SHA256
44e2d7c4cfb2f89bbf9324e6c3f43602f6a8d948f3408c0d1f91bc7785a3b5bc

SHA512
5509540a533a9682044949a038bbc35e01bb7522c7e3a4212b8f4afbf242f3994b7dba1f3afb4bfb2613d8bcb99a40f3f9a2b0ef35d463c5e1ae1ec4dad13116

Download Submit
memory/4392-16-0x00000000012B0000-0x00000000012BA000-memory.dmp

Filesize
40KB

Download
memory/4392-4-0x00007FF915DC3000-0x00007FF915DC5000-memory.dmp

Filesize
8KB

Download
memory/4392-6-0x00007FF915DC0000-0x00007FF916881000-memory.dmp

Filesize
10.8MB

Download
memory/4392-7-0x000000001D650000-0x000000001D6C6000-memory.dmp

Filesize
472KB

Download
memory/4392-8-0x0000000002C00000-0x0000000002C34000-memory.dmp

Filesize
208KB

Download
memory/4392-9-0x0000000002C50000-0x0000000002C6E000-memory.dmp

Filesize
120KB

Download
memory/4392-10-0x0000000002DA0000-0x0000000002DBC000-memory.dmp

Filesize
112KB

Download
memory/4392-11-0x000000001D980000-0x000000001DB08000-memory.dmp

Filesize
1.5MB

Download
memory/4392-1-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/4392-5-0x00007FF915DC0000-0x00007FF916881000-memory.dmp

Filesize
10.8MB

Download
memory/4392-3-0x00007FF915DC0000-0x00007FF916881000-memory.dmp

Filesize
10.8MB

Download
memory/4392-2-0x00007FF915DC0000-0x00007FF916881000-memory.dmp

Filesize
10.8MB

Download
memory/4392-150-0x00007FF915DC0000-0x00007FF916881000-memory.dmp

Filesize
10.8MB

Download
memory/4392-151-0x00007FF915DC0000-0x00007FF916881000-memory.dmp

Filesize
10.8MB

Download
memory/4392-154-0x00007FF915DC0000-0x00007FF916881000-memory.dmp

Filesize
10.8MB

Download
memory/4392-164-0x000000001DF10000-0x000000001DF8A000-memory.dmp

Filesize
488KB

Download
memory/4392-0-0x00007FF915DC3000-0x00007FF915DC5000-memory.dmp

Filesize
8KB

Download
memory/4392-199-0x00007FF915DC0000-0x00007FF916881000-memory.dmp

Filesize
10.8MB

Download
memory/4392-200-0x00007FF915DC0000-0x00007FF916881000-memory.dmp

Filesize
10.8MB

Download
memory/4392-201-0x00007FF915DC0000-0x00007FF916881000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads