asyncrat | b08ab7f2566b8d9d5de71faa1eb1bcea350ef22061341b36426ce7dcb47cd461

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AsyncRAT v2.1/AsyncRAT.exe
Size

6.0MB
MD5

34c62e8ffbe11193392c51872444deaa
SHA1

b7920bb0a3f068f0a261f643c968895b858f04ef
SHA256

e35bf51c40c50f326fb71764c23679be6df7bf8f67616bd5329c9948901a251e
SHA512

f2ebde604b43e96e24c5107a25383f720990bbe7ff808f0b1a51ec8b0d660cf8fd4b4417ace05e6181fc05cafde1b30d3e074b0c3f0ea31926d80c8d2e813a6b
SSDEEP

98304:7arL7Q+u1R8ubXx4dUeG3wBPKS8IbwIFcNZLQMe3tTJ0HZGCFgM:0A+u1R8OGdm3m+rQD9F0kCFgM

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

mimihard.ddns.net:5353

mimihard.ddns.net:1900

mimihard.ddns.net:5355

mimihard.ddns.net:61025

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
taskhostw.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral4/files/0x000700000002425c-18.dat	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Scinhgekba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	AsyncRAT.exe

Executes dropped EXE 3 IoCs

pid	Process
5180	Tojulvfveuxe.exe
3704	Scinhgekba.exe
4428	taskhostw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Scinhgekba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhostw.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
464	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
3704	Scinhgekba.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe
5180	Tojulvfveuxe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	Scinhgekba.exe
Token: SeDebugPrivilege	4428	taskhostw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5180	Tojulvfveuxe.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5180	Tojulvfveuxe.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5900 wrote to memory of 5180	5900	AsyncRAT.exe	88
PID 5900 wrote to memory of 5180	5900	AsyncRAT.exe	88
PID 5900 wrote to memory of 3704	5900	AsyncRAT.exe	89
PID 5900 wrote to memory of 3704	5900	AsyncRAT.exe	89
PID 5900 wrote to memory of 3704	5900	AsyncRAT.exe	89
PID 3704 wrote to memory of 5004	3704	Scinhgekba.exe	95
PID 3704 wrote to memory of 5004	3704	Scinhgekba.exe	95
PID 3704 wrote to memory of 5004	3704	Scinhgekba.exe	95
PID 3704 wrote to memory of 3808	3704	Scinhgekba.exe	97
PID 3704 wrote to memory of 3808	3704	Scinhgekba.exe	97
PID 3704 wrote to memory of 3808	3704	Scinhgekba.exe	97
PID 5004 wrote to memory of 232	5004	cmd.exe	99
PID 5004 wrote to memory of 232	5004	cmd.exe	99
PID 5004 wrote to memory of 232	5004	cmd.exe	99
PID 3808 wrote to memory of 464	3808	cmd.exe	100
PID 3808 wrote to memory of 464	3808	cmd.exe	100
PID 3808 wrote to memory of 464	3808	cmd.exe	100
PID 3808 wrote to memory of 4428	3808	cmd.exe	104
PID 3808 wrote to memory of 4428	3808	cmd.exe	104
PID 3808 wrote to memory of 4428	3808	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\AsyncRAT v2.1\AsyncRAT.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncRAT v2.1\AsyncRAT.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5900
- C:\Users\Admin\AppData\Local\Temp\Tojulvfveuxe.exe
  "C:\Users\Admin\AppData\Local\Temp\Tojulvfveuxe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5180
- C:\Users\Admin\AppData\Local\Temp\Scinhgekba.exe
  "C:\Users\Admin\AppData\Local\Temp\Scinhgekba.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "taskhostw" /tr '"C:\Users\Admin\AppData\Roaming\taskhostw.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "taskhostw" /tr '"C:\Users\Admin\AppData\Roaming\taskhostw.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5E9B.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:464
  - - C:\Users\Admin\AppData\Roaming\taskhostw.exe
      "C:\Users\Admin\AppData\Roaming\taskhostw.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Scinhgekba.exe

Filesize
1024KB

MD5
8904b6100dd8e7d1f9d42a7fdc8c936a

SHA1
53e9a52df26a038e9282ca49be93698d6041f622

SHA256
3a3d7f82a905d2577fb5cdbb29e00805500b80ce0703bf2baf6ccd21996fa47c

SHA512
b2dbac867df4a00717c717aaca7025b439110514723bb846ea7929d5a006dfca406aa7d57cd434c7ab424ecfc617dfc4f1f94f1fef66e2ddefda62f9f392f8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tojulvfveuxe.exe

Filesize
6.4MB

MD5
36e71813a30b96f64943eb8cea2c52ec

SHA1
838f8938ff5f6e2daa8975bbd2af3e785bf4cd8b

SHA256
bb1f2c2c9b279790b67eaea6ab0bbce3a4d4432bbe1bd716750f2f9ba3337f7e

SHA512
953bc81e1f6c27763f84a1599cd92e3f30aed9217589b4c47bd0ca802df7ceff903e14f87a96f2247cde8e8ed0ebfa3dbd840abb6c243b798cc0a19791296b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E9B.tmp.bat

Filesize
153B

MD5
60e6b51bbba751eb66111337f070abfc

SHA1
e69226e7de47397fc92d9ae4d8f2e30e0b2c19cd

SHA256
36eabd80a4d0b0f814ee03b3b27415a9738ea60e093c9e7615434a2a1a5c092f

SHA512
fdce93905387267851165307c3780004bf642998f7fc89cf592f0b12e96db11d3c2712dc25503d2d17d6ef2a276454d85c3477de704e50c38cdf0f5bd334846f

Download Submit
memory/3704-34-0x0000000004DC0000-0x0000000004E5C000-memory.dmp

Filesize
624KB

Download
memory/3704-28-0x000000007453E000-0x000000007453F000-memory.dmp

Filesize
4KB

Download
memory/3704-32-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/5180-26-0x00007FFC3A650000-0x00007FFC3B111000-memory.dmp

Filesize
10.8MB

Download
memory/5180-27-0x0000025A39830000-0x0000025A39E96000-memory.dmp

Filesize
6.4MB

Download
memory/5180-31-0x0000025A544C0000-0x0000025A544D0000-memory.dmp

Filesize
64KB

Download
memory/5180-33-0x0000025A544D0000-0x0000025A54722000-memory.dmp

Filesize
2.3MB

Download
memory/5180-44-0x0000025A54A40000-0x0000025A54BE9000-memory.dmp

Filesize
1.7MB

Download
memory/5180-45-0x00007FFC3A650000-0x00007FFC3B111000-memory.dmp

Filesize
10.8MB

Download
memory/5900-2-0x00007FFC3A650000-0x00007FFC3B111000-memory.dmp

Filesize
10.8MB

Download
memory/5900-30-0x00007FFC3A650000-0x00007FFC3B111000-memory.dmp

Filesize
10.8MB

Download
memory/5900-0-0x00007FFC3A653000-0x00007FFC3A655000-memory.dmp

Filesize
8KB

Download
memory/5900-1-0x0000000000020000-0x00000000004B6000-memory.dmp

Filesize
4.6MB

Download