asyncrat | 79eaed7c6847d7559c9f001cb27e14f8aa12cc09d267ec81080f6751b040fd60

Analysis

max time kernel
57s
max time network
58s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

skiware.exe
Size

80KB
MD5

da6c964475c82cdefdb25e5ed1ef3f0a
SHA1

a99eccf95abe1004ef929008f035868146c969b1
SHA256

7c96e4b744b17878e2b05e514a084efcfd251f07452c6118f310a8352ccd9acb
SHA512

a7f2a029afa26afd1b8a82ad6ceb5f7606b31f3927c09565cc91e0b10a2a4491d736251d3370e8569a8c38bc26deee5a5eaacd378211a8a42a9dc30a3e57d3ec
SSDEEP

1536:3uK59THfe2SaCkE3bnXSs8MmsWCSdf3DBIYGUHerbqYwMyr:3uK3THfe2SZkE3bnPWCS1KYWwtr

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

Mutex

LY0OE31KAfUb

Attributes

delay
3
install
false
install_file
skiware.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/iuwY0WYh

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skiware.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	skiware.exe

C:\Users\Admin\AppData\Local\Temp\skiware.exe
"C:\Users\Admin\AppData\Local\Temp\skiware.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3048-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/3048-1-0x0000000001070000-0x000000000108A000-memory.dmp

Filesize
104KB

Download
memory/3048-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/3048-3-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/3048-4-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download