asyncrat | dd68a4a8e4d269d9a785c02a5c8c65813007f8a0c2762a06e9069ff7f77739b0

Analysis

max time kernel
37s
max time network
43s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/03/2025, 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

merged.exe
Size

30.0MB
MD5

1828b02b97d21e257f5f31fba43c92e9
SHA1

35d8309d87dc1abab6f1c808f5753960cdc50c04
SHA256

dd68a4a8e4d269d9a785c02a5c8c65813007f8a0c2762a06e9069ff7f77739b0
SHA512

36370eaaf8af10fce118e929d12f21287ba1e2d8d777d09b2e5041cb1dd9ebce254935354f15a39b12f008c92ca29dc4a9e78992f26dc4b5d04a31104daa0a1c
SSDEEP

786432:imFxGF3khP1kGYJh5WcR0SGnCP+BuTAzEyI4EETn:iUGUPCJnWqDP+3f3j

Score

10^/10

asyncrat quasar default office04 discovery pyinstaller rat spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

102.41.58.213:5505

Mutex

1e97a2db-0622-4c39-84ac-2f640c70aaf5

Attributes

encryption_key
1F6CCF154B4C85A58D675CA9A482E9C7A041C879
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

197.48.105.157:5505

41.233.14.164:5505

197.48.230.161:5505

102.41.58.213:5505

Mutex

q0nJ1vo1fsSD

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016c89-44.dat	family_quasar
behavioral1/memory/2560-199-0x0000000000B30000-0x0000000000E54000-memory.dmp	family_quasar

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00330000000164de-15.dat	family_asyncrat

Executes dropped EXE 8 IoCs

pid	Process
2768	main.exe
2580	svchost.exe
2560	v2.exe
2068	Built.exe
2968	Built.exe
2188	main.exe
1156	Process not Found
1712	svchost.exe

Loads dropped DLL 9 IoCs

pid	Process
1780	merged.exe
1780	merged.exe
2068	Built.exe
2968	Built.exe
2768	main.exe
2188	main.exe
1156	Process not Found
1156	Process not Found
2456	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\svchost.exe	v2.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	v2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019a85-99.dat	upx
behavioral1/memory/2968-115-0x000007FEF5780000-0x000007FEF5DE4000-memory.dmp	upx
behavioral1/files/0x000500000001c780-195.dat	upx
behavioral1/memory/2188-197-0x000007FEF3D80000-0x000007FEF41EE000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000a0000000120f9-9.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2444	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1992	schtasks.exe
1396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2580	svchost.exe
2580	svchost.exe
2580	svchost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	v2.exe
Token: SeDebugPrivilege	2580	svchost.exe
Token: SeDebugPrivilege	1712	svchost.exe
Token: SeDebugPrivilege	1712	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 2768	1780	merged.exe	30
PID 1780 wrote to memory of 2768	1780	merged.exe	30
PID 1780 wrote to memory of 2768	1780	merged.exe	30
PID 1780 wrote to memory of 2580	1780	merged.exe	31
PID 1780 wrote to memory of 2580	1780	merged.exe	31
PID 1780 wrote to memory of 2580	1780	merged.exe	31
PID 1780 wrote to memory of 2580	1780	merged.exe	31
PID 1780 wrote to memory of 2560	1780	merged.exe	32
PID 1780 wrote to memory of 2560	1780	merged.exe	32
PID 1780 wrote to memory of 2560	1780	merged.exe	32
PID 1780 wrote to memory of 2068	1780	merged.exe	33
PID 1780 wrote to memory of 2068	1780	merged.exe	33
PID 1780 wrote to memory of 2068	1780	merged.exe	33
PID 2068 wrote to memory of 2968	2068	Built.exe	34
PID 2068 wrote to memory of 2968	2068	Built.exe	34
PID 2068 wrote to memory of 2968	2068	Built.exe	34
PID 2768 wrote to memory of 2188	2768	main.exe	35
PID 2768 wrote to memory of 2188	2768	main.exe	35
PID 2768 wrote to memory of 2188	2768	main.exe	35
PID 2560 wrote to memory of 1992	2560	v2.exe	36
PID 2560 wrote to memory of 1992	2560	v2.exe	36
PID 2560 wrote to memory of 1992	2560	v2.exe	36
PID 2580 wrote to memory of 1152	2580	svchost.exe	39
PID 2580 wrote to memory of 1152	2580	svchost.exe	39
PID 2580 wrote to memory of 1152	2580	svchost.exe	39
PID 2580 wrote to memory of 1152	2580	svchost.exe	39
PID 2580 wrote to memory of 2456	2580	svchost.exe	41
PID 2580 wrote to memory of 2456	2580	svchost.exe	41
PID 2580 wrote to memory of 2456	2580	svchost.exe	41
PID 2580 wrote to memory of 2456	2580	svchost.exe	41
PID 2456 wrote to memory of 2444	2456	cmd.exe	44
PID 2456 wrote to memory of 2444	2456	cmd.exe	44
PID 2456 wrote to memory of 2444	2456	cmd.exe	44
PID 2456 wrote to memory of 2444	2456	cmd.exe	44
PID 1152 wrote to memory of 1396	1152	cmd.exe	43
PID 1152 wrote to memory of 1396	1152	cmd.exe	43
PID 1152 wrote to memory of 1396	1152	cmd.exe	43
PID 1152 wrote to memory of 1396	1152	cmd.exe	43
PID 2456 wrote to memory of 1712	2456	cmd.exe	45
PID 2456 wrote to memory of 1712	2456	cmd.exe	45
PID 2456 wrote to memory of 1712	2456	cmd.exe	45
PID 2456 wrote to memory of 1712	2456	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\merged.exe
"C:\Users\Admin\AppData\Local\Temp\merged.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2188
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7C51.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2444
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1712
- C:\Users\Admin\AppData\Local\Temp\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\v2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1992
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.6MB

MD5
87955e082fa9276925d051fe0cf04374

SHA1
d913ea62f3a3de054005827146396354b9cf109c

SHA256
57c34ddd4dac10f0bd1298fb601622a83c29b682da1da865b6c3e75f7822778c

SHA512
6afce8e9ddc6a1dd410b4e0ccc948a47279a38827dccaff4c6e5e77c7c6a1822ac4f350b5109c172d14a293d2ba513a179c1ba03eba8e2fadfc37878792e4409

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20682\python313.dll

Filesize
1.8MB

MD5
2a4aad7818d527bbea76e9e81077cc21

SHA1
4db3b39874c01bf3ba1ab8659957bbc28aab1ab2

SHA256
4712a6bb81b862fc292fcd857cef931ca8e4c142e70eaa4fd7a8d0a96aff5e7e

SHA512
d10631b7fc25a8b9cc038514e9db1597cec0580ee34a56ce5cfc5a33e7010b5e1df7f15ec30ebb351356e2b815528fb4161956f26b5bfaf3dce7bc6701b79c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27682\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27682\setuptools-65.5.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
45KB

MD5
7a358df346afcd7c4202a27469d3bc3f

SHA1
721cba1692ce475b90bb07509e122bba225676d6

SHA256
49d72d7fc3ea35487f53feb6fb2b874ca43c441867b04e775c785e9c1637abad

SHA512
336bc9ff4526424296045a60298c1713d2818d4fea434cfefa8771215bc1ba82d814158b699ffa497247f5185ba56f24724626086eef14bf83e58deb5286684f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C51.tmp.bat

Filesize
151B

MD5
10ca5383a840d555492685c3416aa115

SHA1
d780931f1bdbf26c0a683770db4e5901657d11f2

SHA256
9f59cc7942c4d53f60039908a5c2aa66c8af2be73daa334a24a605a4e9cb54ac

SHA512
0912e4f53f6cc6160675eb47a5731a2bebc494bf53e9113a6c62b9c7f4774a22d0c209745b57d70666e2e3aa44364809e566f261e3119b43dec084cc31d708f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
3.1MB

MD5
44bf522a553e8fde9a377f75fde20442

SHA1
0f9cb72fe60c334f6aa0c6ae642f5d9867a4ff8e

SHA256
1467681b3b224b5447b70e54088ded2dd27ca04ea5f27f14dfe6ce8369ad73b7

SHA512
f72c59872ed8954d7ec4ab3e109c19bb7b2a750b1e7041a0aff9b38f0726d5bbaedc364f549a401c9f827d988521204f5c765ef286ff8d9d609ca4e1e5886879

Download Submit
\Users\Admin\AppData\Local\Temp\main.exe

Filesize
21.3MB

MD5
515af45a33fa20e3ca9c2dd8af26173a

SHA1
2808e1c0abbe4ceb5f6dbc28d3ae7324a4a916b4

SHA256
26e339ac703a76ffe511176ecd7cf51507ed1510fdb28bf5b43cde652cf133cb

SHA512
539a3eefef4d5514d6e04d5aa17aa143a985b6d80d7926eb8d2f0be279aeac05c47ab5693a6fcdbfd26ac8b57ae564b0f77c725300cdd94943804ab1469b7e90

Download Submit
memory/1712-363-0x00000000011D0000-0x00000000011E2000-memory.dmp

Filesize
72KB

Download
memory/2188-197-0x000007FEF3D80000-0x000007FEF41EE000-memory.dmp

Filesize
4.4MB

Download
memory/2560-199-0x0000000000B30000-0x0000000000E54000-memory.dmp

Filesize
3.1MB

Download
memory/2580-198-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2968-115-0x000007FEF5780000-0x000007FEF5DE4000-memory.dmp

Filesize
6.4MB

Download