asyncrat | 33f30f4d6e8cd97f6bf5a1224dbcaf7927c0745ddb867174806bd56ed1963ac3

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31/03/2025, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloads.exe
Size

1.6MB
MD5

5b932b7539c1c070a3c4bcc36b17ee76
SHA1

c97e12d44f6ba85e9f8de6c25c364ab70a583c41
SHA256

33f30f4d6e8cd97f6bf5a1224dbcaf7927c0745ddb867174806bd56ed1963ac3
SHA512

294f30708cc1f4f52300648fcc83e2de4a796434383c6121cf92fea2cbbdfe9746dcb7c23c64a907c78afe10a6ebb561ec81c84fa81e18dcdf8aff5d866f1dd2
SSDEEP

24576:jngHKYfXTkXy0Z0UplrOlyyXEwlKhgoCY9X8jOlC3rocE/0sED5cHI:zgqKIXzr7OMoBlKRCgvA5P

Score

10^/10

asyncrat quasar umbral default office04 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

102.41.58.213:5505

Mutex

1e97a2db-0622-4c39-84ac-2f640c70aaf5

Attributes

encryption_key
1F6CCF154B4C85A58D675CA9A482E9C7A041C879
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

197.48.105.157:5505

41.233.14.164:5505

197.48.230.161:5505

102.41.58.213:5505

Mutex

RW4mawavalFO

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000120fe-17.dat	family_umbral
behavioral1/memory/2836-35-0x00000000008B0000-0x00000000008F0000-memory.dmp	family_umbral

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000019cba-8.dat	family_quasar
behavioral1/memory/2884-36-0x0000000000F70000-0x0000000001294000-memory.dmp	family_quasar
behavioral1/memory/2240-44-0x00000000000B0000-0x00000000003D4000-memory.dmp	family_quasar

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000019c57-26.dat	family_asyncrat

Executes dropped EXE 5 IoCs

pid	Process
2884	v2.exe
2836	Umbral.exe
3060	svchost.exe
2240	svchost.exe
2780	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
316	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system32\SubDir	svchost.exe
File created	C:\Windows\system32\SubDir\svchost.exe	v2.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	v2.exe
File opened for modification	C:\Windows\system32\SubDir	v2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3028	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2764	schtasks.exe
1344	schtasks.exe
2428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3060	svchost.exe
3060	svchost.exe
3060	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	v2.exe
Token: SeDebugPrivilege	2836	Umbral.exe
Token: SeDebugPrivilege	2240	svchost.exe
Token: SeIncreaseQuotaPrivilege	2444	wmic.exe
Token: SeSecurityPrivilege	2444	wmic.exe
Token: SeTakeOwnershipPrivilege	2444	wmic.exe
Token: SeLoadDriverPrivilege	2444	wmic.exe
Token: SeSystemProfilePrivilege	2444	wmic.exe
Token: SeSystemtimePrivilege	2444	wmic.exe
Token: SeProfSingleProcessPrivilege	2444	wmic.exe
Token: SeIncBasePriorityPrivilege	2444	wmic.exe
Token: SeCreatePagefilePrivilege	2444	wmic.exe
Token: SeBackupPrivilege	2444	wmic.exe
Token: SeRestorePrivilege	2444	wmic.exe
Token: SeShutdownPrivilege	2444	wmic.exe
Token: SeDebugPrivilege	2444	wmic.exe
Token: SeSystemEnvironmentPrivilege	2444	wmic.exe
Token: SeRemoteShutdownPrivilege	2444	wmic.exe
Token: SeUndockPrivilege	2444	wmic.exe
Token: SeManageVolumePrivilege	2444	wmic.exe
Token: 33	2444	wmic.exe
Token: 34	2444	wmic.exe
Token: 35	2444	wmic.exe
Token: SeIncreaseQuotaPrivilege	2444	wmic.exe
Token: SeSecurityPrivilege	2444	wmic.exe
Token: SeTakeOwnershipPrivilege	2444	wmic.exe
Token: SeLoadDriverPrivilege	2444	wmic.exe
Token: SeSystemProfilePrivilege	2444	wmic.exe
Token: SeSystemtimePrivilege	2444	wmic.exe
Token: SeProfSingleProcessPrivilege	2444	wmic.exe
Token: SeIncBasePriorityPrivilege	2444	wmic.exe
Token: SeCreatePagefilePrivilege	2444	wmic.exe
Token: SeBackupPrivilege	2444	wmic.exe
Token: SeRestorePrivilege	2444	wmic.exe
Token: SeShutdownPrivilege	2444	wmic.exe
Token: SeDebugPrivilege	2444	wmic.exe
Token: SeSystemEnvironmentPrivilege	2444	wmic.exe
Token: SeRemoteShutdownPrivilege	2444	wmic.exe
Token: SeUndockPrivilege	2444	wmic.exe
Token: SeManageVolumePrivilege	2444	wmic.exe
Token: 33	2444	wmic.exe
Token: 34	2444	wmic.exe
Token: 35	2444	wmic.exe
Token: SeDebugPrivilege	3060	svchost.exe
Token: SeDebugPrivilege	2780	svchost.exe
Token: SeDebugPrivilege	2780	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2240	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2884	1704	Downloads.exe	30
PID 1704 wrote to memory of 2884	1704	Downloads.exe	30
PID 1704 wrote to memory of 2884	1704	Downloads.exe	30
PID 1704 wrote to memory of 2836	1704	Downloads.exe	31
PID 1704 wrote to memory of 2836	1704	Downloads.exe	31
PID 1704 wrote to memory of 2836	1704	Downloads.exe	31
PID 1704 wrote to memory of 3060	1704	Downloads.exe	32
PID 1704 wrote to memory of 3060	1704	Downloads.exe	32
PID 1704 wrote to memory of 3060	1704	Downloads.exe	32
PID 1704 wrote to memory of 3060	1704	Downloads.exe	32
PID 2884 wrote to memory of 2764	2884	v2.exe	33
PID 2884 wrote to memory of 2764	2884	v2.exe	33
PID 2884 wrote to memory of 2764	2884	v2.exe	33
PID 2884 wrote to memory of 2240	2884	v2.exe	35
PID 2884 wrote to memory of 2240	2884	v2.exe	35
PID 2884 wrote to memory of 2240	2884	v2.exe	35
PID 2240 wrote to memory of 1344	2240	svchost.exe	36
PID 2240 wrote to memory of 1344	2240	svchost.exe	36
PID 2240 wrote to memory of 1344	2240	svchost.exe	36
PID 2836 wrote to memory of 2444	2836	Umbral.exe	38
PID 2836 wrote to memory of 2444	2836	Umbral.exe	38
PID 2836 wrote to memory of 2444	2836	Umbral.exe	38
PID 3060 wrote to memory of 2960	3060	svchost.exe	41
PID 3060 wrote to memory of 2960	3060	svchost.exe	41
PID 3060 wrote to memory of 2960	3060	svchost.exe	41
PID 3060 wrote to memory of 2960	3060	svchost.exe	41
PID 3060 wrote to memory of 316	3060	svchost.exe	43
PID 3060 wrote to memory of 316	3060	svchost.exe	43
PID 3060 wrote to memory of 316	3060	svchost.exe	43
PID 3060 wrote to memory of 316	3060	svchost.exe	43
PID 2960 wrote to memory of 2428	2960	cmd.exe	45
PID 2960 wrote to memory of 2428	2960	cmd.exe	45
PID 2960 wrote to memory of 2428	2960	cmd.exe	45
PID 2960 wrote to memory of 2428	2960	cmd.exe	45
PID 316 wrote to memory of 3028	316	cmd.exe	46
PID 316 wrote to memory of 3028	316	cmd.exe	46
PID 316 wrote to memory of 3028	316	cmd.exe	46
PID 316 wrote to memory of 3028	316	cmd.exe	46
PID 316 wrote to memory of 2780	316	cmd.exe	47
PID 316 wrote to memory of 2780	316	cmd.exe	47
PID 316 wrote to memory of 2780	316	cmd.exe	47
PID 316 wrote to memory of 2780	316	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Downloads.exe
"C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\v2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2764
- - C:\Windows\system32\SubDir\svchost.exe
    "C:\Windows\system32\SubDir\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1344
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBB05.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3028
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
cb74e74c04357a7f8c0df2277c4248f0

SHA1
1bc3fedce9f5e6a71b7e493699cb3774b8042c18

SHA256
d1734e1266ee9ae362168458054123674211b0bd40ca93732114735886a12895

SHA512
c62322e61bcec1f2efe4736f73df73fd256c8a2361599b7c270521966cdba38a800a8f30b67748a06753c46904f470c087f748c85f1251ace0cab888e5b4af31

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
45KB

MD5
c4484c446e4151680918c3564a6e7eca

SHA1
ad142d75ffd178efbf556726392d69f735506466

SHA256
f4d8d8829ff73a9c12e508a6f37d8a2e97f8cd9673d2d471d2c9c7af843db3a0

SHA512
1726d8493d8897c8165c2e1aeee1df699e1cc3b42836345af0f9b4e486daaea679421f26908518d57bb5ca3c7ff7460c914233847719909119519fa9175de247

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB05.tmp.bat

Filesize
151B

MD5
4d37d7844ae91075d9b7c3d40412a082

SHA1
7c8b409fb22ff3febe9b918228c0deea5a0a10c2

SHA256
2c48cac85086c80b2608803b96ac67b35d8c396842c22f738367d101cf827e8f

SHA512
45d5711d5fe5e37567b60b384e5d4998ffe1639d1d91cab2826f014ddc00c36c1e48dc92e18fd2c05c603a12e5ec6185a16d156e1116e5a6240fb15ec9d5992e

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
3.1MB

MD5
44bf522a553e8fde9a377f75fde20442

SHA1
0f9cb72fe60c334f6aa0c6ae642f5d9867a4ff8e

SHA256
1467681b3b224b5447b70e54088ded2dd27ca04ea5f27f14dfe6ce8369ad73b7

SHA512
f72c59872ed8954d7ec4ab3e109c19bb7b2a750b1e7041a0aff9b38f0726d5bbaedc364f549a401c9f827d988521204f5c765ef286ff8d9d609ca4e1e5886879

Download Submit
memory/2240-44-0x00000000000B0000-0x00000000003D4000-memory.dmp

Filesize
3.1MB

Download
memory/2780-58-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/2836-34-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/2836-35-0x00000000008B0000-0x00000000008F0000-memory.dmp

Filesize
256KB

Download
memory/2884-36-0x0000000000F70000-0x0000000001294000-memory.dmp

Filesize
3.1MB

Download
memory/2884-38-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-45-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-37-0x0000000000D00000-0x0000000000D12000-memory.dmp

Filesize
72KB

Download