asyncrat | dd68a4a8e4d269d9a785c02a5c8c65813007f8a0c2762a06e9069ff7f77739b0

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/03/2025, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe
Size

30.0MB
MD5

1828b02b97d21e257f5f31fba43c92e9
SHA1

35d8309d87dc1abab6f1c808f5753960cdc50c04
SHA256

dd68a4a8e4d269d9a785c02a5c8c65813007f8a0c2762a06e9069ff7f77739b0
SHA512

36370eaaf8af10fce118e929d12f21287ba1e2d8d777d09b2e5041cb1dd9ebce254935354f15a39b12f008c92ca29dc4a9e78992f26dc4b5d04a31104daa0a1c
SSDEEP

786432:imFxGF3khP1kGYJh5WcR0SGnCP+BuTAzEyI4EETn:iUGUPCJnWqDP+3f3j

Score

10^/10

asyncrat quasar default office04 discovery pyinstaller rat spyware trojan upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

197.48.105.157:5505

41.233.14.164:5505

197.48.230.161:5505

102.41.58.213:5505

Mutex

q0nJ1vo1fsSD

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

102.41.58.213:5505

Mutex

1e97a2db-0622-4c39-84ac-2f640c70aaf5

Attributes

encryption_key
1F6CCF154B4C85A58D675CA9A482E9C7A041C879
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000171a8-96.dat	family_quasar
behavioral1/memory/3056-200-0x00000000001E0000-0x0000000000504000-memory.dmp	family_quasar
behavioral1/memory/676-206-0x0000000000CD0000-0x0000000000FF4000-memory.dmp	family_quasar

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00070000000173a7-24.dat	family_asyncrat

Executes dropped EXE 9 IoCs

pid	Process
1644	main.exe
344	svchost.exe
3056	v2.exe
1528	main.exe
268	Built.exe
2312	Built.exe
676	svchost.exe
1200	Process not Found
2296	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe
1644	main.exe
2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe
1528	main.exe
268	Built.exe
2312	Built.exe
2064	cmd.exe
1200	Process not Found

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	svchost.exe
File created	C:\Windows\system32\SubDir\svchost.exe	v2.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	v2.exe
File opened for modification	C:\Windows\system32\SubDir	v2.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a520-170.dat	upx
behavioral1/memory/1528-180-0x000007FEF5810000-0x000007FEF5C7E000-memory.dmp	upx
behavioral1/files/0x000400000001cbc1-196.dat	upx
behavioral1/memory/2312-198-0x000007FEF3C10000-0x000007FEF4274000-memory.dmp	upx
behavioral1/memory/1528-221-0x000007FEF5810000-0x000007FEF5C7E000-memory.dmp	upx
behavioral1/memory/2312-223-0x000007FEF3C10000-0x000007FEF4274000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000e00000001227f-9.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2508	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2196	schtasks.exe
2104	schtasks.exe
2176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
344	svchost.exe
344	svchost.exe
344	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	v2.exe
Token: SeDebugPrivilege	676	svchost.exe
Token: SeDebugPrivilege	344	svchost.exe
Token: SeDebugPrivilege	2296	svchost.exe
Token: SeDebugPrivilege	2296	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
676	svchost.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1644	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	31
PID 2424 wrote to memory of 1644	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	31
PID 2424 wrote to memory of 1644	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	31
PID 2424 wrote to memory of 344	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	32
PID 2424 wrote to memory of 344	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	32
PID 2424 wrote to memory of 344	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	32
PID 2424 wrote to memory of 344	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	32
PID 2424 wrote to memory of 3056	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	33
PID 2424 wrote to memory of 3056	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	33
PID 2424 wrote to memory of 3056	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	33
PID 1644 wrote to memory of 1528	1644	main.exe	34
PID 1644 wrote to memory of 1528	1644	main.exe	34
PID 1644 wrote to memory of 1528	1644	main.exe	34
PID 2424 wrote to memory of 268	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	35
PID 2424 wrote to memory of 268	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	35
PID 2424 wrote to memory of 268	2424	2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe	35
PID 268 wrote to memory of 2312	268	Built.exe	36
PID 268 wrote to memory of 2312	268	Built.exe	36
PID 268 wrote to memory of 2312	268	Built.exe	36
PID 3056 wrote to memory of 2196	3056	v2.exe	37
PID 3056 wrote to memory of 2196	3056	v2.exe	37
PID 3056 wrote to memory of 2196	3056	v2.exe	37
PID 3056 wrote to memory of 676	3056	v2.exe	39
PID 3056 wrote to memory of 676	3056	v2.exe	39
PID 3056 wrote to memory of 676	3056	v2.exe	39
PID 676 wrote to memory of 2104	676	svchost.exe	40
PID 676 wrote to memory of 2104	676	svchost.exe	40
PID 676 wrote to memory of 2104	676	svchost.exe	40
PID 344 wrote to memory of 1780	344	svchost.exe	43
PID 344 wrote to memory of 1780	344	svchost.exe	43
PID 344 wrote to memory of 1780	344	svchost.exe	43
PID 344 wrote to memory of 1780	344	svchost.exe	43
PID 344 wrote to memory of 2064	344	svchost.exe	45
PID 344 wrote to memory of 2064	344	svchost.exe	45
PID 344 wrote to memory of 2064	344	svchost.exe	45
PID 344 wrote to memory of 2064	344	svchost.exe	45
PID 1780 wrote to memory of 2176	1780	cmd.exe	47
PID 1780 wrote to memory of 2176	1780	cmd.exe	47
PID 1780 wrote to memory of 2176	1780	cmd.exe	47
PID 1780 wrote to memory of 2176	1780	cmd.exe	47
PID 2064 wrote to memory of 2508	2064	cmd.exe	48
PID 2064 wrote to memory of 2508	2064	cmd.exe	48
PID 2064 wrote to memory of 2508	2064	cmd.exe	48
PID 2064 wrote to memory of 2508	2064	cmd.exe	48
PID 2064 wrote to memory of 2296	2064	cmd.exe	49
PID 2064 wrote to memory of 2296	2064	cmd.exe	49
PID 2064 wrote to memory of 2296	2064	cmd.exe	49
PID 2064 wrote to memory of 2296	2064	cmd.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_1828b02b97d21e257f5f31fba43c92e9_black-basta_cobalt-strike_satacom.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1528
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF3A2.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2508
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2296
- C:\Users\Admin\AppData\Local\Temp\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\v2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2196
- - C:\Windows\system32\SubDir\svchost.exe
    "C:\Windows\system32\SubDir\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2104
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.6MB

MD5
87955e082fa9276925d051fe0cf04374

SHA1
d913ea62f3a3de054005827146396354b9cf109c

SHA256
57c34ddd4dac10f0bd1298fb601622a83c29b682da1da865b6c3e75f7822778c

SHA512
6afce8e9ddc6a1dd410b4e0ccc948a47279a38827dccaff4c6e5e77c7c6a1822ac4f350b5109c172d14a293d2ba513a179c1ba03eba8e2fadfc37878792e4409

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI16442\setuptools-65.5.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2682\python313.dll

Filesize
1.8MB

MD5
2a4aad7818d527bbea76e9e81077cc21

SHA1
4db3b39874c01bf3ba1ab8659957bbc28aab1ab2

SHA256
4712a6bb81b862fc292fcd857cef931ca8e4c142e70eaa4fd7a8d0a96aff5e7e

SHA512
d10631b7fc25a8b9cc038514e9db1597cec0580ee34a56ce5cfc5a33e7010b5e1df7f15ec30ebb351356e2b815528fb4161956f26b5bfaf3dce7bc6701b79c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
45KB

MD5
7a358df346afcd7c4202a27469d3bc3f

SHA1
721cba1692ce475b90bb07509e122bba225676d6

SHA256
49d72d7fc3ea35487f53feb6fb2b874ca43c441867b04e775c785e9c1637abad

SHA512
336bc9ff4526424296045a60298c1713d2818d4fea434cfefa8771215bc1ba82d814158b699ffa497247f5185ba56f24724626086eef14bf83e58deb5286684f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3A2.tmp.bat

Filesize
151B

MD5
accdb9c74876e5e5e04feda5d540dfbe

SHA1
f972e93fde3fba60fc242ee2ef8d106ecbedcee3

SHA256
cc2a5d262f25ae6d719a8a0101012f913a6c7abe102f4db172749423f901a78b

SHA512
355e1049f2357874c21a076419b1009e13074dd32001bf828b940c82db1147ad24d5a20d673dca756ed370916c0b9b9f1863e459a6e545445e010e6e4694108a

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
3.1MB

MD5
44bf522a553e8fde9a377f75fde20442

SHA1
0f9cb72fe60c334f6aa0c6ae642f5d9867a4ff8e

SHA256
1467681b3b224b5447b70e54088ded2dd27ca04ea5f27f14dfe6ce8369ad73b7

SHA512
f72c59872ed8954d7ec4ab3e109c19bb7b2a750b1e7041a0aff9b38f0726d5bbaedc364f549a401c9f827d988521204f5c765ef286ff8d9d609ca4e1e5886879

Download Submit
\Users\Admin\AppData\Local\Temp\main.exe

Filesize
21.3MB

MD5
515af45a33fa20e3ca9c2dd8af26173a

SHA1
2808e1c0abbe4ceb5f6dbc28d3ae7324a4a916b4

SHA256
26e339ac703a76ffe511176ecd7cf51507ed1510fdb28bf5b43cde652cf133cb

SHA512
539a3eefef4d5514d6e04d5aa17aa143a985b6d80d7926eb8d2f0be279aeac05c47ab5693a6fcdbfd26ac8b57ae564b0f77c725300cdd94943804ab1469b7e90

Download Submit
memory/344-199-0x00000000011A0000-0x00000000011B2000-memory.dmp

Filesize
72KB

Download
memory/344-155-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

Filesize
4KB

Download
memory/676-206-0x0000000000CD0000-0x0000000000FF4000-memory.dmp

Filesize
3.1MB

Download
memory/1528-180-0x000007FEF5810000-0x000007FEF5C7E000-memory.dmp

Filesize
4.4MB

Download
memory/1528-221-0x000007FEF5810000-0x000007FEF5C7E000-memory.dmp

Filesize
4.4MB

Download
memory/2296-220-0x0000000000E20000-0x0000000000E32000-memory.dmp

Filesize
72KB

Download
memory/2312-198-0x000007FEF3C10000-0x000007FEF4274000-memory.dmp

Filesize
6.4MB

Download
memory/2312-223-0x000007FEF3C10000-0x000007FEF4274000-memory.dmp

Filesize
6.4MB

Download
memory/3056-200-0x00000000001E0000-0x0000000000504000-memory.dmp

Filesize
3.1MB

Download