asyncrat | 1942639c541470539b15b8fea26b1a02b2182ced0f42f22af143c5170bb01cc6

Analysis

max time kernel
140s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/03/2025, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe
Size

30.0MB
MD5

ec06a1b0ea6f4debdc9778b59b63ec30
SHA1

9d40cf615c4d9f4c21b892fa5506a8f852cb3e1d
SHA256

1942639c541470539b15b8fea26b1a02b2182ced0f42f22af143c5170bb01cc6
SHA512

d62b9c59d933cda1879fd00d997deb60b952c1573d385638306ecdfdb8604aae56fcc0437566818b688fa694769948b4b8cadcb33e7bce98e69f15f753d973b6
SSDEEP

786432:zuTAzEyI4EETMmFxGF3khP1kGYJh5WcR0SGnCP+W:Rf3QUGUPCJnWqDP+W

Score

10^/10

asyncrat quasar default office04 discovery pyinstaller rat spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

102.41.58.213:5505

Mutex

1e97a2db-0622-4c39-84ac-2f640c70aaf5

Attributes

encryption_key
1F6CCF154B4C85A58D675CA9A482E9C7A041C879
install_name
svchost.exe
log_directory
Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

197.48.105.157:5505

41.233.14.164:5505

197.48.230.161:5505

102.41.58.213:5505

Mutex

q0nJ1vo1fsSD

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0004000000012000-20.dat	family_quasar
behavioral1/memory/2712-70-0x0000000000DF0000-0x0000000001114000-memory.dmp	family_quasar
behavioral1/memory/1000-216-0x0000000001380000-0x00000000016A4000-memory.dmp	family_quasar

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00370000000193e1-29.dat	family_asyncrat

Executes dropped EXE 8 IoCs

pid	Process
2712	v2.exe
2556	svchost.exe
3012	Built.exe
2904	Built.exe
2380	main.exe
1388	main.exe
1000	svchost.exe
1732	svchost.exe

Loads dropped DLL 10 IoCs

pid	Process
2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe
3012	Built.exe
2904	Built.exe
2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe
2380	main.exe
1388	main.exe
1196	Process not Found
2316	cmd.exe
1196	Process not Found
1196	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\SubDir\svchost.exe	v2.exe
File opened for modification	C:\Windows\system32\SubDir\svchost.exe	v2.exe
File opened for modification	C:\Windows\system32\SubDir	v2.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019dc0-68.dat	upx
behavioral1/memory/2904-71-0x000007FEF2550000-0x000007FEF2BB4000-memory.dmp	upx
behavioral1/files/0x000500000001c8f1-208.dat	upx
behavioral1/memory/1388-210-0x000007FEF1DC0000-0x000007FEF222E000-memory.dmp	upx
behavioral1/memory/2904-231-0x000007FEF2550000-0x000007FEF2BB4000-memory.dmp	upx
behavioral1/memory/1388-233-0x000007FEF1DC0000-0x000007FEF222E000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0006000000019582-74.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
708	timeout.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2496	schtasks.exe
2984	schtasks.exe
2304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	v2.exe
Token: SeDebugPrivilege	1000	svchost.exe
Token: SeDebugPrivilege	2556	svchost.exe
Token: SeDebugPrivilege	1732	svchost.exe
Token: SeDebugPrivilege	1732	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe
2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe
1000	svchost.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2712	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	30
PID 2228 wrote to memory of 2712	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	30
PID 2228 wrote to memory of 2712	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	30
PID 2228 wrote to memory of 2556	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	31
PID 2228 wrote to memory of 2556	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	31
PID 2228 wrote to memory of 2556	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	31
PID 2228 wrote to memory of 2556	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	31
PID 2228 wrote to memory of 3012	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	32
PID 2228 wrote to memory of 3012	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	32
PID 2228 wrote to memory of 3012	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	32
PID 3012 wrote to memory of 2904	3012	Built.exe	33
PID 3012 wrote to memory of 2904	3012	Built.exe	33
PID 3012 wrote to memory of 2904	3012	Built.exe	33
PID 2228 wrote to memory of 2380	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	34
PID 2228 wrote to memory of 2380	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	34
PID 2228 wrote to memory of 2380	2228	2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe	34
PID 2380 wrote to memory of 1388	2380	main.exe	35
PID 2380 wrote to memory of 1388	2380	main.exe	35
PID 2380 wrote to memory of 1388	2380	main.exe	35
PID 2712 wrote to memory of 2496	2712	v2.exe	36
PID 2712 wrote to memory of 2496	2712	v2.exe	36
PID 2712 wrote to memory of 2496	2712	v2.exe	36
PID 2712 wrote to memory of 1000	2712	v2.exe	38
PID 2712 wrote to memory of 1000	2712	v2.exe	38
PID 2712 wrote to memory of 1000	2712	v2.exe	38
PID 1000 wrote to memory of 2984	1000	svchost.exe	39
PID 1000 wrote to memory of 2984	1000	svchost.exe	39
PID 1000 wrote to memory of 2984	1000	svchost.exe	39
PID 2556 wrote to memory of 1584	2556	svchost.exe	42
PID 2556 wrote to memory of 1584	2556	svchost.exe	42
PID 2556 wrote to memory of 1584	2556	svchost.exe	42
PID 2556 wrote to memory of 1584	2556	svchost.exe	42
PID 2556 wrote to memory of 2316	2556	svchost.exe	44
PID 2556 wrote to memory of 2316	2556	svchost.exe	44
PID 2556 wrote to memory of 2316	2556	svchost.exe	44
PID 2556 wrote to memory of 2316	2556	svchost.exe	44
PID 1584 wrote to memory of 2304	1584	cmd.exe	46
PID 1584 wrote to memory of 2304	1584	cmd.exe	46
PID 1584 wrote to memory of 2304	1584	cmd.exe	46
PID 1584 wrote to memory of 2304	1584	cmd.exe	46
PID 2316 wrote to memory of 708	2316	cmd.exe	47
PID 2316 wrote to memory of 708	2316	cmd.exe	47
PID 2316 wrote to memory of 708	2316	cmd.exe	47
PID 2316 wrote to memory of 708	2316	cmd.exe	47
PID 2316 wrote to memory of 1732	2316	cmd.exe	48
PID 2316 wrote to memory of 1732	2316	cmd.exe	48
PID 2316 wrote to memory of 1732	2316	cmd.exe	48
PID 2316 wrote to memory of 1732	2316	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-31_ec06a1b0ea6f4debdc9778b59b63ec30_black-basta_cobalt-strike_satacom.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\v2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2496
- - C:\Windows\system32\SubDir\svchost.exe
    "C:\Windows\system32\SubDir\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\system32\SubDir\svchost.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2984
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp450C.tmp.bat""
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:708
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1732
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2904
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.6MB

MD5
87955e082fa9276925d051fe0cf04374

SHA1
d913ea62f3a3de054005827146396354b9cf109c

SHA256
57c34ddd4dac10f0bd1298fb601622a83c29b682da1da865b6c3e75f7822778c

SHA512
6afce8e9ddc6a1dd410b4e0ccc948a47279a38827dccaff4c6e5e77c7c6a1822ac4f350b5109c172d14a293d2ba513a179c1ba03eba8e2fadfc37878792e4409

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23802\setuptools-65.5.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30122\python313.dll

Filesize
1.8MB

MD5
2a4aad7818d527bbea76e9e81077cc21

SHA1
4db3b39874c01bf3ba1ab8659957bbc28aab1ab2

SHA256
4712a6bb81b862fc292fcd857cef931ca8e4c142e70eaa4fd7a8d0a96aff5e7e

SHA512
d10631b7fc25a8b9cc038514e9db1597cec0580ee34a56ce5cfc5a33e7010b5e1df7f15ec30ebb351356e2b815528fb4161956f26b5bfaf3dce7bc6701b79c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\main.exe

Filesize
21.3MB

MD5
515af45a33fa20e3ca9c2dd8af26173a

SHA1
2808e1c0abbe4ceb5f6dbc28d3ae7324a4a916b4

SHA256
26e339ac703a76ffe511176ecd7cf51507ed1510fdb28bf5b43cde652cf133cb

SHA512
539a3eefef4d5514d6e04d5aa17aa143a985b6d80d7926eb8d2f0be279aeac05c47ab5693a6fcdbfd26ac8b57ae564b0f77c725300cdd94943804ab1469b7e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
45KB

MD5
7a358df346afcd7c4202a27469d3bc3f

SHA1
721cba1692ce475b90bb07509e122bba225676d6

SHA256
49d72d7fc3ea35487f53feb6fb2b874ca43c441867b04e775c785e9c1637abad

SHA512
336bc9ff4526424296045a60298c1713d2818d4fea434cfefa8771215bc1ba82d814158b699ffa497247f5185ba56f24724626086eef14bf83e58deb5286684f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp450C.tmp.bat

Filesize
151B

MD5
526e99d29a9dc25033d1b9ebbb036238

SHA1
e33f6bdedb334d644ede90349e2cfd1604e95c64

SHA256
5f936d4cf9028a72e126c438c08f318f4212db26d7cfbc2ad8224b09eae26443

SHA512
d89a143d0f12ad76830cfa16a232eb80015630fcf746c911b11483019719e06224aace2d8370e706f77e1a73fa03e28ce01f914e0e568760cf71d5aa7110e99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
3.1MB

MD5
44bf522a553e8fde9a377f75fde20442

SHA1
0f9cb72fe60c334f6aa0c6ae642f5d9867a4ff8e

SHA256
1467681b3b224b5447b70e54088ded2dd27ca04ea5f27f14dfe6ce8369ad73b7

SHA512
f72c59872ed8954d7ec4ab3e109c19bb7b2a750b1e7041a0aff9b38f0726d5bbaedc364f549a401c9f827d988521204f5c765ef286ff8d9d609ca4e1e5886879

Download Submit
memory/1000-216-0x0000000001380000-0x00000000016A4000-memory.dmp

Filesize
3.1MB

Download
memory/1388-210-0x000007FEF1DC0000-0x000007FEF222E000-memory.dmp

Filesize
4.4MB

Download
memory/1388-233-0x000007FEF1DC0000-0x000007FEF222E000-memory.dmp

Filesize
4.4MB

Download
memory/1732-230-0x00000000000C0000-0x00000000000D2000-memory.dmp

Filesize
72KB

Download
memory/2556-125-0x0000000000C50000-0x0000000000C62000-memory.dmp

Filesize
72KB

Download
memory/2712-70-0x0000000000DF0000-0x0000000001114000-memory.dmp

Filesize
3.1MB

Download
memory/2712-35-0x000007FEF4253000-0x000007FEF4254000-memory.dmp

Filesize
4KB

Download
memory/2904-71-0x000007FEF2550000-0x000007FEF2BB4000-memory.dmp

Filesize
6.4MB

Download
memory/2904-231-0x000007FEF2550000-0x000007FEF2BB4000-memory.dmp

Filesize
6.4MB

Download