asyncrat | 4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664

General

Target

4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
Size

158KB
MD5

eb756258e1322cd4b060dcdfc085ebe7
SHA1

b759aa7f5e5bec72de79285807abc2a70edfc6b4
SHA256

4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664
SHA512

45e1c54e3b58bac98d1419f861fedeabc6492f749b3b3a33ea29f6b909980717b08fa7eaffa58b89325e4104ece0188195e8ec969dca8aad193ba6dae1a7f74d
SSDEEP

3072:XTXjVWYUbX3ThRwQTY7/s2uxw6XnZOQ6PGy1vIowkWh9TAHec8MUO/z:ULbHluQk/sFxNpOQ+dbwXvvc8Vu

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:2284

127.0.0.1:44844

boards-essential.gl.at.ply.gg:2284

boards-essential.gl.at.ply.gg:44844

Attributes

delay
1
install
true
install_file
Svhost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x001d00000002b252-11.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1324	Svhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2164	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
Token: SeDebugPrivilege	1324	Svhost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 5012	2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe	78
PID 2360 wrote to memory of 5012	2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe	78
PID 2360 wrote to memory of 3360	2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe	80
PID 2360 wrote to memory of 3360	2360	4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe	80
PID 5012 wrote to memory of 1224	5012	cmd.exe	82
PID 5012 wrote to memory of 1224	5012	cmd.exe	82
PID 3360 wrote to memory of 2164	3360	cmd.exe	83
PID 3360 wrote to memory of 2164	3360	cmd.exe	83
PID 3360 wrote to memory of 1324	3360	cmd.exe	84
PID 3360 wrote to memory of 1324	3360	cmd.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe
"C:\Users\Admin\AppData\Local\Temp\4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svhost" /tr '"C:\Users\Admin\AppData\Roaming\Svhost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Svhost" /tr '"C:\Users\Admin\AppData\Roaming\Svhost.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F90.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2164
- - C:\Users\Admin\AppData\Roaming\Svhost.exe
    "C:\Users\Admin\AppData\Roaming\Svhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1324

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7F90.tmp.bat

Filesize
150B

MD5
639791a1a4a2f3089607ac2c76cac78d

SHA1
07641a6c919babf829b9add25c3f290558bc35ed

SHA256
4dfd56f38a8d081ceab5beb24d2d9dfde54fdab6edf68f689cb8f2a0d0c76f54

SHA512
bb110381e7b0650e0491350f915df9442bac84a16d4dfb421246d4db77df5ee618585076c370d352836fe032371b917c2df1d1d7427491a4b09fc0e7b8b14970

Download Submit
C:\Users\Admin\AppData\Roaming\Svhost.exe

Filesize
158KB

MD5
eb756258e1322cd4b060dcdfc085ebe7

SHA1
b759aa7f5e5bec72de79285807abc2a70edfc6b4

SHA256
4f213ab47d27a65804ea21290d330c85037124e9b7f77f03cde447b9db7b2664

SHA512
45e1c54e3b58bac98d1419f861fedeabc6492f749b3b3a33ea29f6b909980717b08fa7eaffa58b89325e4104ece0188195e8ec969dca8aad193ba6dae1a7f74d

Download Submit
memory/2360-0-0x00007FFF37713000-0x00007FFF37715000-memory.dmp

Filesize
8KB

Download
memory/2360-1-0x00000000004B0000-0x00000000004DE000-memory.dmp

Filesize
184KB

Download
memory/2360-2-0x00007FFF37710000-0x00007FFF381D2000-memory.dmp

Filesize
10.8MB

Download
memory/2360-3-0x00007FFF37710000-0x00007FFF381D2000-memory.dmp

Filesize
10.8MB

Download
memory/2360-8-0x00007FFF37710000-0x00007FFF381D2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads