Overview

overview

10

Static

static

10

AsyncClient.exe

windows10-2004-x64

AsyncClient.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    38s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/04/2025, 15:33

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    AsyncClient.exe

  • Size

    45KB

  • MD5

    9d2593f72d9e9fb74f6e3ad33d43384d

  • SHA1

    f249c1c871fcf3872458b3c59b3b71f27a55d8e3

  • SHA256

    58ef711fa31584a80ae7deb28920aacecd518d43d26b45a11b5d09797d04df5c

  • SHA512

    64ba71e5e6ea6bfee65683223e5c7f4741d1535eca67cd7265b4f82e5d7761626a7911ff446534f005d4e77c1063055807b7199685d9988bb57ccb41c8f82187

  • SSDEEP

    768:DuwpFTAY3IQWUe9jqmo2qLoKjPGaG6PIyzjbFgX3i8+Nwd1pZKNoSD0FABDZni:DuwpFTA4/2xKTkDy3bCXS3KpENi4dni

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

197.48.124.155:5505

Mutex

yntVTgixvhf0

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
    "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5780
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4988
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1660
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp77D0.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2708
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5772
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c Shutdown /s /f /t 00
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1772
          • C:\Windows\SysWOW64\shutdown.exe
            Shutdown /s /f /t 00
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:5568
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd8628dcf8,0x7ffd8628dd04,0x7ffd8628dd10
      2⤵
        PID:3184
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1944,i,15780432460144410047,16553984914871668514,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2032 /prefetch:2
        2⤵
          PID:5020
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1628,i,15780432460144410047,16553984914871668514,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2168 /prefetch:3
          2⤵
            PID:2884
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2432,i,15780432460144410047,16553984914871668514,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2592 /prefetch:8
            2⤵
              PID:6008
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,15780432460144410047,16553984914871668514,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3108 /prefetch:1
              2⤵
                PID:2520
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,15780432460144410047,16553984914871668514,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3264 /prefetch:1
                2⤵
                  PID:4800
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4288,i,15780432460144410047,16553984914871668514,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4308 /prefetch:2
                  2⤵
                    PID:2380
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4700,i,15780432460144410047,16553984914871668514,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4688 /prefetch:1
                    2⤵
                      PID:2916
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5412,i,15780432460144410047,16553984914871668514,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5420 /prefetch:8
                      2⤵
                        PID:5528
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5496,i,15780432460144410047,16553984914871668514,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5492 /prefetch:8
                        2⤵
                          PID:1204
                      • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                        1⤵
                          PID:1936
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                          1⤵
                            PID:3976
                          • C:\Windows\system32\LogonUI.exe
                            "LogonUI.exe" /flags:0x4 /state0:0xa3918055 /state1:0x41c64e6d
                            1⤵
                            • Modifies data under HKEY_USERS
                            • Suspicious use of SetWindowsHookEx
                            PID:4188

                          Network

                          MITRE ATT&CK Enterprise v16

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6b418a2f-415e-4b34-bf32-64c02537970c.tmp
                            Filesize

                            151KB

                            MD5

                            6bcc9867cee6e8006ccf2f4ebb2da1fc

                            SHA1

                            fc1932ba08d682520c0c497a5cde775acc60d797

                            SHA256

                            318da03c4c2e4353e4d924eb5f125b77895f0a642a9833e8a9ad98b89f687c0c

                            SHA512

                            da86b43a47654c447be6c38ccf3ad1f00e80ec8dfc7f8ace04f6b68e40e051172b9dc93e94b5a5d3232af78c0e3ed48784c6ec3a5a6626dbbbb6fbafd5dea126

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                            Filesize

                            649B

                            MD5

                            d83a161574c077213c5002838ab94c40

                            SHA1

                            6a6cbb4991892f43a324b4cadc310d142d78aea1

                            SHA256

                            1b52b2d4ea539e2a8cd4a4248ca95a74ef51670fc40ab0dea10316ed2d0a66f8

                            SHA512

                            0b128fb4c97313700070a52ac318a9b055abd43f462c1b390899da77eb6a5ad8022913ed404d4896ae4500ee1afd292f5548ab25793b269e19c7f5aecfd82d42

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                            Filesize

                            2B

                            MD5

                            d751713988987e9331980363e24189ce

                            SHA1

                            97d170e1550eee4afc0af065b78cda302a97674c

                            SHA256

                            4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                            SHA512

                            b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                            Filesize

                            10KB

                            MD5

                            ca41e2755518c5e4937ec83a3c74249d

                            SHA1

                            0f61cbd4cb92efa831ec922a4d56c6996c2ccb71

                            SHA256

                            94dd65bcb5aa00716f5e53e070a88249d7cb78bd4930e667db65b8df569bdfa7

                            SHA512

                            be008b72eecfd84f2836c573599de1cfcd241e4f1a28ac2fda248ce083e5709a20c6a515a0a8f403bdb7d36f13951b28ac415e4386a879d6e9e85c47842a9077

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                            Filesize

                            15KB

                            MD5

                            6093b56ccbcea5488c119b0ef11e3241

                            SHA1

                            a7b09e85a6e9096b26824b9d5a88ea9b779d562c

                            SHA256

                            6f49d12e114cdbf33a31243145c52e92ea2aede7606a24d7bd59fafb7704734a

                            SHA512

                            2368aba6e0e64def74fe559d7e0a2c757c40a292ebdf7ce59982e9e032e46b6a0a973828f52f1d65a66bd31097960735ad3dd25eb99de8958a78df25aa9ae74d

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                            Filesize

                            78KB

                            MD5

                            ac1a5e7cebc8daad1797ebe9579a168e

                            SHA1

                            a859d160bef1f659ed16619d9d22330f5d4d36d3

                            SHA256

                            c6f728b852da033e5b5c13f97f2b4aa2f00cd31b7a276300559379cd76a114c9

                            SHA512

                            669f3630eb75e7e55781493793d8640914b8e51d074978a7dfd07074517067913ef81bd5fb022b9db5ed87a70ad3d87d2bdb66901a70d37c927ab6258dd06190

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\tmp77D0.tmp.bat
                            Filesize

                            151B

                            MD5

                            932621698711a31985dc6f109c590f51

                            SHA1

                            4d855fa0300750f480143d2b3f7fa299acd22bee

                            SHA256

                            97dd8e129588aa2b7078b7c9519b593b62a9d13af51e6f2495f1635a78583f90

                            SHA512

                            2f74525c6a447f965ba3729e90593685f38aaea9ec808648c92b2ee4d9cdcfef61a6e9df833865aacbaba8129913a5192b5de05ed2593952771cb8781fa68815

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\svchost.exe
                            Filesize

                            45KB

                            MD5

                            9d2593f72d9e9fb74f6e3ad33d43384d

                            SHA1

                            f249c1c871fcf3872458b3c59b3b71f27a55d8e3

                            SHA256

                            58ef711fa31584a80ae7deb28920aacecd518d43d26b45a11b5d09797d04df5c

                            SHA512

                            64ba71e5e6ea6bfee65683223e5c7f4741d1535eca67cd7265b4f82e5d7761626a7911ff446534f005d4e77c1063055807b7199685d9988bb57ccb41c8f82187

                            Download Submit

                          • memory/5772-20-0x0000000007070000-0x00000000070D8000-memory.dmp

                            Filesize

                            416KB

                            Download

                          • memory/5772-17-0x0000000005D90000-0x0000000005DF6000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/5772-19-0x00000000070F0000-0x0000000007166000-memory.dmp

                            Filesize

                            472KB

                            Download

                          • memory/5772-16-0x0000000006640000-0x0000000006BE4000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/5772-21-0x00000000071D0000-0x00000000071EE000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/5772-22-0x00000000074E0000-0x0000000007572000-memory.dmp

                            Filesize

                            584KB

                            Download

                          • memory/5772-18-0x0000000075390000-0x0000000075B40000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/5772-104-0x0000000075390000-0x0000000075B40000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/5772-13-0x0000000075390000-0x0000000075B40000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/5772-84-0x00000000073D0000-0x0000000007434000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/5780-0-0x000000007539E000-0x000000007539F000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/5780-2-0x0000000075390000-0x0000000075B40000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/5780-1-0x0000000000C20000-0x0000000000C32000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/5780-9-0x0000000075390000-0x0000000075B40000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/5780-3-0x0000000005490000-0x000000000552C000-memory.dmp

                            Filesize

                            624KB

                            Download