asyncrat | 7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455

Analysis

max time kernel
60s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2025, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe
Size

1.3MB
MD5

b2176882f0392c4bf65d78beca48cb93
SHA1

30b824d0c169dd45272abb85e03573d19acbb416
SHA256

7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455
SHA512

54b3bacc09848691c9b9f011d33e8e769673b49454bec3c546f86e353524831af72920f6b0ac66356e2b551957a6e304d480e7c256c9e1e2f22f9dba5ed4b013
SSDEEP

24576:2YVxlmFfqq4BNH8Ar3MVFGEkBvSbaliqOpr:txIWpRMV8PNxUr

Score

10^/10

asyncrat default defense_evasion discovery rat upx

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6666

127.0.0.1:30496

147.185.221.26:6666

147.185.221.26:30496

Attributes

delay
2
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000d000000023f50-14.dat	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	Discord.exe

Executes dropped EXE 3 IoCs

pid	Process
4732	GH Injector - x64.exe
4572	Discord.exe
5972	Discord.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/4732-79-0x00007FF79EDE0000-0x00007FF79EFE8000-memory.dmp	autoit_exe
behavioral1/memory/4732-80-0x00007FF79EDE0000-0x00007FF79EFE8000-memory.dmp	autoit_exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e000000023f4a-4.dat	upx
behavioral1/memory/4732-19-0x00007FF79EDE0000-0x00007FF79EFE8000-memory.dmp	upx
behavioral1/memory/4732-79-0x00007FF79EDE0000-0x00007FF79EFE8000-memory.dmp	upx
behavioral1/memory/4732-80-0x00007FF79EDE0000-0x00007FF79EFE8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
5304	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4728	powershell.exe
4728	powershell.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
4572	Discord.exe
5972	Discord.exe
5972	Discord.exe
5972	Discord.exe
5972	Discord.exe
5972	Discord.exe
5972	Discord.exe
5972	Discord.exe
5972	Discord.exe
5972	Discord.exe
5972	Discord.exe
5972	Discord.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4572	Discord.exe
Token: SeDebugPrivilege	4572	Discord.exe
Token: SeDebugPrivilege	5972	Discord.exe
Token: SeDebugPrivilege	5972	Discord.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 4728	532	7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe	90
PID 532 wrote to memory of 4728	532	7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe	90
PID 532 wrote to memory of 4728	532	7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe	90
PID 532 wrote to memory of 4732	532	7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe	92
PID 532 wrote to memory of 4732	532	7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe	92
PID 532 wrote to memory of 4572	532	7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe	93
PID 532 wrote to memory of 4572	532	7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe	93
PID 4572 wrote to memory of 4696	4572	Discord.exe	97
PID 4572 wrote to memory of 4696	4572	Discord.exe	97
PID 4572 wrote to memory of 3952	4572	Discord.exe	99
PID 4572 wrote to memory of 3952	4572	Discord.exe	99
PID 4696 wrote to memory of 2744	4696	cmd.exe	101
PID 4696 wrote to memory of 2744	4696	cmd.exe	101
PID 3952 wrote to memory of 5304	3952	cmd.exe	102
PID 3952 wrote to memory of 5304	3952	cmd.exe	102
PID 3952 wrote to memory of 5972	3952	cmd.exe	104
PID 3952 wrote to memory of 5972	3952	cmd.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe
"C:\Users\Admin\AppData\Local\Temp\7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAZABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAYgB0ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\GH Injector - x64.exe
  "C:\Users\Admin\AppData\Local\Temp\GH Injector - x64.exe"
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Users\Admin\AppData\Local\Temp\Discord.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5AC2.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5304
  - - C:\Users\Admin\AppData\Roaming\Discord.exe
      "C:\Users\Admin\AppData\Roaming\Discord.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5972

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Discord.exe.log

Filesize
871B

MD5
d58f949aad7df2e7b55248bfdfc6e1b8

SHA1
6713cad396b5808b66ede2dd9b169e00d5e5018f

SHA256
5e1611e4d915fd9759825811fa4463f09172889f85889a2942be1561948fab8a

SHA512
bdddb838108c4f3f0a7737703cbde935fe26aaea97459bb099c4c773c0789997283d7f20ac7ea4ac2aedef23515afc0b251b5b461aa12d3b7a60846b87b26e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord.exe

Filesize
342KB

MD5
11bca33947e3a77ec9dd7250805192b4

SHA1
c7b4ccbcc1ade9b5a484fca7399cb383bb3d4ea0

SHA256
dc860dd5a4ee1c7a3a3b4e6dbb77be0a3228bb4def6feac7953df212ab5bd519

SHA512
73cdc8ecad08f1687a7afc8feab85a3de0ea9d88e139ad80bc6fe5b488b40c3ad04ff419d04275fcb8c7f5fba05005ab37ef8d638093e66085801fa1022326b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GH Injector - x64.exe

Filesize
927KB

MD5
fac188061068468b413905c05ffe4a2e

SHA1
bc5159c4a2aabc8b138fd28da099c5c6e4e87c86

SHA256
16ac233c0be5784cf4b3bb0b3c94a9732609c6725d3982736280f04195d5304a

SHA512
3750a9e46d0d43e95e2369996661bc0c82511242c79d2aacd4e09455bba3abb8fa6eaf51880875d75cb920543108a5c8c8ebf6c0ea4fcf05a99eb40a6dd2357b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zm2yevwl.gp0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5AC2.tmp.bat

Filesize
151B

MD5
2acc51be464096d13c9c098f5475545b

SHA1
48b075d287960235783fe2a252d29a3ad6023ee1

SHA256
8b99a6b527140fd51c7d0edaea76dea978bf2583714fabc380c9f79e1c71097f

SHA512
555dfafb6a3cf5c8866944d2c6c5db0037c2530b31f9294e1beaf227c58dc8bc1dea356c9ecf14701ce0731d84aedf207eae52afff603ab9a298b28dab808f51

Download Submit
memory/4572-24-0x0000000000080000-0x00000000000DC000-memory.dmp

Filesize
368KB

Download
memory/4572-22-0x00007FFEEFD93000-0x00007FFEEFD95000-memory.dmp

Filesize
8KB

Download
memory/4728-28-0x0000000005C00000-0x0000000006228000-memory.dmp

Filesize
6.2MB

Download
memory/4728-57-0x0000000007B50000-0x0000000007BF3000-memory.dmp

Filesize
652KB

Download
memory/4728-29-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4728-30-0x00000000059A0000-0x00000000059C2000-memory.dmp

Filesize
136KB

Download
memory/4728-32-0x0000000006310000-0x0000000006376000-memory.dmp

Filesize
408KB

Download
memory/4728-31-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/4728-26-0x0000000003350000-0x0000000003386000-memory.dmp

Filesize
216KB

Download
memory/4728-42-0x0000000006380000-0x00000000066D4000-memory.dmp

Filesize
3.3MB

Download
memory/4728-43-0x0000000006940000-0x000000000695E000-memory.dmp

Filesize
120KB

Download
memory/4728-44-0x0000000006980000-0x00000000069CC000-memory.dmp

Filesize
304KB

Download
memory/4728-45-0x0000000006F10000-0x0000000006F42000-memory.dmp

Filesize
200KB

Download
memory/4728-46-0x0000000070E80000-0x0000000070ECC000-memory.dmp

Filesize
304KB

Download
memory/4728-56-0x0000000007B30000-0x0000000007B4E000-memory.dmp

Filesize
120KB

Download
memory/4728-27-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4728-58-0x00000000082C0000-0x000000000893A000-memory.dmp

Filesize
6.5MB

Download
memory/4728-59-0x00000000056D0000-0x00000000056EA000-memory.dmp

Filesize
104KB

Download
memory/4728-60-0x0000000007D10000-0x0000000007D1A000-memory.dmp

Filesize
40KB

Download
memory/4728-25-0x000000007506E000-0x000000007506F000-memory.dmp

Filesize
4KB

Download
memory/4728-66-0x0000000007F20000-0x0000000007FB6000-memory.dmp

Filesize
600KB

Download
memory/4728-67-0x0000000007E90000-0x0000000007EA1000-memory.dmp

Filesize
68KB

Download
memory/4728-68-0x0000000007ED0000-0x0000000007EDE000-memory.dmp

Filesize
56KB

Download
memory/4728-69-0x0000000007EE0000-0x0000000007EF4000-memory.dmp

Filesize
80KB

Download
memory/4728-70-0x0000000007FC0000-0x0000000007FDA000-memory.dmp

Filesize
104KB

Download
memory/4728-71-0x0000000007F10000-0x0000000007F18000-memory.dmp

Filesize
32KB

Download
memory/4728-74-0x0000000075060000-0x0000000075810000-memory.dmp

Filesize
7.7MB

Download
memory/4732-19-0x00007FF79EDE0000-0x00007FF79EFE8000-memory.dmp

Filesize
2.0MB

Download
memory/4732-79-0x00007FF79EDE0000-0x00007FF79EFE8000-memory.dmp

Filesize
2.0MB

Download
memory/4732-80-0x00007FF79EDE0000-0x00007FF79EFE8000-memory.dmp

Filesize
2.0MB

Download