asyncrat | 71dc90514053977f36808a42189a5c732b3e61756af1ffac69053f0853c80e0c

General

Target

RimWorld.v1.5.4297.ALL.DLC.rar
Size

430.4MB
MD5

ac6ddbd9ebf7c1c5ca6aa6a6f28f80fd
SHA1

54e894eb2c16cc66f6a1f4fa98e326771163765d
SHA256

71dc90514053977f36808a42189a5c732b3e61756af1ffac69053f0853c80e0c
SHA512

1b6fea18a49831b6662acb0bfbf488f74eca2e6600f8883a03d16775ef585c7a74f4ab00f191bf84b128531ca28431b3193f9d061e972f7c81019ce4bdc2075c
SSDEEP

12582912:2cU/0hav0h/fWQlJKrFh3xXKI+EtRI5T2uXaS4:3U/10PKDxCiC5zXaS4

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000d00000002bcb3-3631.dat	family_asyncrat

Executes dropped EXE 4 IoCs

pid	Process
2108	RimWorldWin64.exe
5400	RimWorldWin64.exe
4888	RimWorldWin64.exe
5048	RimWorldWin64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4652	7zFM.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4652	7zFM.exe
Token: 35	4652	7zFM.exe
Token: SeSecurityPrivilege	4652	7zFM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4652	7zFM.exe
4652	7zFM.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 5400	2108	RimWorldWin64.exe	82
PID 2108 wrote to memory of 5400	2108	RimWorldWin64.exe	82
PID 4888 wrote to memory of 5048	4888	RimWorldWin64.exe	84
PID 4888 wrote to memory of 5048	4888	RimWorldWin64.exe	84

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RimWorld.v1.5.4297.ALL.DLC.rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3892

C:\Users\Admin\Downloads\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorldWin64.exe
"C:\Users\Admin\Downloads\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorldWin64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\RimWorldWin64.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RimWorldWin64.exe"
  2⤵
  - Executes dropped EXE
  PID:5400

C:\Users\Admin\Downloads\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorldWin64.exe
"C:\Users\Admin\Downloads\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorldWin64.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\RimWorldWin64.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RimWorldWin64.exe"
  2⤵
  - Executes dropped EXE
  PID:5048

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1164

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\0f165703-a173-4556-aa6c-d5f750cf3129.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AsyncClient.exe

Filesize
58KB

MD5
b7eab91b0d1a2313659388f659e03309

SHA1
90ed48e1d440b6ee76960a63a5429872b422c97b

SHA256
db2aa7ba7c99efb92fd3a32a3d44768bfd2d68e2fe0ae543656274d7d0fa5e3e

SHA512
cfd9ab52fded83871eee61e7a24d25f1aab7c8500d5114ee26d9ed7bf2e7d65dd4a8afa1e2a88e9e4267c2917c00f41c714931d35e18920f0b50a011b6ae8f92

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RimWorldWin64.exe

Filesize
635KB

MD5
817a479a52e13815268e175e11d26d6e

SHA1
97ddbc8fb6e7da2ddeaed3bd59632d1138fa94a5

SHA256
5dc887feb501a22bc1694c5d76846765b7f4ffb25141f7c148b21dd552e48399

SHA512
117285c5920c199080d75a858ba072f018c8a7fa40a5b9212b6cbea55eac591a0d7768e8f115bad80a9931deabedc7b853178baa8e07eaba4d34813f838f3fbe

Download Submit
C:\Users\Admin\Downloads\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\How to install Ideology.txt

Filesize
94B

MD5
0f9b9ddcca24de93b6e152b9d6e4c57c

SHA1
f58a19d45ecfb8a81b77c275ff7169cc5c37e00e

SHA256
4278c6f41ef72f33a1a39f877c88dba266d08d2ef3daf5e053b7ad0ee67034bd

SHA512
dbde5120bb8662dd88256246a14e6e4c05ed67590e6e7eeac0b8d3ff8f5e329d3552b1c13a9956dbb08a47e1e06048aaaa38468bafc35f0b318720bee9633c92

Download Submit
C:\Users\Admin\Downloads\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\MonoBleedingEdge\etc\mono\4.5\Browsers\Compat.browser

Filesize
1KB

MD5
0d831c1264b5b32a39fa347de368fe48

SHA1
187dff516f9448e63ea5078190b3347922c4b3eb

SHA256
8a1082057ac5681dcd4e9c227ed7fb8eb42ac1618963b5de3b65739dd77e2741

SHA512
4b7549eda1f8ed2c4533d056b62ca5030445393f9c6003e5ee47301ff7f44b4bd5022b74d54f571aa890b6e4593c6eded1a881500ac5ba2a720dc0ff280300af

Download Submit
C:\Users\Admin\Downloads\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\MonoBleedingEdge\etc\mono\4.5\DefaultWsdlHelpGenerator.aspx

Filesize
59KB

MD5
f7be9f1841ff92f9d4040aed832e0c79

SHA1
b3e4b508aab3cf201c06892713b43ddb0c43b7ae

SHA256
751861040b69ea63a3827507b7c8da9c7f549dc181c1c8af4b7ca78cc97d710a

SHA512
380e97f7c17ee0fdf6177ed65f6e30de662a33a8a727d9f1874e9f26bd573434c3dedd655b47a21b998d32aaa72a0566df37e901fd6c618854039d5e0cbef3f5

Download Submit
C:\Users\Admin\Downloads\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorld.v1.5.4297.ALL.DLC\RimWorldWin64.exe

Filesize
1.1MB

MD5
8246dc90d357ec1b731f6c03be307f8b

SHA1
251ea4514209d67fa9f94a12a9349f3fe78180e8

SHA256
9a0247e19faf225e59ac81018cea0ee87c94c41cf9231d6972478b5603b58df1

SHA512
42d6827e9023082e061248d78734b6f3289037bd158ebfec68abd324b2d5ab1ad92670a52980987ab9c401725c42811d33949e0b25e4d3e37087a3479867d6a2

Download Submit

Analysis

Sharing