asyncrat | 2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761

General

Target

2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe
Size

1.1MB
MD5

437b89f58e88118121d76c3880c876a0
SHA1

89ee110065073b4ab9f58d48687a73637648af62
SHA256

2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761
SHA512

e69c81a6ce5a0bddad6ae06be8ca75e5205f3c13b5839c0433231dde23091bbbd8977442cb0284d76701a6a005716f755f4ddb1f2d51cc30de8a54739c7f887e
SSDEEP

24576:GpWSsqIyFmGZXUvGX8CNuc1kQypx97xKd8:iWmkGZEO71kQypx97xm

Score

10^/10

asyncrat default discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

carolina-candles.gl.at.ply.gg:34316

Mutex

HKFTYhn7m3AO

Attributes

delay
3
install
true
install_file
Svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Executes dropped EXE 2 IoCs

pid	Process
4948	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe
4576	Svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\666999666 = "C:\\Users\\Admin\\AppData\\Local\\2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe"	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3872 set thread context of 3824	3872	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe	97

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4704	4948	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Svchost.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3632	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe
3824	jsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3872	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe
Token: SeDebugPrivilege	4948	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe
Token: SeDebugPrivilege	3824	jsc.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 3824	3872	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe	97
PID 3872 wrote to memory of 3824	3872	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe	97
PID 3872 wrote to memory of 3824	3872	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe	97
PID 3872 wrote to memory of 3824	3872	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe	97
PID 3872 wrote to memory of 3824	3872	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe	97
PID 3872 wrote to memory of 3824	3872	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe	97
PID 3872 wrote to memory of 3824	3872	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe	97
PID 3872 wrote to memory of 3824	3872	2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe	97
PID 408 wrote to memory of 4948	408	cmd.exe	98
PID 408 wrote to memory of 4948	408	cmd.exe	98
PID 408 wrote to memory of 4948	408	cmd.exe	98
PID 3824 wrote to memory of 4356	3824	jsc.exe	100
PID 3824 wrote to memory of 4356	3824	jsc.exe	100
PID 3824 wrote to memory of 4356	3824	jsc.exe	100
PID 3824 wrote to memory of 3564	3824	jsc.exe	102
PID 3824 wrote to memory of 3564	3824	jsc.exe	102
PID 3824 wrote to memory of 3564	3824	jsc.exe	102
PID 3564 wrote to memory of 3632	3564	cmd.exe	104
PID 3564 wrote to memory of 3632	3564	cmd.exe	104
PID 3564 wrote to memory of 3632	3564	cmd.exe	104
PID 4356 wrote to memory of 4680	4356	cmd.exe	105
PID 4356 wrote to memory of 4680	4356	cmd.exe	105
PID 4356 wrote to memory of 4680	4356	cmd.exe	105
PID 3564 wrote to memory of 4576	3564	cmd.exe	106
PID 3564 wrote to memory of 4576	3564	cmd.exe	106
PID 3564 wrote to memory of 4576	3564	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe
"C:\Users\Admin\AppData\Local\Temp\2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Svchost" /tr '"C:\Users\Admin\AppData\Roaming\Svchost.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBBDE.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3632
  - - C:\Users\Admin\AppData\Roaming\Svchost.exe
      "C:\Users\Admin\AppData\Roaming\Svchost.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Local\2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe
  C:\Users\Admin\AppData\Local\2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 804
    3⤵
    - Program crash
    PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4948 -ip 4948
1⤵
PID:1080

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe

Filesize
1.1MB

MD5
437b89f58e88118121d76c3880c876a0

SHA1
89ee110065073b4ab9f58d48687a73637648af62

SHA256
2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761

SHA512
e69c81a6ce5a0bddad6ae06be8ca75e5205f3c13b5839c0433231dde23091bbbd8977442cb0284d76701a6a005716f755f4ddb1f2d51cc30de8a54739c7f887e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2cb274d7b7a10ce30a8f8f09795e900510b391f50e3952531231aae3117d6761.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBBDE.tmp.bat

Filesize
151B

MD5
d53f7b3cff743c4a321abb2d0bec9891

SHA1
8ea6ac68f235e388a17da32c4ef4e25c4e398e8d

SHA256
2eced957481c0b830ee13b604368d8c24fab9e6f6c937d78a7726977a0855d15

SHA512
f4c377b155ead78d123dbe5b2cab1da09b8cf15aad4238bca3b6128549241df81dcbcabfbae061c5fbe1da1cb88bab73de317c3b76d5295781a9da039b5733ca

Download Submit
C:\Users\Admin\AppData\Roaming\Svchost.exe

Filesize
46KB

MD5
94c8e57a80dfca2482dedb87b93d4fd9

SHA1
5729e6c7d2f5ab760f0093b9d44f8ac0f876a803

SHA256
39e87f0edcdd15582cfefdfab1975aadd2c7ca1e3a5f07b1146ce3206f401bb5

SHA512
1798a3607b2b94732b52de51d2748c86f9453343b6d8a417e98e65ddb38e9198cdcb2f45bf60823cb429b312466b28c5103c7588f2c4ef69fa27bfdb4f4c67dc

Download Submit
memory/3824-20-0x0000000005140000-0x00000000051DC000-memory.dmp

Filesize
624KB

Download
memory/3824-19-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3824-25-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3824-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3824-11-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3872-2-0x0000000005510000-0x00000000055B4000-memory.dmp

Filesize
656KB

Download
memory/3872-3-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3872-17-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3872-4-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/3872-0-0x0000000074B2E000-0x0000000074B2F000-memory.dmp

Filesize
4KB

Download
memory/3872-8-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3872-5-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/3872-1-0x0000000000910000-0x0000000000A2E000-memory.dmp

Filesize
1.1MB

Download
memory/4576-30-0x0000000000AB0000-0x0000000000ABE000-memory.dmp

Filesize
56KB

Download
memory/4948-18-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-16-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-32-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-33-0x0000000074B20000-0x00000000752D0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads