asyncrat | 9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fart.exe
Size

39.9MB
MD5

e1a72f7e4426c8d5e849459fa7c7e476
SHA1

e1101a053ebe7cf5dc44f4f4ea787be113cae10f
SHA256

9409521653887ec13272edd26f3768efb6f176b49b15a058dfcf69b9172faece
SHA512

0a2830e2f9e1872a98996f4221f1e81a33e8927e087397e7b3342fe79333974d030d8ff4176746c9cfd78eeb382d46a88023709c2e003b6a1ba00d883ee4426f
SSDEEP

786432:sxGPxJDr/A/brZCaMhEDL/BpYE0dkt3ZL3PDnsilllqs7GIKScPml8tBW:oGJJDrYPZCaEWLxVfDnplllpzMW

Score

10^/10

asyncrat quasar xworm default office04 slave execution rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
ql4fQ8TV9ZFP9vRX2myA
install_name
$sxr~Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$77STARTUP~MSF
subdirectory
$sxr~SubDir

Extracted

Family

xworm

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

history-foo.gl.at.ply.gg:42349

Mutex

2beddbf7-c691-4058-94c7-f54389b4a581

Attributes

encryption_key
CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Update
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mshta.exe	family_xworm
behavioral1/memory/2556-21-0x0000000000850000-0x0000000000868000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_xworm
behavioral1/memory/2604-27-0x0000000001230000-0x000000000124A000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hat.exe	family_quasar
behavioral1/memory/2676-28-0x0000000001290000-0x00000000012FC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Local\Temp\Client-built.exe	family_quasar
behavioral1/memory/2376-32-0x0000000000CF0000-0x0000000001014000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Async RAT payload 1 IoCs
rat

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\ONPE.exe family_asyncrat
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1660 powershell.exe
1220 powershell.exe
1420 powershell.exe
1348 powershell.exe
Executes dropped EXE 6 IoCs

Processes:

hat.exemshta.exeONPE.exesvchost.exeClient-built.exeindex.exe

pid process

2676 hat.exe
2556 mshta.exe
2492 ONPE.exe
2604 svchost.exe
2376 Client-built.exe
2384 index.exe
Loads dropped DLL 2 IoCs

Processes:

fart.exe

pid process

2664 fart.exe
2744
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1360 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exemshta.exesvchost.exe

pid process

1220 powershell.exe
1660 powershell.exe
1348 powershell.exe
1420 powershell.exe
2556 mshta.exe
2604 svchost.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ONPE.exe	family_asyncrat

pid	process
1660	powershell.exe
1220	powershell.exe
1420	powershell.exe
1348	powershell.exe

pid	process
2676	hat.exe
2556	mshta.exe
2492	ONPE.exe
2604	svchost.exe
2376	Client-built.exe
2384	index.exe

pid	process
2664	fart.exe
2744

flow	ioc
7	ip-api.com

pid	process
1360	schtasks.exe

pid	process
1220	powershell.exe
1660	powershell.exe
1348	powershell.exe
1420	powershell.exe
2556	mshta.exe
2604	svchost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Client-built.exemshta.exeONPE.exesvchost.exehat.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2376	Client-built.exe
Token: SeDebugPrivilege	2556	mshta.exe
Token: SeDebugPrivilege	2492	ONPE.exe
Token: SeDebugPrivilege	2604	svchost.exe
Token: SeDebugPrivilege	2676	hat.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	2556	mshta.exe
Token: SeDebugPrivilege	2604	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Client-built.exemshta.exesvchost.exehat.exe

pid process

2376 Client-built.exe
2556 mshta.exe
2604 svchost.exe
2676 hat.exe

pid	process
2376	Client-built.exe
2556	mshta.exe
2604	svchost.exe
2676	hat.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

fart.exehat.exemshta.exesvchost.exe

description	pid	process	target process
PID 2664 wrote to memory of 2676	2664	fart.exe	hat.exe
PID 2664 wrote to memory of 2676	2664	fart.exe	hat.exe
PID 2664 wrote to memory of 2676	2664	fart.exe	hat.exe
PID 2664 wrote to memory of 2676	2664	fart.exe	hat.exe
PID 2664 wrote to memory of 2676	2664	fart.exe	hat.exe
PID 2664 wrote to memory of 2676	2664	fart.exe	hat.exe
PID 2664 wrote to memory of 2676	2664	fart.exe	hat.exe
PID 2664 wrote to memory of 2556	2664	fart.exe	mshta.exe
PID 2664 wrote to memory of 2556	2664	fart.exe	mshta.exe
PID 2664 wrote to memory of 2556	2664	fart.exe	mshta.exe
PID 2664 wrote to memory of 2492	2664	fart.exe	ONPE.exe
PID 2664 wrote to memory of 2492	2664	fart.exe	ONPE.exe
PID 2664 wrote to memory of 2492	2664	fart.exe	ONPE.exe
PID 2664 wrote to memory of 2604	2664	fart.exe	svchost.exe
PID 2664 wrote to memory of 2604	2664	fart.exe	svchost.exe
PID 2664 wrote to memory of 2604	2664	fart.exe	svchost.exe
PID 2664 wrote to memory of 2376	2664	fart.exe	Client-built.exe
PID 2664 wrote to memory of 2376	2664	fart.exe	Client-built.exe
PID 2664 wrote to memory of 2376	2664	fart.exe	Client-built.exe
PID 2664 wrote to memory of 2384	2664	fart.exe	index.exe
PID 2664 wrote to memory of 2384	2664	fart.exe	index.exe
PID 2664 wrote to memory of 2384	2664	fart.exe	index.exe
PID 2676 wrote to memory of 1360	2676	hat.exe	schtasks.exe
PID 2676 wrote to memory of 1360	2676	hat.exe	schtasks.exe
PID 2676 wrote to memory of 1360	2676	hat.exe	schtasks.exe
PID 2676 wrote to memory of 1360	2676	hat.exe	schtasks.exe
PID 2556 wrote to memory of 1660	2556	mshta.exe	powershell.exe
PID 2556 wrote to memory of 1660	2556	mshta.exe	powershell.exe
PID 2556 wrote to memory of 1660	2556	mshta.exe	powershell.exe
PID 2604 wrote to memory of 1220	2604	svchost.exe	powershell.exe
PID 2604 wrote to memory of 1220	2604	svchost.exe	powershell.exe
PID 2604 wrote to memory of 1220	2604	svchost.exe	powershell.exe
PID 2604 wrote to memory of 1420	2604	svchost.exe	powershell.exe
PID 2604 wrote to memory of 1420	2604	svchost.exe	powershell.exe
PID 2604 wrote to memory of 1420	2604	svchost.exe	powershell.exe
PID 2556 wrote to memory of 1348	2556	mshta.exe	powershell.exe
PID 2556 wrote to memory of 1348	2556	mshta.exe	powershell.exe
PID 2556 wrote to memory of 1348	2556	mshta.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\fart.exe
"C:\Users\Admin\AppData\Local\Temp\fart.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\hat.exe
"C:\Users\Admin\AppData\Local\Temp\hat.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\hat.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Users\Admin\AppData\Local\Temp\mshta.exe
"C:\Users\Admin\AppData\Local\Temp\mshta.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mshta.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mshta.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Users\Admin\AppData\Local\Temp\ONPE.exe
"C:\Users\Admin\AppData\Local\Temp\ONPE.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Users\Admin\AppData\Local\Temp\index.exe
"C:\Users\Admin\AppData\Local\Temp\index.exe"
2⤵
- Executes dropped EXE
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
Filesize
3.1MB

MD5
3609d79a3bd384ec00861417a1795932

SHA1
1e2beac3970f2debf5376ed1c4197380d1b1ab39

SHA256
ac77d98fe33fad34e96b6679e70dfb7fe1664249c8961da35b780ff0ef9feb80

SHA512
9ffcec4d0cf24bd199f26eda0b3f1528c9c46224ebc415f9adfe189af9ac2900fbfbb47dc29ba8b9f05b9e53d5b9907d3c51b753ce5d3e694029a86c624c8019

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONPE.exe
Filesize
63KB

MD5
27fe9341167a34f606b800303ac54b1f

SHA1
86373d218b48361bff1c23ddd08b6ab1803a51d0

SHA256
29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d

SHA512
05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hat.exe
Filesize
409KB

MD5
e10c7425705b2bd3214fa96247ee21c4

SHA1
7603536b97ab6337fa023bafcf80579c2b4059e6

SHA256
021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4

SHA512
47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\index.exe
Filesize
36.2MB

MD5
3c9563aff1bd31ffa1692db8bf1526a6

SHA1
b9038ff03f20441170548f3910f141d58f46e46f

SHA256
c722b281827e42918c087b7466b6afcf11fe715d45178556f4ecacee6edbdac2

SHA512
1ca5915b8f9b9e2fd34100cd9a4d4d5ccfd106e8c32189ddce90ec06073982871a8ae318051e9afe93247df89a5425efdea346014e2c16005e1193842b18ce0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mshta.exe
Filesize
67KB

MD5
092a0c6fe885844fd74947e64e7fc11e

SHA1
bfe46f64f36f2e927d862a1a787f146ed2c01219

SHA256
91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2

SHA512
022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
79KB

MD5
1f1b23752df3d29e7604ba52aea85862

SHA1
bb582c6cf022098b171c4c9c7318a51de29ebcf4

SHA256
4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960

SHA512
d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
819154cb4733035c32b4bd9c69ad789b

SHA1
bcb2e8748716da518b106ef8172c1e6df252c493

SHA256
e5eb16cab594c654beb2d5eed27f71a5aa6dda44b12e9f7dadb91e307ff11ab5

SHA512
f01d06d47f727518244562375cf609228ac9c4389a03aee81f6fea5422584b7ee3a0c0ecc95af552183cc53c716e217dfc0848dcdd5615d203251ac0c181079d

Download Submit
memory/1220-43-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/1220-49-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1348-61-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/1420-60-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2376-32-0x0000000000CF0000-0x0000000001014000-memory.dmp

Filesize
3.1MB

Download
memory/2492-19-0x0000000000800000-0x0000000000816000-memory.dmp

Filesize
88KB

Download
memory/2556-21-0x0000000000850000-0x0000000000868000-memory.dmp

Filesize
96KB

Download
memory/2604-27-0x0000000001230000-0x000000000124A000-memory.dmp

Filesize
104KB

Download
memory/2664-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2664-1-0x0000000000170000-0x000000000295E000-memory.dmp

Filesize
39.9MB

Download
memory/2676-28-0x0000000001290000-0x00000000012FC000-memory.dmp

Filesize
432KB

Download