# Analyzing AsyncRAT distributed in Colombia

**jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/**

June 1, 2022 · 12 min read

[Jose Luis Sánchez Martínez](https://twitter.com/Joseliyo_Jstnk)
Security Researcher

## Summary


June 1, 2022


-----

During 2019-2021 I was focused on analyzing campaigns orchestrated by the `APT-C-36 group and`
RATs used by this same group and other cybercriminal groups such as `RemcosRAT,` `AsyncRAT,`
```
Imminent Monitor RAT, etc. In the last few months I have seen some modifications of TTPs in many

```
of these families that have caught my attention and I wanted to analyze them to see what is new.

Therefore, during this entry we will go through the analysis of a sample of `AsyncRAT distributed in`
Colombia during the last month.

info

The objective of the analysis is to provide information on the execution of the binary, genealogy and
other stuff, not to go into the details of the static part.

## Analysis

### Static

The basic static information of the sample to be analyzed is shown in the table below.

**Field** **Value**

File name Stub.exe

Type PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly

MD5 c0b9838ff7d2ddecbfe296eae947e5d6

SHA1 76af794b85e4a4ba75c5703df1207b7a6798bf2e

SHA256 79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6c5e3

File size 45.00 KB (46080 bytes)

After verifying that the binary was C#, I decided to perform a small analysis of the code to check some
of the actions that the malware should do once executed, before executing it on my systems.


-----

If we go to the `Main function, which is the one defined in the entry point, we see that it contains the`
structure shown in the following image.


-----

The binary will check a series of conditions to verify if it is being executed among other things in a
virtual environment or not, and depending on the results, it will continue its normal flow or kill the
process.

The first check is to verify if a series of settings established in the code, among which are the key,
pastebin URL, version, etc.


-----

Secondly, it tries to create a mutex and stop similar processes of the same sample that may be running.

It then performs several checks to identify the context where it is running (mainly to see if it is a virtual
machine or a sandbox). Different anti-analysis techniques are put in place.

The first of all is related to the `DetectManufacturer method which aims to see if the system is related`
to Vmware, VirtualBox, or virtualized in general.


-----

The next thing is to check if a debugger exists in the context of AsyncRAT. To do this, it makes use of
the `isDebuggerPresent API.`

[Next, the check is focused on seeing if the system where it was executed is the known sandboxie, to](https://github.com/sandboxie-plus/Sandboxie)
check it, tries to identify if the DLL `SbieDll.dll is running.`


-----

The next check it performs is on the system disk capacity. In this case, it checks if the disk is less than
61000000000L (56.8 GB). If it is, it returns false.

The last thing it performs in this set of checks is to identify if the operating system is Windows XP with a
simple method.

It also aims to generate persistence in the system. To do this, it checks if the context of the process was
launched with privileges, if so, it will make use of `schtasks.exe to create a task. Otherwise, if the`
context is not found with administrator permissions, it will try to modify the registry key
```
Software\Microsoft\Windows\CurrentVersion\Run to execute a copy of itself create in the

```

-----

After this, the sample copies itself into the `%appdata% directory and will create a .bat file to first launch`
a `timeout, run the sample from` `%appdata% and delete the .bat file.`

The last interesting activity is to establish communications with the C2 through the
```
ClientSocket.Reconnect(); and ClientSocket.InitializeClient(); methods.

```

-----

The sample can perform many other actions once it is deployed in the environment. For example, the
```
Client.Helper.IdSender class has a method called sendInfo which is responsible for sending

```
information from the operating system to the C2.


-----

Going into detail of each class could take a long time, and in this case, the goal is to analyze the
behavior once executed, so I leave a small image of a part of the classes and methods that
incorporates the sample and we will perform an analysis of the behavior.


-----

### Dynamic

**high level processes events**


-----

Now it is time to detonate the malware in a controlled environment to verify the behavior of the malware.
In this case, I did different executions with and without administrator permissions to see how the sample
behaved. I did this because in the static part we have seen that the behavior could vary depending on
whether it was executed in the administrator context.

**privileged execution - Genealogy**

**non-privileged execution - Genealogy**

As can be seen, there are some differences when the sample was executed with privileges and when
not. For example, in the first image, which corresponds to the execution with privileges, there are 3
additional processes which are the following.
```
|_ cmd.exe (7380)
  |_ Conhost.exe (8972)
  |_ schtasks.exe (4152)

```
This is because the execution of the process 7380 `cmd.exe, is the behavior related to setting the`
scheduled task. However, if the sample is run without administrator permissions, the scheduled task
cannot be generated.


-----

We are going to go into detail about the processes to see the main actions they performed and that
could be of interest in order to generate some kind of detection or identification of patterns. To do this,
we will focus on the execution with administrator permissions and in case there is something different in
the other execution, it will be named.

**Stub.exe - 2740**
```
C:\Users\lab\Desktop\Stub.exe

```
This is the AsyncRAT sample. The execution was performed with administrator privileges.

This process, as we saw before, would be in charge of creating certain files in the system. First of all,
what it does is to create in the `%appdata% directory a copy of itself.`

Then, it creates the batch file also in `%appdata%, which will be executed later to perform different`
actions in the operating system.

As for registry keys, there is no significant activity.

info

Different behavior in the sample run without privileges.

**However, in the case of unprivileged execution, there would be a modification in the registry**
**keys for persistence, using the key**
```
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker .

```
**cmd.exe - 7380**
```
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime
Broker" /tr '"C:\Users\lab\AppData\Roaming\Runtime Broker.exe"' & exit

```

-----

This process is basically in charge of launching the `schtasks.exe binary. It is important to mention,`
as we are seeing and will see throughout the analysis, that since this is a 32bit sample, the executions
will be related to the `C:\Windows\SysWOW64\ directory.`

This process will not exist when running AsyncRAT without administrator permissions.

**schtasks.exe - 4152**
```
schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr
'"C:\Users\lab\AppData\Roaming\Runtime Broker.exe"'

```
The task is generated in the system to be executed at each login of any user with administrator
permissions.
```
/f -> A value that forcefully creates the task and suppresses warnings if the specified task
already exists.
/sc onlogon -> In each login
/rl highest -> Max privileges
/tn "Runtime Broker" -> Task name
/tr "C:\Users\lab\AppData\Roaming\Runtime Broker.exe" -> Task run to execute

```
**cmd.exe - 8840**


-----

```
C:\Windows\system32\cmd.exe /c C:\Users\lab\AppData\Local\Temp\tmp3959.tmp.bat

```
This process is in charge of executing the bat file that was created during the execution of the
```
Stub.exe binary. It is important to mention that the name of the batch file varies according to the

```
**execution, however, the pattern is always the same. The following RegEx would work to detect this.**
```
.*tmp[a-zA-Z1-9]{4}.tmp.bat

```
**timeout.exe - 6272**
```
timeout 3

```
The malware uses a timeout of 3 seconds before it starts performing the rest of the actions.

**Runtime Broker.exe - 4080**
```
"C:\Users\lab\AppData\Roaming\Runtime Broker.exe"

```
As can be seen from the name of the process, the malware tries to impersonate the legitimate Microsoft
Windows binary `runtimebroker.exe . However, it can be noticed in this case that there is a space`
between the two words.

Here the communication with the C2 server is established. The ports used in this case are 8808, 7707
and 6606. The destination IP address is 217.195.197[.]70.

On the other hand, another indicator that could help us to identify the sample and the family during the
analysis is the Mutex used, which in this case is `AsyncMutex_6SI8OkPnk .`


-----

During the execution of `Runtime Broker.exe, I proceeded to extract the .NET assembly from`
memory to verify if it was the same `Stub.exe binary analyzed later or if it presented some difference`
when is launched. During this extraction, the following assemblies were obtained from memory.

**File name** **SHA1** **Comments**

aB.exe 76AF794B85E4A4BA75C5703DF1207B7A6798BF2E Same sample as
```
                                          Stub.exe

```
MessagePackLib.dll 16CC8C3A461A6CE5A7ED1FF569EA61B8D9BA143E At the time of
analysis, 41/68
engines in VT detect
it as malicious.
Different family
names.

Recovery.dll 93E9469789A4ECD28E30006D1CE10DBFFBD36D7C At the time of
analysis, 44/68
engines in VT detect
it as malicious. Code
protected by
[Reactor.](https://www.eziriz.com/)

System.Data.SQLite.dll B9D5AF76D8DF1C4EE4CCBA33B2AFA8300952D923 Mixed-mode
assembly for
System.Data.SQLite.
More information
[here.](https://system.data.sqlite.org/index.html/doc/trunk/www/downloads.wiki)

Newtonsoft.Json.dll E68B369BC131A32D5233EE395F47B337C2469042 Json.NET is a
popular highperformance JSON
framework for .NET

**aB.exe**

The assembly `aB.exe is the same` `Stub.exe file, which in turn is also` `Runtime Broker.exe .`

**MessagePackLib.dll**


-----

[This DLL does not contain any packers or code protectors. 41 out of 68 VT engines detect this DLL as](https://www.virustotal.com/gui/file/cd89c8c9bb614fac779491b98ed425f90b01412381e02392fb27b36db3568b0f)
malicious.

Taking a look at the assembly, you can see that the class structure does not seem to be very complex,
and with a little patience you could identify its functionality (if you are interested in the sample, ask me
privately).


-----

**Recovery.dll**

In this case, it has been possible to verify the existence of Reactor, called by itself as a .NET code
protection as can be seen on its website.


-----

As for the assembly, it can be verified that there is a protection of the code, since many strings and
classes are randomized at the moment of observing their possible logic.

In a process of trying to remove the code protection, it is possible to see in a more readable way part of
the code, identifying messages of actions that the assembly could try, in this case as seen in the image,
related to the obtaining of Firefox cookies.


-----

### High level graph

In order to have a graphical view of the most important events that take place during the execution of
AsyncRAT, a behavior graph has been elaborated where the events generated in the system during its
execution can be seen.


-----

### Diamond model

## ATT&CK

**Technique**


**Kill chain**
**phase**


**Diamond**
**vertex** **Comments**


-----

**Diamond**
**vertex** **Comments**


**Technique**

T1566.001 - Phishing: Spearphishing
Attachment

T1547.001 - Boot or Logon Autostart
Execution: Registry Run Keys / Startup
Folder

T1053.005 - Scheduled Task/Job:
Scheduled Task

T1036.005 - Masquerading: Match
Legitimate Name or Location


**Kill chain**
**phase**


Delivery Capability Email with ZIP file attached

Installation Capability Set registry key if nonprivileged user executes
the payload

Installation Capability Creates new scheduled
task if privileged user
executes the payload

Execution Capability Writes itself as a file
named Runtime
Broker.exe saved in
%APPDATA%


T1571 - Non-Standard Port C2 Infrastructure Use the ports 8808, 7707
and 6606 for
communication


T1059.003 - Command and Scripting
Interpreter: Windows Command Shell


Execution Capability Executes batch file created
previously


T1027 - Obfuscated Files or Information Exploitation Capability .NET Reactor is used for
code protection

T1095 - Non-Application Layer Protocol C2 Infrastructure TCP is used for C2
communications

## IOCs

217.195.197[.]70 through 6606, 7707, 8808 ports
76AF794B85E4A4BA75C5703DF1207B7A6798BF2E
16CC8C3A461A6CE5A7ED1FF569EA61B8D9BA143E
93E9469789A4ECD28E30006D1CE10DBFFBD36D7C
Mutex `AsyncMutex_6SI8OkPnk`

## Sigma rules

**_The sigma rules created are specifics for this payload. There will be different payloads used by_**
AsyncRAT with the same name or different. Is important to mention that the original filename embbeded
in this case is `Stub.exe . This is interesting because if the adversaries create new payloads, maybe`
the original filename will still being the same.


-----

```
title: Detect AsyncRAT persistence with schtasks based on specific payload
id: 4410f0ad-3a1c-4e21-9e3a-fa55336aa123
description: Detect the execution of the AsyncRAT payload to launch schtask for persistence.
status: experimental
date: 2022/06/01
modified: 2022/06/01
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
references:
  - https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis
  https://www.virustotal.com/gui/file/79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6
logsource:
 product: windows
 category: process_creation
detection:
 parent_selection:
  ParentImage|endswith: 'Stub.exe'
 selection1:
  Image|endswith: '\cmd.exe'
  CommandLine|contains|all:
   - 'schtasks '
   - '\AppData\Roaming\'
   - '.exe'
 condition: parent_selection and selection1
falsepositives:
  - Unknown
level: medium
tags:
  - attack.persistence
  - attack.T1053.005
title: Detect AsyncRAT execution based on specific payload
id: ac891380-958b-4c08-a77d-8e149d63d741
description: Detect the execution of the AsyncRAT payload to establish registry key for
persistence.
status: experimental
date: 2022/06/01
modified: 2022/06/01
author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
references:
  - https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis
  https://www.virustotal.com/gui/file/79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6
logsource:
 product: windows
 category: registry_set
detection:
 selection:
  EventType: SetValue
  Image|endswith: 'Stub.exe'
  TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\'
  Details|contains: '.exe'
 condition: selection
falsepositives:
  - Unknown
level: medium
tags:
  - attack.persistence
  - attack.t1547.001

```

-----

[In the original Sigma repository, there are a large number of generic rules that can help in the detection](https://github.com/SigmaHQ/sigma/tree/master/rules/windows)
of this malware.

## Contact

**Twitter:** [https://twitter.com/Joseliyo_Jstnk](https://twitter.com/Joseliyo_Jstnk)

**LinkedIn:** [https://www.linkedin.com/in/joseluissm/](https://www.linkedin.com/in/joseluissm/)


-----