An in-depth look at AsyncRAT campaigns tied to APT-C-36 and related RATs, focusing on evolving TTPs and how the Colombian distribution behaves in practice. The analyzed sample (Stub.exe) reveals anti-analysis checks, persistence via scheduled tasks and Run keys, and C2 communications, illustrating concrete attack patterns. #APTC-36 #RemcosRAT #AsyncRAT #ImminentMonitorRAT #Colombia #RuntimeBroker #schtasks
Keypoints
- The analyzed sample, Stub.exe, is a PE32 Windows binary (C#, 32-bit Mono/.NET) with specific static identifiers (MD5, SHA1, SHA256) and a 45 KB size.
- The malware performs anti-analysis checks (VM/sandbox detection, debugger presence, and environment discovery) before continuing execution.
- It implements persistence via two main mechanisms: (a) creating a startup registry key for non-privileged contexts and (b) creating a scheduled task (schtasks) when run with administrator privileges.
- For privileged execution, it persists by creating a scheduled task named “Runtime Broker” that runs a copy placed under the AppData\Roaming path; non-privileged execution leverages registry Run keys instead.
- It masquerades as a legitimate Windows binary (Runtime Broker) to blend in and establish C2 communication through the Runtime Broker.exe process.
- The sample establishes C2 with specific ports (8808, 7707, 6606) to IP 217.195.197.70, and uses a mutex named AsyncMutex_6SI8OkPnk as an indicator.
- Memory analysis reveals associated binaries and libraries (aB.exe, MessagePackLib.dll, Recovery.dll, System.Data.SQLite.dll, Newtonsoft.Json.dll) with code protection through .NET Reactor in Recovery.dll.
MITRE Techniques
- [T1059.003] Windows Command Shell – “This process is basically in charge of launching the schtasks.exe binary.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – “modify the registry key Software\Microsoft\Windows\CurrentVersion\Run to execute a copy of itself created in the %appdata% path.”
- [T1036.005] Masquerading: Match Legitimate Name or Location – “the malware tries to impersonate the legitimate Microsoft Windows binary runtimebroker.exe”
- [T1053.005] Scheduled Task / Job: Scheduled Task – “schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\lab\AppData\Roaming\Runtime Broker.exe"'”
- [T1566.001] Phishing: Spearphishing Attachment – “Email with ZIP file attached”
- [T1027] Obfuscated Files or Information – “.NET Reactor is used for code protection”
- [T1095] Non-Application Layer Protocol – “TCP is used for C2 communications”
- [T1571] Non-Standard Port – “Use the ports 8808, 7707 and 6606 for communication”
Indicators of Compromise
- [IP] 217.195.197.70 – destination for C2 communications observed in the Runtime Broker flow
- [Port] 8808, 7707, 6606 – C2 communication ports used by the sample
- [Mutex] AsyncMutex_6SI8OkPnk – mutex used by the sample to avoid duplicate instances
- [File Name] Stub.exe, Runtime Broker.exe, aB.exe – main payload and related executables
- [Hash] MD5: c0b9838ff7d2ddecbfe296eae947e5d6; SHA1: 76af794b85e4a4ba75c5703df1207b7a6798bf2e; SHA256: 79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6c5e3 – hash values of the analyzed Stub.exe sample
- [DLL] MessagePackLib.dll, Recovery.dll, System.Data.SQLite.dll, Newtonsoft.Json.dll – dynamic memory/DLLs observed in the runtime graph
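The following detection script is an added example written for this summary; it is not code from the original write-up or from the AsyncRAT project. It turns the MITRE techniques and indicators listed above into rules and runs them over a few constructed endpoint telemetry events: the "Runtime Broker" scheduled task created at logon with highest privileges, a Run-key value pointing into AppData\Roaming, a RuntimeBroker/"Runtime Broker" binary executing outside System32, connections to the C2 address or ports, the mutex and the Stub.exe SHA256. The event schema (type, image, cmdline, key, data, dst_ip, dst_port, name, sha256) and the sample events are assumptions made for the example, not a real EDR format or real captured data.

```python
"""Added detection example for the AsyncRAT indicators summarised above.

Not part of the original analysis. The JSON-lines telemetry format and the
sample events below are constructed for illustration.
"""
import json
import re
from pathlib import PureWindowsPath

# Indicators taken from the summary above.
C2_IP = "217.195.197.70"
C2_PORTS = {8808, 7707, 6606}
MUTEX = "AsyncMutex_6SI8OkPnk"
STUB_SHA256 = "79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6c5e3"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"

# schtasks /create ... /sc onlogon ... /rl highest ... /tn "Runtime Broker"
# Switch order is not assumed: each switch is checked with its own lookahead.
SCHTASKS_RE = re.compile(
    r"schtasks(?:\.exe)?\s+/create\b"
    r"(?=.*\s/sc\s+onlogon\b)"
    r"(?=.*\s/rl\s+highest\b)"
    r'(?=.*\s/tn\s+"?runtime broker"?)',
    re.IGNORECASE,
)


def is_masqueraded_runtimebroker(image: str) -> bool:
    """True for a RuntimeBroker / 'Runtime Broker' binary outside Windows\\System32."""
    path = PureWindowsPath(image)
    if path.name.replace(" ", "").lower() != "runtimebroker.exe":
        return False
    return not str(path.parent).lower().endswith("\\windows\\system32")


def is_run_key_to_appdata(key: str, data: str) -> bool:
    """Run-key value whose command line points into AppData\\Roaming."""
    return RUN_KEY in key.lower() and "\\appdata\\roaming\\" in data.lower()


def detect(telemetry: str) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for every event that matches a rule."""
    findings = []
    for line in telemetry.strip().splitlines():
        ev = json.loads(line)
        kind = ev.get("type")
        if kind == "process":
            if SCHTASKS_RE.search(ev.get("cmdline", "")):
                findings.append(("T1053.005", ev["cmdline"]))
            if is_masqueraded_runtimebroker(ev.get("image", "")):
                findings.append(("T1036.005", ev["image"]))
        elif kind == "registry":
            if is_run_key_to_appdata(ev.get("key", ""), ev.get("data", "")):
                findings.append(("T1547.001", ev["key"]))
        elif kind == "network":
            if ev.get("dst_ip") == C2_IP or ev.get("dst_port") in C2_PORTS:
                findings.append(("C2", f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif kind == "mutex":
            if ev.get("name") == MUTEX:
                findings.append(("MUTEX", ev["name"]))
        elif kind == "file":
            if ev.get("sha256", "").lower() == STUB_SHA256:
                findings.append(("HASH", ev["path"]))
    return findings


# Constructed sample telemetry (not real captured data). The last two events
# are benign: the genuine RuntimeBroker.exe in System32 and an ordinary
# browser connection to a documentation-range address.
SAMPLE_TELEMETRY = r"""
{"type": "process", "image": "C:\\Users\\lab\\AppData\\Roaming\\Runtime Broker.exe", "cmdline": "\"C:\\Users\\lab\\AppData\\Roaming\\Runtime Broker.exe\"", "parent": "C:\\Users\\lab\\Downloads\\Stub.exe"}
{"type": "process", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd /c schtasks /create /f /sc onlogon /rl highest /tn \"Runtime Broker\" /tr '\"C:\\Users\\lab\\AppData\\Roaming\\Runtime Broker.exe\"'", "parent": "C:\\Users\\lab\\Downloads\\Stub.exe"}
{"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Runtime Broker", "data": "C:\\Users\\lab\\AppData\\Roaming\\Runtime Broker.exe"}
{"type": "network", "image": "C:\\Users\\lab\\AppData\\Roaming\\Runtime Broker.exe", "dst_ip": "217.195.197.70", "dst_port": 8808}
{"type": "mutex", "image": "C:\\Users\\lab\\AppData\\Roaming\\Runtime Broker.exe", "name": "AsyncMutex_6SI8OkPnk"}
{"type": "file", "path": "C:\\Users\\lab\\Downloads\\Stub.exe", "sha256": "79068b82bcf0786b6af1b7cc96de1bf4e1a66b0d95e7e72ed1b1054443f6c5e3"}
{"type": "process", "image": "C:\\Windows\\System32\\RuntimeBroker.exe", "cmdline": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding", "parent": "C:\\Windows\\System32\\svchost.exe"}
{"type": "network", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dst_ip": "203.0.113.10", "dst_port": 443}
"""

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_TELEMETRY):
        print(f"[{rule}] {detail}")
```

The scheduled-task and masquerading rules are behavioural and survive a change of hash or C2 address; the IP, port, mutex and hash rules are exact-match IoCs and should be expected to age. The masquerading check compares the file name with spaces removed, so both the legitimate spelling RuntimeBroker.exe and the sample's "Runtime Broker.exe" are caught when they run from anywhere other than Windows\System32.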
Read more: https://jstnk9.github.io/jstnk9/research/AsyncRAT-Analysis/#summary