asyncrat | 8d29f4ed1dfb22f2b11e74a065ca6f8993cead1cbd965f576a935cf80fb1afc7

General

Target

SKM_C258201001130020005057.exe
Size

1.0MB
MD5

101293648c64868f186872244df8b871
SHA1

fbca0f4a9f0dfb1f7d1e93e9a650ac4e5f815901
SHA256

8d29f4ed1dfb22f2b11e74a065ca6f8993cead1cbd965f576a935cf80fb1afc7
SHA512

d67b4892f9269b8dec97d1063500a83d251e78ea2d8f20afa576da397d1013e5c1380c99284cf35d02b29faeebfe8ed7f1d9365312b9f909bc5530826fa79a26

Score

10^/10

asyncrat persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

severdops.ddns.net:6204

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
YNkqaLZuCTWrp43KtUJweEXfeczrvdLZ
anti_detection
false
autorun
false
bdos
false
delay
Default
host
severdops.ddns.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6204
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SKM_C258201001130020005057.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SKM_C258201001130020005057.exe\""	SKM_C258201001130020005057.exe

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/500-8-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/500-9-0x000000000040C71E-mapping.dmp	asyncrat

Drops startup file 2 IoCs

Processes:

SKM_C258201001130020005057.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SKM_C258201001130020005057.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKM_C258201001130020005057.exe"	SKM_C258201001130020005057.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SKM_C258201001130020005057.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SKM_C258201001130020005057.exe"	SKM_C258201001130020005057.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

SKM_C258201001130020005057.exe

pid	process
644	SKM_C258201001130020005057.exe
644	SKM_C258201001130020005057.exe
644	SKM_C258201001130020005057.exe
644	SKM_C258201001130020005057.exe
644	SKM_C258201001130020005057.exe
644	SKM_C258201001130020005057.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SKM_C258201001130020005057.exe

description pid process target process

PID 644 set thread context of 500 644 SKM_C258201001130020005057.exe SKM_C258201001130020005057.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2300 644 WerFault.exe SKM_C258201001130020005057.exe

description	pid	process	target process
PID 644 set thread context of 500	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe

pid	pid_target	process	target process
2300	644	WerFault.exe	SKM_C258201001130020005057.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

SKM_C258201001130020005057.exeWerFault.exe

pid	process
644	SKM_C258201001130020005057.exe
644	SKM_C258201001130020005057.exe
644	SKM_C258201001130020005057.exe
644	SKM_C258201001130020005057.exe
644	SKM_C258201001130020005057.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe
2300	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

SKM_C258201001130020005057.exeWerFault.exeSKM_C258201001130020005057.exe

description	pid	process
Token: SeDebugPrivilege	644	SKM_C258201001130020005057.exe
Token: SeRestorePrivilege	2300	WerFault.exe
Token: SeBackupPrivilege	2300	WerFault.exe
Token: SeDebugPrivilege	2300	WerFault.exe
Token: SeDebugPrivilege	500	SKM_C258201001130020005057.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SKM_C258201001130020005057.exe

description	pid	process	target process
PID 644 wrote to memory of 2620	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe
PID 644 wrote to memory of 2620	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe
PID 644 wrote to memory of 2620	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe
PID 644 wrote to memory of 500	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe
PID 644 wrote to memory of 500	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe
PID 644 wrote to memory of 500	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe
PID 644 wrote to memory of 500	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe
PID 644 wrote to memory of 500	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe
PID 644 wrote to memory of 500	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe
PID 644 wrote to memory of 500	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe
PID 644 wrote to memory of 500	644	SKM_C258201001130020005057.exe	SKM_C258201001130020005057.exe

C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe
"C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe
"C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe"
2⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe
"C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 1124
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/500-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/500-9-0x000000000040C71E-mapping.dmp

Download
memory/500-10-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/500-18-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/644-2-0x0000000073EE0000-0x00000000745CE000-memory.dmp

Filesize
6.9MB

Download
memory/644-3-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/644-5-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/644-6-0x0000000005550000-0x0000000005577000-memory.dmp

Filesize
156KB

Download
memory/644-7-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/2300-13-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads