asyncrat | 12d3ad6a4467daebd29194d962f95aae46cdcd52263e08f243586a8fbb060c5f

General

Target

sample details.exe
Size

513KB
MD5

1f438fdbc78b1b8e8944de8140a58729
SHA1

f3ddaeb5ad51025c3251b77ee006247cecca205e
SHA256

12d3ad6a4467daebd29194d962f95aae46cdcd52263e08f243586a8fbb060c5f
SHA512

d1c588134765dba5c87eabab3de2d157647836ed2b419fe9e7883c7477671266c5a490e8e2e3ea2aeef25c0d030a4b57cbdb132c016ccd2bbfdc7064f46a0126

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

null:null

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
b8dOcyzjp8n8ZZClllDq0eJu2HC4JkWF
anti_detection
true
autorun
false
bdos
true
delay
Default
host
null
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
https://pastebin.com/raw/xBiaYesc
port
null
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1384-28-0x0000000000400000-0x000000000046C000-memory.dmp	asyncrat
behavioral1/memory/1384-29-0x000000000040D0DE-mapping.dmp	asyncrat
behavioral1/memory/1384-30-0x0000000000400000-0x000000000046C000-memory.dmp	asyncrat
behavioral1/memory/1384-31-0x0000000000400000-0x000000000046C000-memory.dmp	asyncrat

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%	Powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

sample details.exe

description pid process target process

PID 544 set thread context of 1384 544 sample details.exe sample details.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Powershell.exe

pid process

1480 Powershell.exe
1480 Powershell.exe

description	pid	process	target process
PID 544 set thread context of 1384	544	sample details.exe	sample details.exe

pid	process
1480	Powershell.exe
1480	Powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Powershell.exesample details.exe

description	pid	process
Token: SeDebugPrivilege	1480	Powershell.exe
Token: SeDebugPrivilege	1384	sample details.exe
Token: SeDebugPrivilege	1384	sample details.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

sample details.exe

description	pid	process	target process
PID 544 wrote to memory of 1480	544	sample details.exe	Powershell.exe
PID 544 wrote to memory of 1480	544	sample details.exe	Powershell.exe
PID 544 wrote to memory of 1480	544	sample details.exe	Powershell.exe
PID 544 wrote to memory of 1480	544	sample details.exe	Powershell.exe
PID 544 wrote to memory of 1384	544	sample details.exe	sample details.exe
PID 544 wrote to memory of 1384	544	sample details.exe	sample details.exe
PID 544 wrote to memory of 1384	544	sample details.exe	sample details.exe
PID 544 wrote to memory of 1384	544	sample details.exe	sample details.exe
PID 544 wrote to memory of 1384	544	sample details.exe	sample details.exe
PID 544 wrote to memory of 1384	544	sample details.exe	sample details.exe
PID 544 wrote to memory of 1384	544	sample details.exe	sample details.exe
PID 544 wrote to memory of 1384	544	sample details.exe	sample details.exe
PID 544 wrote to memory of 1384	544	sample details.exe	sample details.exe

C:\Users\Admin\AppData\Local\Temp\sample details.exe
"C:\Users\Admin\AppData\Local\Temp\sample details.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\sample details.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Users\Admin\AppData\Local\Temp\sample details.exe
"C:\Users\Admin\AppData\Local\Temp\sample details.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/544-27-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/544-3-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/544-2-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/1384-32-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/1384-31-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1384-30-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1384-29-0x000000000040D0DE-mapping.dmp

Download
memory/1384-28-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1480-7-0x0000000001D40000-0x0000000001D41000-memory.dmp

Filesize
4KB

Download
memory/1480-18-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/1480-19-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1480-26-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/1480-13-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/1480-10-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1480-9-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1480-8-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1480-6-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/1480-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads