asyncrat | 71279240d14f290a3b81f4a9a660c5cdb37d52c7c65c60f1fa035d5b05745537

General

Target

INVOICE_PAYMENT.exe
Size

825KB
MD5

d05c3e50c2fe19f0c73104fcdcc69b10
SHA1

76d9509cfc31cc5dccf2dab9566a9145be2554bd
SHA256

71279240d14f290a3b81f4a9a660c5cdb37d52c7c65c60f1fa035d5b05745537
SHA512

7434d374919b6ad96cead1ae18d982bab0293be08dfd1eb6b37d5e1b3788424e14ccd0b0400fa1da5f8675453fdd2baadc7e5b560bf8a015ace75c59d6110516

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

79.134.225.34:6606

79.134.225.34:7707

79.134.225.34:8808

Mutex

yvlmeiqesk

Attributes

aes_key
ocs7WICVJIXrCIZwVBdGxh2WNrfElyxa
anti_detection
false
autorun
false
bdos
false
delay
NEWYEAR
host
127.0.0.1,79.134.225.34
hwid
10
install_file
install_folder
%AppData%
mutex
yvlmeiqesk
pastebin_config
null
port
6606,7707,8808
version
0.5.6D

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1896-8-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1896-9-0x000000000040C62E-mapping.dmp	asyncrat
behavioral1/memory/1896-10-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1896-11-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

INVOICE_PAYMENT.exe

description pid process target process

PID 2012 set thread context of 1896 2012 INVOICE_PAYMENT.exe INVOICE_PAYMENT.exe

description	pid	process	target process
PID 2012 set thread context of 1896	2012	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

INVOICE_PAYMENT.exe

description	pid	process	target process
PID 2012 wrote to memory of 1896	2012	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2012 wrote to memory of 1896	2012	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2012 wrote to memory of 1896	2012	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2012 wrote to memory of 1896	2012	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2012 wrote to memory of 1896	2012	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2012 wrote to memory of 1896	2012	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2012 wrote to memory of 1896	2012	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2012 wrote to memory of 1896	2012	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2012 wrote to memory of 1896	2012	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe"
2⤵
PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1896-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1896-9-0x000000000040C62E-mapping.dmp

Download
memory/1896-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1896-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1896-12-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2012-2-0x0000000074BA0000-0x000000007528E000-memory.dmp

Filesize
6.9MB

Download
memory/2012-3-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2012-5-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/2012-6-0x0000000001F40000-0x0000000001F70000-memory.dmp

Filesize
192KB

Download
memory/2012-7-0x00000000006C0000-0x00000000006CF000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing