asyncrat | 71279240d14f290a3b81f4a9a660c5cdb37d52c7c65c60f1fa035d5b05745537

General

Target

INVOICE_PAYMENT.exe
Size

825KB
MD5

d05c3e50c2fe19f0c73104fcdcc69b10
SHA1

76d9509cfc31cc5dccf2dab9566a9145be2554bd
SHA256

71279240d14f290a3b81f4a9a660c5cdb37d52c7c65c60f1fa035d5b05745537
SHA512

7434d374919b6ad96cead1ae18d982bab0293be08dfd1eb6b37d5e1b3788424e14ccd0b0400fa1da5f8675453fdd2baadc7e5b560bf8a015ace75c59d6110516

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

79.134.225.34:6606

79.134.225.34:7707

79.134.225.34:8808

Mutex

yvlmeiqesk

Attributes

aes_key
ocs7WICVJIXrCIZwVBdGxh2WNrfElyxa
anti_detection
false
autorun
false
bdos
false
delay
NEWYEAR
host
127.0.0.1,79.134.225.34
hwid
10
install_file
install_folder
%AppData%
mutex
yvlmeiqesk
pastebin_config
null
port
6606,7707,8808
version
0.5.6D

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2896-13-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/2896-14-0x000000000040C62E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

INVOICE_PAYMENT.exe

description pid process target process

PID 2484 set thread context of 2896 2484 INVOICE_PAYMENT.exe INVOICE_PAYMENT.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

INVOICE_PAYMENT.exe

description pid process

Token: SeDebugPrivilege 2484 INVOICE_PAYMENT.exe

description	pid	process	target process
PID 2484 set thread context of 2896	2484	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe

description	pid	process
Token: SeDebugPrivilege	2484	INVOICE_PAYMENT.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

INVOICE_PAYMENT.exe

description	pid	process	target process
PID 2484 wrote to memory of 2896	2484	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2484 wrote to memory of 2896	2484	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2484 wrote to memory of 2896	2484	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2484 wrote to memory of 2896	2484	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2484 wrote to memory of 2896	2484	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2484 wrote to memory of 2896	2484	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2484 wrote to memory of 2896	2484	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe
PID 2484 wrote to memory of 2896	2484	INVOICE_PAYMENT.exe	INVOICE_PAYMENT.exe

C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe"
2⤵
PID:2896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2484-2-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-3-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/2484-5-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/2484-6-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/2484-7-0x0000000006FB0000-0x0000000006FB1000-memory.dmp

Filesize
4KB

Download
memory/2484-8-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/2484-9-0x0000000007170000-0x0000000007171000-memory.dmp

Filesize
4KB

Download
memory/2484-10-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download
memory/2484-11-0x0000000004E40000-0x0000000004E70000-memory.dmp

Filesize
192KB

Download
memory/2484-12-0x0000000004CF0000-0x0000000004CFF000-memory.dmp

Filesize
60KB

Download
memory/2896-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2896-14-0x000000000040C62E-mapping.dmp

Download
memory/2896-15-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing