asyncrat | 139d70b24d7cd96624f1559a68d903c5e80b690def1b68a185b9f389b6565fe2

Analysis

max time kernel
142s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
05-01-2021 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order_1101201918_AUTECH.exe
Size

780KB
MD5

0c13fd1c14c7b5ec9c069c3c824c7788
SHA1

688af4adffd3e279761a41c949edd2c9bdf70799
SHA256

139d70b24d7cd96624f1559a68d903c5e80b690def1b68a185b9f389b6565fe2
SHA512

1ad8a43d81e515342757ef0c204941583dbafb9da420fb9c25771f105bb5eb5e20d383ee4fdace652511b7b8f96533adaed3225c15ed2fa50c48ecc76b7849aa

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

null:null

Mutex

chizzy25!@/@!7^UPCAZWSWAzZ!

Attributes

aes_key
4eqytfgDE8DYWEFCKHecODZBbvb3Lq5L
anti_detection
false
autorun
false
bdos
false
delay
F UUUUUUU 2
host
null
hwid
3
install_file
install_folder
%AppData%
mutex
chizzy25!@/@!7^UPCAZWSWAzZ!
pastebin_config
https://pastebin.com/raw/HKYwiN9V
port
null
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1616-20-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1616-21-0x000000000040C75E-mapping.dmp	asyncrat
behavioral1/memory/1616-24-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1616-23-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 4 IoCs

Processes:

windowsgui.exeAddInProcess32.exewindowselec.exewindowselec.exe

pid process

1564 windowsgui.exe
1616 AddInProcess32.exe
1864 windowselec.exe
1668 windowselec.exe

pid	process
1564	windowsgui.exe
1616	AddInProcess32.exe
1864	windowselec.exe
1668	windowselec.exe

Drops startup file 1 IoCs

Processes:

Order_1101201918_AUTECH.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windowsgui.lnk	Order_1101201918_AUTECH.exe

Loads dropped DLL 4 IoCs

Processes:

Order_1101201918_AUTECH.exewindowsgui.exewindowselec.exe

pid process

1204 Order_1101201918_AUTECH.exe
1564 windowsgui.exe
1564 windowsgui.exe
1864 windowselec.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

windowsgui.exe

description pid process target process

PID 1564 set thread context of 1616 1564 windowsgui.exe AddInProcess32.exe

description	pid	process	target process
PID 1564 set thread context of 1616	1564	windowsgui.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Order_1101201918_AUTECH.exewindowsgui.exewindowselec.exewindowselec.exe

pid	process
1204	Order_1101201918_AUTECH.exe
1204	Order_1101201918_AUTECH.exe
1204	Order_1101201918_AUTECH.exe
1564	windowsgui.exe
1564	windowsgui.exe
1564	windowsgui.exe
1864	windowselec.exe
1668	windowselec.exe
1668	windowselec.exe
1668	windowselec.exe
1564	windowsgui.exe
1564	windowsgui.exe
1564	windowsgui.exe
1564	windowsgui.exe
1564	windowsgui.exe
1564	windowsgui.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Order_1101201918_AUTECH.exewindowsgui.exewindowselec.exewindowselec.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1204	Order_1101201918_AUTECH.exe
Token: SeDebugPrivilege	1564	windowsgui.exe
Token: SeDebugPrivilege	1864	windowselec.exe
Token: SeDebugPrivilege	1668	windowselec.exe
Token: SeDebugPrivilege	1616	AddInProcess32.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Order_1101201918_AUTECH.exewindowsgui.exewindowselec.exe

description	pid	process	target process
PID 1204 wrote to memory of 1564	1204	Order_1101201918_AUTECH.exe	windowsgui.exe
PID 1204 wrote to memory of 1564	1204	Order_1101201918_AUTECH.exe	windowsgui.exe
PID 1204 wrote to memory of 1564	1204	Order_1101201918_AUTECH.exe	windowsgui.exe
PID 1204 wrote to memory of 1564	1204	Order_1101201918_AUTECH.exe	windowsgui.exe
PID 1564 wrote to memory of 1616	1564	windowsgui.exe	AddInProcess32.exe
PID 1564 wrote to memory of 1616	1564	windowsgui.exe	AddInProcess32.exe
PID 1564 wrote to memory of 1616	1564	windowsgui.exe	AddInProcess32.exe
PID 1564 wrote to memory of 1616	1564	windowsgui.exe	AddInProcess32.exe
PID 1564 wrote to memory of 1616	1564	windowsgui.exe	AddInProcess32.exe
PID 1564 wrote to memory of 1616	1564	windowsgui.exe	AddInProcess32.exe
PID 1564 wrote to memory of 1616	1564	windowsgui.exe	AddInProcess32.exe
PID 1564 wrote to memory of 1616	1564	windowsgui.exe	AddInProcess32.exe
PID 1564 wrote to memory of 1616	1564	windowsgui.exe	AddInProcess32.exe
PID 1564 wrote to memory of 1864	1564	windowsgui.exe	windowselec.exe
PID 1564 wrote to memory of 1864	1564	windowsgui.exe	windowselec.exe
PID 1564 wrote to memory of 1864	1564	windowsgui.exe	windowselec.exe
PID 1564 wrote to memory of 1864	1564	windowsgui.exe	windowselec.exe
PID 1864 wrote to memory of 1668	1864	windowselec.exe	windowselec.exe
PID 1864 wrote to memory of 1668	1864	windowselec.exe	windowselec.exe
PID 1864 wrote to memory of 1668	1864	windowselec.exe	windowselec.exe
PID 1864 wrote to memory of 1668	1864	windowselec.exe	windowselec.exe

C:\Users\Admin\AppData\Local\Temp\Order_1101201918_AUTECH.exe
"C:\Users\Admin\AppData\Local\Temp\Order_1101201918_AUTECH.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Roaming\windowsgui.exe
"C:\Users\Admin\AppData\Roaming\windowsgui.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Users\Admin\AppData\Local\Temp\windowselec.exe
"C:\Users\Admin\AppData\Local\Temp\windowselec.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\windowselec.exe
"C:\Users\Admin\AppData\Local\Temp\windowselec.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowselec.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowselec.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowselec.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowselec.txt
MD5
03b6af325e62f30d7a2760c2062a75b7

SHA1
d24ba3d533008af5969e3fc6834c942acfa99abb

SHA256
920517781baddf8743c45da88cf4619cc4d1358ad5f22f6e06ca565d00d23f0d

SHA512
9958e1f663351f7b889e0f5473bb238316b8cee315e85b8cfdffaafd4d40d3100ac0f1dbaa05f7ca63d936d99bb72a2d8b7ccbb6f346e9bc2a6197456aa32027

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowselec.txt
MD5
347e4171e7e19a656720ed9819505f74

SHA1
a715b7bd0832d33041dbd04fa34150131c9e4a60

SHA256
7c3fe63b84c0b9085b0e0971f72d8c73113a54e43819f1e977a4276bf0ab305e

SHA512
02f274bdcb581331db823c8f3e843f32038813b666037be4a53130903a8285e0d16cb513be4a38520210842a9f684cbb1ea75aa5e4f34c12265d72b128230184

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowselec.txt
MD5
cd56d0a909c85dc5b32a9d40cb20e672

SHA1
c2d273d8490be83161dd2d7c80617b248eca4d49

SHA256
cbf82f9187754ef5cfbf182bba39618d044758b46e9f4354600d5f32cadd35fa

SHA512
db02e7b5cc7dd31f03e73da4715a40a7b0f7f8bb032affd567193196ed4fdf276fa30745b8d4d9518ab4d47ab71a5a2bc4fd4c33944fdf2c1bc2e9c779baba13

Download Submit
C:\Users\Admin\AppData\Roaming\windowsgui.exe
MD5
0c13fd1c14c7b5ec9c069c3c824c7788

SHA1
688af4adffd3e279761a41c949edd2c9bdf70799

SHA256
139d70b24d7cd96624f1559a68d903c5e80b690def1b68a185b9f389b6565fe2

SHA512
1ad8a43d81e515342757ef0c204941583dbafb9da420fb9c25771f105bb5eb5e20d383ee4fdace652511b7b8f96533adaed3225c15ed2fa50c48ecc76b7849aa

Download Submit
C:\Users\Admin\AppData\Roaming\windowsgui.exe
MD5
0c13fd1c14c7b5ec9c069c3c824c7788

SHA1
688af4adffd3e279761a41c949edd2c9bdf70799

SHA256
139d70b24d7cd96624f1559a68d903c5e80b690def1b68a185b9f389b6565fe2

SHA512
1ad8a43d81e515342757ef0c204941583dbafb9da420fb9c25771f105bb5eb5e20d383ee4fdace652511b7b8f96533adaed3225c15ed2fa50c48ecc76b7849aa

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Local\Temp\windowselec.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\windowselec.exe
MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\windowsgui.exe
MD5
0c13fd1c14c7b5ec9c069c3c824c7788

SHA1
688af4adffd3e279761a41c949edd2c9bdf70799

SHA256
139d70b24d7cd96624f1559a68d903c5e80b690def1b68a185b9f389b6565fe2

SHA512
1ad8a43d81e515342757ef0c204941583dbafb9da420fb9c25771f105bb5eb5e20d383ee4fdace652511b7b8f96533adaed3225c15ed2fa50c48ecc76b7849aa

Download Submit
memory/1204-6-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/1204-5-0x00000000002C0000-0x00000000002DE000-memory.dmp

Filesize
120KB

Download
memory/1204-2-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/1204-3-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/1564-8-0x0000000000000000-mapping.dmp

Download
memory/1564-17-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1564-16-0x00000000004B0000-0x00000000004BB000-memory.dmp

Filesize
44KB

Download
memory/1564-12-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/1564-11-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/1616-21-0x000000000040C75E-mapping.dmp

Download
memory/1616-25-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/1616-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1616-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1616-20-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1668-38-0x0000000000000000-mapping.dmp

Download
memory/1668-40-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/1864-33-0x00000000740B0000-0x000000007479E000-memory.dmp

Filesize
6.9MB

Download
memory/1864-34-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1864-30-0x0000000000000000-mapping.dmp

Download