asyncrat | 4f00838cab77f7c56b646623621de0fdc33fbc75c1d2c4539435429ca0cc94db

General

Target

aida64extrem e630.exe
Size

187KB
MD5

b2e6c73f17d8888a8b0341ed37a07ccf
SHA1

f7926eebc3949e6ff2d00ded6048cefc5eba7f52
SHA256

4f00838cab77f7c56b646623621de0fdc33fbc75c1d2c4539435429ca0cc94db
SHA512

367a544067da3c0941e285bb7c46ab75e9cb7518b53fe78cd2be5501fec0f5dd68645b2136a57e32cb003813084f0d4a43654a9db1775289271fdd284e5ed4d3

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

170293.ddns.net:1231

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
dWppLoj1BP1Yv8TfZlxnO5WEvC22ipao
anti_detection
false
autorun
true
bdos
false
delay
Default
host
170293.ddns.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
1231
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/848-5-0x0000000000460000-0x000000000046C000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

544 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1376 cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1676 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

964 timeout.exe

pid	process
544	svchost.exe

pid	process
1376	cmd.exe

pid	process
1676	schtasks.exe

pid	process
964	timeout.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

aida64extrem e630.exetaskmgr.exe

pid	process
848	aida64extrem e630.exe
848	aida64extrem e630.exe
848	aida64extrem e630.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

aida64extrem e630.exesvchost.exetaskmgr.exe

description pid process

Token: SeDebugPrivilege 848 aida64extrem e630.exe
Token: SeDebugPrivilege 544 svchost.exe
Token: SeDebugPrivilege 948 taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	848	aida64extrem e630.exe
Token: SeDebugPrivilege	544	svchost.exe
Token: SeDebugPrivilege	948	taskmgr.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

taskmgr.exe

pid	process
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

taskmgr.exe

pid	process
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe
948	taskmgr.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

aida64extrem e630.execmd.execmd.exe

description	pid	process	target process
PID 848 wrote to memory of 1220	848	aida64extrem e630.exe	cmd.exe
PID 848 wrote to memory of 1220	848	aida64extrem e630.exe	cmd.exe
PID 848 wrote to memory of 1220	848	aida64extrem e630.exe	cmd.exe
PID 848 wrote to memory of 1220	848	aida64extrem e630.exe	cmd.exe
PID 848 wrote to memory of 1376	848	aida64extrem e630.exe	cmd.exe
PID 848 wrote to memory of 1376	848	aida64extrem e630.exe	cmd.exe
PID 848 wrote to memory of 1376	848	aida64extrem e630.exe	cmd.exe
PID 848 wrote to memory of 1376	848	aida64extrem e630.exe	cmd.exe
PID 1220 wrote to memory of 1676	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1676	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1676	1220	cmd.exe	schtasks.exe
PID 1220 wrote to memory of 1676	1220	cmd.exe	schtasks.exe
PID 1376 wrote to memory of 964	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 964	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 964	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 964	1376	cmd.exe	timeout.exe
PID 1376 wrote to memory of 544	1376	cmd.exe	svchost.exe
PID 1376 wrote to memory of 544	1376	cmd.exe	svchost.exe
PID 1376 wrote to memory of 544	1376	cmd.exe	svchost.exe
PID 1376 wrote to memory of 544	1376	cmd.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\aida64extrem e630.exe
"C:\Users\Admin\AppData\Local\Temp\aida64extrem e630.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp280A.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:964

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp280A.tmp.bat
MD5
8edf3d6a320f41fc197c5af9e48669f1

SHA1
d9a86c7ff6ddeceacfb1dd1abb903b5c247ad202

SHA256
a5017bd98e265f367c69d9d074d739ac07d3d18ed1f26a657dbb8cb5451b4274

SHA512
1a4892af84c390d133e0077d2921df88235329285f34b29352ab1c70e82f9bda2b8249bf78997c70b63c85b04aaf5c51fd20560c4e7ce3c8f44069a097415f3a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
b2e6c73f17d8888a8b0341ed37a07ccf

SHA1
f7926eebc3949e6ff2d00ded6048cefc5eba7f52

SHA256
4f00838cab77f7c56b646623621de0fdc33fbc75c1d2c4539435429ca0cc94db

SHA512
367a544067da3c0941e285bb7c46ab75e9cb7518b53fe78cd2be5501fec0f5dd68645b2136a57e32cb003813084f0d4a43654a9db1775289271fdd284e5ed4d3

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
b2e6c73f17d8888a8b0341ed37a07ccf

SHA1
f7926eebc3949e6ff2d00ded6048cefc5eba7f52

SHA256
4f00838cab77f7c56b646623621de0fdc33fbc75c1d2c4539435429ca0cc94db

SHA512
367a544067da3c0941e285bb7c46ab75e9cb7518b53fe78cd2be5501fec0f5dd68645b2136a57e32cb003813084f0d4a43654a9db1775289271fdd284e5ed4d3

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
MD5
b2e6c73f17d8888a8b0341ed37a07ccf

SHA1
f7926eebc3949e6ff2d00ded6048cefc5eba7f52

SHA256
4f00838cab77f7c56b646623621de0fdc33fbc75c1d2c4539435429ca0cc94db

SHA512
367a544067da3c0941e285bb7c46ab75e9cb7518b53fe78cd2be5501fec0f5dd68645b2136a57e32cb003813084f0d4a43654a9db1775289271fdd284e5ed4d3

Download Submit
memory/544-13-0x0000000000000000-mapping.dmp

Download
memory/544-16-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/544-15-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/848-3-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/848-5-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/848-2-0x00000000748D0000-0x0000000074FBE000-memory.dmp

Filesize
6.9MB

Download
memory/964-10-0x0000000000000000-mapping.dmp

Download
memory/1220-6-0x0000000000000000-mapping.dmp

Download
memory/1376-7-0x0000000000000000-mapping.dmp

Download
memory/1676-9-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads