asyncrat | e9b025c3083c60b1260f6c9b6909f3c80aa7861814b4cee817b5485bb9b3e700

Analysis

max time kernel
122s
max time network
147s
platform
windows7_x64
resource
win7v20201028
submitted
15-01-2021 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Production order List Quotation.pdf.exe
Size

874KB
MD5

30028635a4d6eaceee5c23499f73aa3a
SHA1

94ee1f211c7c5e14cf5835071cf16f239eefebd7
SHA256

e9b025c3083c60b1260f6c9b6909f3c80aa7861814b4cee817b5485bb9b3e700
SHA512

5a9597eeca40dd4ad0e82730608e8527c239e7459423f3b530e49cc0e174eaf79193865c0fa6e610c36b0ef353c4e35ddf290c95ea88b9dd82b27aeb8697f360

Score

10^/10

asyncrat persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

1.remcosagent.com:1993

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
zfpcQBbFjdAkORcbNZ0s5ioknjh7mjo2
anti_detection
false
autorun
false
bdos
false
delay
Default
host
1.remcosagent.com
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
1993
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

List.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\List.exe\""	List.exe

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1076-19-0x000000000040C75E-mapping.dmp	asyncrat
behavioral1/memory/1076-18-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1076-21-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1076-22-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 3 IoCs

Processes:

Production.exeProduction.exeList.exe

pid process

1756 Production.exe
1076 Production.exe
272 List.exe

pid	process
1756	Production.exe
1076	Production.exe
272	List.exe

Drops startup file 2 IoCs

Processes:

List.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\List.exe	List.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\List.exe	List.exe

Loads dropped DLL 9 IoCs

Processes:

Production order List Quotation.pdf.exeProduction.exe

pid	process
2024	Production order List Quotation.pdf.exe
2024	Production order List Quotation.pdf.exe
2024	Production order List Quotation.pdf.exe
2024	Production order List Quotation.pdf.exe
1756	Production.exe
2024	Production order List Quotation.pdf.exe
2024	Production order List Quotation.pdf.exe
2024	Production order List Quotation.pdf.exe
2024	Production order List Quotation.pdf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

List.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\List.exe"	List.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\List.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\List.exe"	List.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Production.exe

description pid process target process

PID 1756 set thread context of 1076 1756 Production.exe Production.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Production.exe

pid process

1756 Production.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Production.exeProduction.exe

description pid process

Token: SeDebugPrivilege 1756 Production.exe
Token: SeDebugPrivilege 1076 Production.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

488 DllHost.exe

description	pid	process	target process
PID 1756 set thread context of 1076	1756	Production.exe	Production.exe

pid	process
1756	Production.exe

description	pid	process
Token: SeDebugPrivilege	1756	Production.exe
Token: SeDebugPrivilege	1076	Production.exe

pid	process
488	DllHost.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Production order List Quotation.pdf.exeProduction.exe

description	pid	process	target process
PID 2024 wrote to memory of 1756	2024	Production order List Quotation.pdf.exe	Production.exe
PID 2024 wrote to memory of 1756	2024	Production order List Quotation.pdf.exe	Production.exe
PID 2024 wrote to memory of 1756	2024	Production order List Quotation.pdf.exe	Production.exe
PID 2024 wrote to memory of 1756	2024	Production order List Quotation.pdf.exe	Production.exe
PID 2024 wrote to memory of 1756	2024	Production order List Quotation.pdf.exe	Production.exe
PID 2024 wrote to memory of 1756	2024	Production order List Quotation.pdf.exe	Production.exe
PID 2024 wrote to memory of 1756	2024	Production order List Quotation.pdf.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 1756 wrote to memory of 1076	1756	Production.exe	Production.exe
PID 2024 wrote to memory of 272	2024	Production order List Quotation.pdf.exe	List.exe
PID 2024 wrote to memory of 272	2024	Production order List Quotation.pdf.exe	List.exe
PID 2024 wrote to memory of 272	2024	Production order List Quotation.pdf.exe	List.exe
PID 2024 wrote to memory of 272	2024	Production order List Quotation.pdf.exe	List.exe
PID 2024 wrote to memory of 272	2024	Production order List Quotation.pdf.exe	List.exe
PID 2024 wrote to memory of 272	2024	Production order List Quotation.pdf.exe	List.exe
PID 2024 wrote to memory of 272	2024	Production order List Quotation.pdf.exe	List.exe

C:\Users\Admin\AppData\Local\Temp\Production order List Quotation.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Production order List Quotation.pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
"{path}"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Users\Admin\AppData\Local\Temp\RarSFX0\List.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\List.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
PID:272

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\List.exe
MD5
0028087865f1e988b57381d704eb065c

SHA1
5b7582c2bc8497e95bedfc91c0365630363c1ca8

SHA256
7d58d6c4528974565cb90c9434d635f495bd246b4ba716bf0ae4fc20277b3cc9

SHA512
fbc07196eeb3d683ef94b18534a978a28ba5cdd5345185b9a55a83e2f000818b95f1ef0ea16387e78e99844466c8f82710b0886e3feaf7ab3cb910df1493a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\List.exe
MD5
0028087865f1e988b57381d704eb065c

SHA1
5b7582c2bc8497e95bedfc91c0365630363c1ca8

SHA256
7d58d6c4528974565cb90c9434d635f495bd246b4ba716bf0ae4fc20277b3cc9

SHA512
fbc07196eeb3d683ef94b18534a978a28ba5cdd5345185b9a55a83e2f000818b95f1ef0ea16387e78e99844466c8f82710b0886e3feaf7ab3cb910df1493a479

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Order.jpg
MD5
f2ff26db0c8cdad7840be73974c1ae11

SHA1
fc0270b0cf43b66274b5fa0b2cb9bf6a96e9cb43

SHA256
4153f7907b1e44f5bb4c9cc455504534a5025ce35d69cd1fa28ae1610efc383f

SHA512
e1fe938108f9c4400662d13eaa597e98728bbbaeef324ba4100b357ffceb133ae06c134809e4f22c2338003f89a888f1a3afcc81bb227f54d6515876c24c20c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
1013ec08102495056cb230adc003a216

SHA1
1c2d3fdebf59b64af64935387c13fc65703e2291

SHA256
8b0f3de1f5501f809f673354c1497b76b8970a8d8f199596b7ee04eee3b6786a

SHA512
21abb1139625e8bb60e1b12372818dd17cd7a2c74bae126a98ff8ee0e75fc104ea7d7cc676faaf98b48e450036c04e72b133e13d528538d00377f98d7c601af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
1013ec08102495056cb230adc003a216

SHA1
1c2d3fdebf59b64af64935387c13fc65703e2291

SHA256
8b0f3de1f5501f809f673354c1497b76b8970a8d8f199596b7ee04eee3b6786a

SHA512
21abb1139625e8bb60e1b12372818dd17cd7a2c74bae126a98ff8ee0e75fc104ea7d7cc676faaf98b48e450036c04e72b133e13d528538d00377f98d7c601af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
1013ec08102495056cb230adc003a216

SHA1
1c2d3fdebf59b64af64935387c13fc65703e2291

SHA256
8b0f3de1f5501f809f673354c1497b76b8970a8d8f199596b7ee04eee3b6786a

SHA512
21abb1139625e8bb60e1b12372818dd17cd7a2c74bae126a98ff8ee0e75fc104ea7d7cc676faaf98b48e450036c04e72b133e13d528538d00377f98d7c601af3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\List.exe
MD5
0028087865f1e988b57381d704eb065c

SHA1
5b7582c2bc8497e95bedfc91c0365630363c1ca8

SHA256
7d58d6c4528974565cb90c9434d635f495bd246b4ba716bf0ae4fc20277b3cc9

SHA512
fbc07196eeb3d683ef94b18534a978a28ba5cdd5345185b9a55a83e2f000818b95f1ef0ea16387e78e99844466c8f82710b0886e3feaf7ab3cb910df1493a479

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\List.exe
MD5
0028087865f1e988b57381d704eb065c

SHA1
5b7582c2bc8497e95bedfc91c0365630363c1ca8

SHA256
7d58d6c4528974565cb90c9434d635f495bd246b4ba716bf0ae4fc20277b3cc9

SHA512
fbc07196eeb3d683ef94b18534a978a28ba5cdd5345185b9a55a83e2f000818b95f1ef0ea16387e78e99844466c8f82710b0886e3feaf7ab3cb910df1493a479

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\List.exe
MD5
0028087865f1e988b57381d704eb065c

SHA1
5b7582c2bc8497e95bedfc91c0365630363c1ca8

SHA256
7d58d6c4528974565cb90c9434d635f495bd246b4ba716bf0ae4fc20277b3cc9

SHA512
fbc07196eeb3d683ef94b18534a978a28ba5cdd5345185b9a55a83e2f000818b95f1ef0ea16387e78e99844466c8f82710b0886e3feaf7ab3cb910df1493a479

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\List.exe
MD5
0028087865f1e988b57381d704eb065c

SHA1
5b7582c2bc8497e95bedfc91c0365630363c1ca8

SHA256
7d58d6c4528974565cb90c9434d635f495bd246b4ba716bf0ae4fc20277b3cc9

SHA512
fbc07196eeb3d683ef94b18534a978a28ba5cdd5345185b9a55a83e2f000818b95f1ef0ea16387e78e99844466c8f82710b0886e3feaf7ab3cb910df1493a479

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
1013ec08102495056cb230adc003a216

SHA1
1c2d3fdebf59b64af64935387c13fc65703e2291

SHA256
8b0f3de1f5501f809f673354c1497b76b8970a8d8f199596b7ee04eee3b6786a

SHA512
21abb1139625e8bb60e1b12372818dd17cd7a2c74bae126a98ff8ee0e75fc104ea7d7cc676faaf98b48e450036c04e72b133e13d528538d00377f98d7c601af3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
1013ec08102495056cb230adc003a216

SHA1
1c2d3fdebf59b64af64935387c13fc65703e2291

SHA256
8b0f3de1f5501f809f673354c1497b76b8970a8d8f199596b7ee04eee3b6786a

SHA512
21abb1139625e8bb60e1b12372818dd17cd7a2c74bae126a98ff8ee0e75fc104ea7d7cc676faaf98b48e450036c04e72b133e13d528538d00377f98d7c601af3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
1013ec08102495056cb230adc003a216

SHA1
1c2d3fdebf59b64af64935387c13fc65703e2291

SHA256
8b0f3de1f5501f809f673354c1497b76b8970a8d8f199596b7ee04eee3b6786a

SHA512
21abb1139625e8bb60e1b12372818dd17cd7a2c74bae126a98ff8ee0e75fc104ea7d7cc676faaf98b48e450036c04e72b133e13d528538d00377f98d7c601af3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
1013ec08102495056cb230adc003a216

SHA1
1c2d3fdebf59b64af64935387c13fc65703e2291

SHA256
8b0f3de1f5501f809f673354c1497b76b8970a8d8f199596b7ee04eee3b6786a

SHA512
21abb1139625e8bb60e1b12372818dd17cd7a2c74bae126a98ff8ee0e75fc104ea7d7cc676faaf98b48e450036c04e72b133e13d528538d00377f98d7c601af3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
MD5
1013ec08102495056cb230adc003a216

SHA1
1c2d3fdebf59b64af64935387c13fc65703e2291

SHA256
8b0f3de1f5501f809f673354c1497b76b8970a8d8f199596b7ee04eee3b6786a

SHA512
21abb1139625e8bb60e1b12372818dd17cd7a2c74bae126a98ff8ee0e75fc104ea7d7cc676faaf98b48e450036c04e72b133e13d528538d00377f98d7c601af3

Download Submit
memory/272-36-0x0000000000310000-0x000000000032E000-memory.dmp

Filesize
120KB

Download
memory/272-34-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/272-33-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/272-30-0x0000000000000000-mapping.dmp

Download
memory/1076-19-0x000000000040C75E-mapping.dmp

Download
memory/1076-23-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1076-22-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1076-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1076-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1756-8-0x0000000000000000-mapping.dmp

Download
memory/1756-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1756-16-0x0000000000D50000-0x0000000000D79000-memory.dmp

Filesize
164KB

Download
memory/1756-11-0x0000000073500000-0x0000000073BEE000-memory.dmp

Filesize
6.9MB

Download
memory/1756-14-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/2024-2-0x0000000001F70000-0x0000000002071000-memory.dmp

Filesize
1.0MB

Download