asyncrat | aa0399675c53f77a7996102b5301ea24814642e9eee30648c9ac75b3b1052235

General

Target

FedEx Invoice 202116435.exe
Size

766KB
MD5

fd3988d887f5e982384dca104ea49001
SHA1

d3ad5fa2af44707e5e27b76fdbebf5a9ae28b457
SHA256

aa0399675c53f77a7996102b5301ea24814642e9eee30648c9ac75b3b1052235
SHA512

868c4795ae2fea9aaa98ad069c97564bc051ee73e728bdd61ba7f250b8b9d9b41013b4446a61a364c71f6f4105f25790938a1cbeaba64850159f69ad4836811c

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

79.134.225.45:2233

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
yCFT3D6MMz3qsbxnPTBTTSsUCB2B6gqZ
anti_detection
false
autorun
false
bdos
false
delay
Default
host
79.134.225.45
hwid
5
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
2233
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4064-14-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4064-15-0x000000000040C70E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

FedEx Invoice 202116435.exe

description pid process target process

PID 576 set thread context of 4064 576 FedEx Invoice 202116435.exe FedEx Invoice 202116435.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

932 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

FedEx Invoice 202116435.exe

pid process

576 FedEx Invoice 202116435.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

FedEx Invoice 202116435.exe

description pid process

Token: SeDebugPrivilege 576 FedEx Invoice 202116435.exe

description	pid	process	target process
PID 576 set thread context of 4064	576	FedEx Invoice 202116435.exe	FedEx Invoice 202116435.exe

pid	process
932	schtasks.exe

pid	process
576	FedEx Invoice 202116435.exe

description	pid	process
Token: SeDebugPrivilege	576	FedEx Invoice 202116435.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

FedEx Invoice 202116435.exe

description	pid	process	target process
PID 576 wrote to memory of 932	576	FedEx Invoice 202116435.exe	schtasks.exe
PID 576 wrote to memory of 932	576	FedEx Invoice 202116435.exe	schtasks.exe
PID 576 wrote to memory of 932	576	FedEx Invoice 202116435.exe	schtasks.exe
PID 576 wrote to memory of 4064	576	FedEx Invoice 202116435.exe	FedEx Invoice 202116435.exe
PID 576 wrote to memory of 4064	576	FedEx Invoice 202116435.exe	FedEx Invoice 202116435.exe
PID 576 wrote to memory of 4064	576	FedEx Invoice 202116435.exe	FedEx Invoice 202116435.exe
PID 576 wrote to memory of 4064	576	FedEx Invoice 202116435.exe	FedEx Invoice 202116435.exe
PID 576 wrote to memory of 4064	576	FedEx Invoice 202116435.exe	FedEx Invoice 202116435.exe
PID 576 wrote to memory of 4064	576	FedEx Invoice 202116435.exe	FedEx Invoice 202116435.exe
PID 576 wrote to memory of 4064	576	FedEx Invoice 202116435.exe	FedEx Invoice 202116435.exe
PID 576 wrote to memory of 4064	576	FedEx Invoice 202116435.exe	FedEx Invoice 202116435.exe

C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pVJgNVIylS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD226.tmp"
2⤵
- Creates scheduled task(s)
PID:932

C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe"
2⤵
PID:4064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FedEx Invoice 202116435.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD226.tmp
MD5
8ede796c7c1deaaad605c973ce63e013

SHA1
52f0f548e32058e587bbe751f8f73976e0cd08f6

SHA256
361e97d89b0c624e51a2f0f079f31273d7e16c675c199468554fe4f1ff80c78c

SHA512
8fabcf7b3506df737804eeba5cb4bbb2c53663ab8dae19c4be3a66f46b5de3894eb4bdbf4330d9faa46e7ae332a2cd0c159fff01517b740094ce30e042a5b86b

Download Submit
memory/576-9-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/576-6-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/576-7-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/576-8-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/576-2-0x0000000073560000-0x0000000073C4E000-memory.dmp

Filesize
6.9MB

Download
memory/576-10-0x0000000005250000-0x0000000005263000-memory.dmp

Filesize
76KB

Download
memory/576-11-0x0000000000A50000-0x0000000000A98000-memory.dmp

Filesize
288KB

Download
memory/576-5-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/576-3-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/932-12-0x0000000000000000-mapping.dmp

Download
memory/4064-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4064-15-0x000000000040C70E-mapping.dmp

Download
memory/4064-17-0x0000000073560000-0x0000000073C4E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads