asyncrat | f641d9449ad546a0e9ff2f015ff03f9ce0263867caaef3a5cc462fd9b685b928

General

Target

HY_RAY_RFQ,pdf .exe
Size

812KB
MD5

16e55e5dbbf48b3f0d453ac7fcccd908
SHA1

7705956e0cf0d5d3e0429c1539dfc204e01c7d87
SHA256

f641d9449ad546a0e9ff2f015ff03f9ce0263867caaef3a5cc462fd9b685b928
SHA512

111812911c27801addb81373f3dcc7c2f3200c44e2ddcca33fe4989bfc81b5fd6662f2db33e0ae79a36787985ed1e6fc756baf8e4dda847111beb134f4afea5d

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

null:null

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
yFdiISTMNVqtdBU1VShPLhZnkF6gdamp
anti_detection
false
autorun
false
bdos
false
delay
billion
host
null
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
https://pastebin.com/raw/Q5Dxj1fY
port
null
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1016-9-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1016-10-0x000000000040C77E-mapping.dmp	asyncrat
behavioral1/memory/1016-11-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1016-12-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

HY_RAY_RFQ,pdf .exe

description pid process target process

PID 1732 set thread context of 1016 1732 HY_RAY_RFQ,pdf .exe HY_RAY_RFQ,pdf .exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1608 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

HY_RAY_RFQ,pdf .exe

pid process

1732 HY_RAY_RFQ,pdf .exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HY_RAY_RFQ,pdf .exeHY_RAY_RFQ,pdf .exe

description pid process

Token: SeDebugPrivilege 1732 HY_RAY_RFQ,pdf .exe
Token: SeDebugPrivilege 1016 HY_RAY_RFQ,pdf .exe

description	pid	process	target process
PID 1732 set thread context of 1016	1732	HY_RAY_RFQ,pdf .exe	HY_RAY_RFQ,pdf .exe

pid	process
1608	schtasks.exe

pid	process
1732	HY_RAY_RFQ,pdf .exe

description	pid	process
Token: SeDebugPrivilege	1732	HY_RAY_RFQ,pdf .exe
Token: SeDebugPrivilege	1016	HY_RAY_RFQ,pdf .exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

HY_RAY_RFQ,pdf .exe

description	pid	process	target process
PID 1732 wrote to memory of 1608	1732	HY_RAY_RFQ,pdf .exe	schtasks.exe
PID 1732 wrote to memory of 1608	1732	HY_RAY_RFQ,pdf .exe	schtasks.exe
PID 1732 wrote to memory of 1608	1732	HY_RAY_RFQ,pdf .exe	schtasks.exe
PID 1732 wrote to memory of 1608	1732	HY_RAY_RFQ,pdf .exe	schtasks.exe
PID 1732 wrote to memory of 1016	1732	HY_RAY_RFQ,pdf .exe	HY_RAY_RFQ,pdf .exe
PID 1732 wrote to memory of 1016	1732	HY_RAY_RFQ,pdf .exe	HY_RAY_RFQ,pdf .exe
PID 1732 wrote to memory of 1016	1732	HY_RAY_RFQ,pdf .exe	HY_RAY_RFQ,pdf .exe
PID 1732 wrote to memory of 1016	1732	HY_RAY_RFQ,pdf .exe	HY_RAY_RFQ,pdf .exe
PID 1732 wrote to memory of 1016	1732	HY_RAY_RFQ,pdf .exe	HY_RAY_RFQ,pdf .exe
PID 1732 wrote to memory of 1016	1732	HY_RAY_RFQ,pdf .exe	HY_RAY_RFQ,pdf .exe
PID 1732 wrote to memory of 1016	1732	HY_RAY_RFQ,pdf .exe	HY_RAY_RFQ,pdf .exe
PID 1732 wrote to memory of 1016	1732	HY_RAY_RFQ,pdf .exe	HY_RAY_RFQ,pdf .exe
PID 1732 wrote to memory of 1016	1732	HY_RAY_RFQ,pdf .exe	HY_RAY_RFQ,pdf .exe

C:\Users\Admin\AppData\Local\Temp\HY_RAY_RFQ,pdf .exe
"C:\Users\Admin\AppData\Local\Temp\HY_RAY_RFQ,pdf .exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\etElxxOddDniUS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6789.tmp"
2⤵
- Creates scheduled task(s)
PID:1608

C:\Users\Admin\AppData\Local\Temp\HY_RAY_RFQ,pdf .exe
"C:\Users\Admin\AppData\Local\Temp\HY_RAY_RFQ,pdf .exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6789.tmp
MD5
99c0e03148a45e4f86bd88d056ea9aa2

SHA1
d2eabb3feaa77b4f5e9d51d84a76bb18996433f0

SHA256
894ea3e47cd1046911d2f728d57e5f7ca3f71705f8c11af684e867ddfb264e7d

SHA512
9c1fc6b4be5c2992cd63d3784b0f932a9cdb85c5284b968d0e6cee719e2aa3d7d231110c800dde2d1309ee6177c65a361f925c1ccec485271314e2d27db15731

Download Submit
memory/1016-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-10-0x000000000040C77E-mapping.dmp

Download
memory/1016-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-13-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1608-7-0x0000000000000000-mapping.dmp

Download
memory/1732-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1732-3-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1732-5-0x00000000004B0000-0x00000000004C3000-memory.dmp

Filesize
76KB

Download
memory/1732-6-0x0000000004D40000-0x0000000004D89000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads