asyncrat | 06df1e9bb7ab365ebd850980b89028d41f7280807719a0f598005fa3e220ec63

General

Target

RFQ.exe
Size

1.0MB
MD5

7195bce6da44b422e7b841c1ae2c2253
SHA1

fc9b00b7b346b80a88cf12b7ced06ce95e5cd686
SHA256

06df1e9bb7ab365ebd850980b89028d41f7280807719a0f598005fa3e220ec63
SHA512

9c8186c8f62f4cfe343e1cfc8abbe0d978c6b750a252c377250a1fa7f1a7d310e46031abcc179ee2d9235820bf9d40d3d3eafe2c335f44f6f16b5050ce551d32

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

bigman2021.duckdns.org:6606

bigman2021.duckdns.org:7707

bigman2021.duckdns.org:8808

79.134.225.18:6606

79.134.225.18:7707

79.134.225.18:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
8HLIxjjLl31oyeuCdupeIJlMgShc597W
anti_detection
false
autorun
false
bdos
false
delay
Default
host
bigman2021.duckdns.org,79.134.225.18
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606,7707,8808
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2552-14-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/2552-15-0x000000000040C76E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ.exe

description pid process target process

PID 1156 set thread context of 2552 1156 RFQ.exe RFQ.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

RFQ.exe

pid process

1156 RFQ.exe
1156 RFQ.exe
1156 RFQ.exe
1156 RFQ.exe
1156 RFQ.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RFQ.exe

description pid process

Token: SeDebugPrivilege 1156 RFQ.exe

description	pid	process	target process
PID 1156 set thread context of 2552	1156	RFQ.exe	RFQ.exe

pid	process
1156	RFQ.exe
1156	RFQ.exe
1156	RFQ.exe
1156	RFQ.exe
1156	RFQ.exe

description	pid	process
Token: SeDebugPrivilege	1156	RFQ.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

RFQ.exe

description	pid	process	target process
PID 1156 wrote to memory of 700	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 700	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 700	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 2456	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 2456	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 2456	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 2552	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 2552	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 2552	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 2552	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 2552	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 2552	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 2552	1156	RFQ.exe	RFQ.exe
PID 1156 wrote to memory of 2552	1156	RFQ.exe	RFQ.exe

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
2⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
2⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
2⤵
PID:2552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log
MD5
65f1f0c7993639f9f9e1d524224a2c93

SHA1
5b51a6a56f3041dbc2d3f510252bbe68ffbbc59c

SHA256
e582e80a644a998d1b2958bdcb0cd1e899076befa7c5e868d033b3fe75a2ca93

SHA512
3e8953968bbc31f3105a0df28b95edfb4cee8af78ec527d47707b82e3d5fc2aa725fca574de3c963da53614e60d282408b21d075eed007be25679e9458bf1c23

Download Submit
memory/1156-11-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/1156-12-0x00000000051D0000-0x00000000051E3000-memory.dmp

Filesize
76KB

Download
memory/1156-6-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1156-7-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/1156-8-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/1156-9-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/1156-5-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/1156-2-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/1156-10-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/1156-13-0x0000000000E10000-0x0000000000EA1000-memory.dmp

Filesize
580KB

Download
memory/1156-3-0x00000000007A0000-0x00000000007A1000-memory.dmp

Filesize
4KB

Download
memory/2552-15-0x000000000040C76E-mapping.dmp

Download
memory/2552-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2552-17-0x0000000073CB0000-0x000000007439E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-20-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing