asyncrat | 60f80dde8a53609fc7411854b9400a613c6978386ef05aa1bbedbfd2fc51814e

General

Target

payment confirmation_16.01.2021.exe
Size

1.4MB
MD5

e3aea83c2ae72dfbaf7d887baa9d40da
SHA1

63b622b74f1e7ede93634c73d61384d431fbf199
SHA256

60f80dde8a53609fc7411854b9400a613c6978386ef05aa1bbedbfd2fc51814e
SHA512

100a267444667abf6e5ceb47157c92de523c6236fcdc07703c3b274f3e06ed35ab3a6040a87483e22d94758b35d71859df3dd2a22649cee9d41c2b05d6030eaa

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

bigman2021.duckdns.org:6606

bigman2021.duckdns.org:7707

bigman2021.duckdns.org:8808

79.134.225.18:6606

79.134.225.18:7707

79.134.225.18:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
8HLIxjjLl31oyeuCdupeIJlMgShc597W
anti_detection
false
autorun
false
bdos
false
delay
Default
host
bigman2021.duckdns.org,79.134.225.18
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606,7707,8808
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/396-8-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/396-9-0x000000000040C76E-mapping.dmp	asyncrat
behavioral1/memory/396-11-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

payment confirmation_16.01.2021.exe

description pid process target process

PID 292 set thread context of 396 292 payment confirmation_16.01.2021.exe payment confirmation_16.01.2021.exe

description	pid	process	target process
PID 292 set thread context of 396	292	payment confirmation_16.01.2021.exe	payment confirmation_16.01.2021.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

payment confirmation_16.01.2021.exe

description	pid	process	target process
PID 292 wrote to memory of 396	292	payment confirmation_16.01.2021.exe	payment confirmation_16.01.2021.exe
PID 292 wrote to memory of 396	292	payment confirmation_16.01.2021.exe	payment confirmation_16.01.2021.exe
PID 292 wrote to memory of 396	292	payment confirmation_16.01.2021.exe	payment confirmation_16.01.2021.exe
PID 292 wrote to memory of 396	292	payment confirmation_16.01.2021.exe	payment confirmation_16.01.2021.exe
PID 292 wrote to memory of 396	292	payment confirmation_16.01.2021.exe	payment confirmation_16.01.2021.exe
PID 292 wrote to memory of 396	292	payment confirmation_16.01.2021.exe	payment confirmation_16.01.2021.exe
PID 292 wrote to memory of 396	292	payment confirmation_16.01.2021.exe	payment confirmation_16.01.2021.exe
PID 292 wrote to memory of 396	292	payment confirmation_16.01.2021.exe	payment confirmation_16.01.2021.exe
PID 292 wrote to memory of 396	292	payment confirmation_16.01.2021.exe	payment confirmation_16.01.2021.exe

C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe
"C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe
"C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe"
2⤵
PID:396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/292-3-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/292-5-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/292-6-0x0000000000880000-0x0000000000893000-memory.dmp

Filesize
76KB

Download
memory/292-7-0x0000000004E70000-0x0000000004EF1000-memory.dmp

Filesize
516KB

Download
memory/396-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/396-9-0x000000000040C76E-mapping.dmp

Download
memory/396-10-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/396-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/396-13-0x0000000076861000-0x0000000076863000-memory.dmp

Filesize
8KB

Download
memory/396-14-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing