asyncrat | bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75

General

Target

1CEE64EFC81D4853D76E04A737F114C9.exe
Size

685KB
MD5

1cee64efc81d4853d76e04a737f114c9
SHA1

df7da998dd6a70631c6d8d1bd007f0820155d61c
SHA256

bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75
SHA512

eec88ead0f188bb84fd7a22fc8a1d392dec18e5d6715574f50de76466e5877e64c186c0a68892fbb385d68d76468c3c905e8ef26f4f937a224144ff424dd8f5b

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7G | Custom Edition

C2

179.43.140.208:7707

179.43.140.208:8808

179.43.140.208:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:6606

Mutex

AsyncRAT_Mutex_vdYIIf87BI

Attributes

aes_key
Mrwz4gGTldVjtABCZMeijWElvNsBLIbU
anti_detection
false
autorun
false
bdos
false
delay
Trino
host
179.43.140.208,127.0.0.1
hwid
30
install_file
install_folder
%AppData%
mutex
AsyncRAT_Mutex_vdYIIf87BI
pastebin_config
null
port
7707,8808,6606
version
0.5.7G | Custom Edition

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/60-4-0x0000000000400000-0x0000000000480000-memory.dmp	asyncrat
behavioral2/memory/60-6-0x00000000023C0000-0x000000000242A000-memory.dmp	asyncrat
behavioral2/memory/60-16-0x0000000006330000-0x0000000006337000-memory.dmp	asyncrat

Loads dropped DLL 1 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exe

pid process

540 1CEE64EFC81D4853D76E04A737F114C9.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exe

description pid process target process

PID 540 set thread context of 60 540 1CEE64EFC81D4853D76E04A737F114C9.exe 1CEE64EFC81D4853D76E04A737F114C9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 540 set thread context of 60	540	1CEE64EFC81D4853D76E04A737F114C9.exe	1CEE64EFC81D4853D76E04A737F114C9.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exe1CEE64EFC81D4853D76E04A737F114C9.exe

pid	process
540	1CEE64EFC81D4853D76E04A737F114C9.exe
540	1CEE64EFC81D4853D76E04A737F114C9.exe
540	1CEE64EFC81D4853D76E04A737F114C9.exe
540	1CEE64EFC81D4853D76E04A737F114C9.exe
540	1CEE64EFC81D4853D76E04A737F114C9.exe
540	1CEE64EFC81D4853D76E04A737F114C9.exe
540	1CEE64EFC81D4853D76E04A737F114C9.exe
540	1CEE64EFC81D4853D76E04A737F114C9.exe
60	1CEE64EFC81D4853D76E04A737F114C9.exe
60	1CEE64EFC81D4853D76E04A737F114C9.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exe

pid process

540 1CEE64EFC81D4853D76E04A737F114C9.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exe

description pid process

Token: SeDebugPrivilege 60 1CEE64EFC81D4853D76E04A737F114C9.exe

description	pid	process
Token: SeDebugPrivilege	60	1CEE64EFC81D4853D76E04A737F114C9.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

1CEE64EFC81D4853D76E04A737F114C9.exe1CEE64EFC81D4853D76E04A737F114C9.execmd.execmd.exe

description	pid	process	target process
PID 540 wrote to memory of 60	540	1CEE64EFC81D4853D76E04A737F114C9.exe	1CEE64EFC81D4853D76E04A737F114C9.exe
PID 540 wrote to memory of 60	540	1CEE64EFC81D4853D76E04A737F114C9.exe	1CEE64EFC81D4853D76E04A737F114C9.exe
PID 540 wrote to memory of 60	540	1CEE64EFC81D4853D76E04A737F114C9.exe	1CEE64EFC81D4853D76E04A737F114C9.exe
PID 540 wrote to memory of 60	540	1CEE64EFC81D4853D76E04A737F114C9.exe	1CEE64EFC81D4853D76E04A737F114C9.exe
PID 60 wrote to memory of 2192	60	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 60 wrote to memory of 2192	60	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 60 wrote to memory of 2192	60	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 2192 wrote to memory of 3784	2192	cmd.exe	powershell.exe
PID 2192 wrote to memory of 3784	2192	cmd.exe	powershell.exe
PID 2192 wrote to memory of 3784	2192	cmd.exe	powershell.exe
PID 60 wrote to memory of 412	60	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 60 wrote to memory of 412	60	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 60 wrote to memory of 412	60	1CEE64EFC81D4853D76E04A737F114C9.exe	cmd.exe
PID 412 wrote to memory of 688	412	cmd.exe	powershell.exe
PID 412 wrote to memory of 688	412	cmd.exe	powershell.exe
PID 412 wrote to memory of 688	412	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe
"C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe
  "C:\Users\Admin\AppData\Local\Temp\1CEE64EFC81D4853D76E04A737F114C9.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dywvrm.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\dywvrm.exe"'
      4⤵
      PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ubqejt.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ubqejt.exe"'
      4⤵
      PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsm644E.tmp\bmzqq630.dll

MD5
7fa64127ee51ac86aa1d9a2a055abf65

SHA1
7a23d0774f7021b718e1b144249af8dcbba01db7

SHA256
708bc3f2bac4f7c2c54efdac158117155271e39d8cee325c31ef676824d765b3

SHA512
d8b71ddd412fe63ff0b0335d585c6d0a07075fe3dfa451657a803127d037e00ed805e30cdda937003a5c63ea07e37f9ed967c0b0376aed5729557ee5efb8ed57

Download Submit
memory/60-11-0x00000000049C4000-0x00000000049C5000-memory.dmp

Filesize
4KB

Download
memory/60-5-0x0000000073200000-0x00000000738EE000-memory.dmp

Filesize
6.9MB

Download
memory/60-13-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/60-14-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/60-9-0x00000000049C2000-0x00000000049C3000-memory.dmp

Filesize
4KB

Download
memory/60-8-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/60-10-0x00000000049C3000-0x00000000049C4000-memory.dmp

Filesize
4KB

Download
memory/60-3-0x000000000040188B-mapping.dmp

Download
memory/60-12-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/60-4-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/60-6-0x00000000023C0000-0x000000000242A000-memory.dmp

Filesize
424KB

Download
memory/60-15-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/60-16-0x0000000006330000-0x0000000006337000-memory.dmp

Filesize
28KB

Download
memory/60-17-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/412-21-0x0000000000000000-mapping.dmp

Download
memory/688-22-0x0000000000000000-mapping.dmp

Download
memory/2192-18-0x0000000000000000-mapping.dmp

Download
memory/3784-19-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads