asyncrat | 153539010b81b41dcbd4cf3932a91e8e3fe2cb8a077dcbce4be08dce7fa5091c

General

Target

DHL Delivery Invoice AWB 2774038374.pdf.exe
Size

786KB
MD5

d743cbe63d8fbd4f86cc5606c22147a6
SHA1

dac98cb344e90b0e9872a8fee8df8e30c884fc90
SHA256

153539010b81b41dcbd4cf3932a91e8e3fe2cb8a077dcbce4be08dce7fa5091c
SHA512

553799f270fa11b6437c7c1066359db33de7c54eea0d1821bf4d721b5d54c69af24ee66bdc9b86f30ce14af3603a0ebf87a53166b5d84c38a904e87a6a83f16d

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

vladmir001.myddns.me:6381

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
4JaeOmABEr7aogISnRFvR85Emmylke5f
anti_detection
false
autorun
false
bdos
false
delay
Default
host
vladmir001.myddns.me
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6381
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/852-68-0x000000000040C73E-mapping.dmp	asyncrat
behavioral1/memory/852-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/852-69-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL Delivery Invoice AWB 2774038374.pdf.exe

description pid process target process

PID 2004 set thread context of 852 2004 DHL Delivery Invoice AWB 2774038374.pdf.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1688 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DHL Delivery Invoice AWB 2774038374.pdf.exe

pid process

2004 DHL Delivery Invoice AWB 2774038374.pdf.exe
2004 DHL Delivery Invoice AWB 2774038374.pdf.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DHL Delivery Invoice AWB 2774038374.pdf.exe

description pid process

Token: SeDebugPrivilege 2004 DHL Delivery Invoice AWB 2774038374.pdf.exe

description	pid	process	target process
PID 2004 set thread context of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe

pid	process
1688	schtasks.exe

pid	process
2004	DHL Delivery Invoice AWB 2774038374.pdf.exe
2004	DHL Delivery Invoice AWB 2774038374.pdf.exe

description	pid	process
Token: SeDebugPrivilege	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

DHL Delivery Invoice AWB 2774038374.pdf.exe

description	pid	process	target process
PID 2004 wrote to memory of 1688	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	schtasks.exe
PID 2004 wrote to memory of 1688	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	schtasks.exe
PID 2004 wrote to memory of 1688	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	schtasks.exe
PID 2004 wrote to memory of 1688	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	schtasks.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 2004 wrote to memory of 852	2004	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice AWB 2774038374.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice AWB 2774038374.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kTeyOdy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB6B2.tmp"
2⤵
- Creates scheduled task(s)
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB6B2.tmp
MD5
fb2f7fc38b74df425406d0be3be97d77

SHA1
86902991bd431459d7e126dc585263fff494e1cb

SHA256
8a254e983241fd5bbc276f65c8bd7e713488c362e5e471a288ac018632eb1e2a

SHA512
154dd157f45263d953a059121b0588b43acf676f0b29e9b5924551b03f7ed1acc3fd0b2e49c7e3ecc27d42ec37fcbaf841ca757c454c84204f6ea0932b12ce19

Download Submit
memory/852-68-0x000000000040C73E-mapping.dmp

Download
memory/852-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/852-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/852-71-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/852-72-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1688-65-0x0000000000000000-mapping.dmp

Download
memory/2004-59-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/2004-61-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2004-62-0x0000000000480000-0x0000000000489000-memory.dmp

Filesize
36KB

Download
memory/2004-63-0x0000000004C30000-0x0000000004C97000-memory.dmp

Filesize
412KB

Download
memory/2004-64-0x00000000006F0000-0x0000000000710000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads