asyncrat | 153539010b81b41dcbd4cf3932a91e8e3fe2cb8a077dcbce4be08dce7fa5091c

General

Target

DHL Delivery Invoice AWB 2774038374.pdf.exe
Size

786KB
MD5

d743cbe63d8fbd4f86cc5606c22147a6
SHA1

dac98cb344e90b0e9872a8fee8df8e30c884fc90
SHA256

153539010b81b41dcbd4cf3932a91e8e3fe2cb8a077dcbce4be08dce7fa5091c
SHA512

553799f270fa11b6437c7c1066359db33de7c54eea0d1821bf4d721b5d54c69af24ee66bdc9b86f30ce14af3603a0ebf87a53166b5d84c38a904e87a6a83f16d

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

vladmir001.myddns.me:6381

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
4JaeOmABEr7aogISnRFvR85Emmylke5f
anti_detection
false
autorun
false
bdos
false
delay
Default
host
vladmir001.myddns.me
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6381
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/496-127-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/496-128-0x000000000040C73E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

DHL Delivery Invoice AWB 2774038374.pdf.exe

description pid process target process

PID 1000 set thread context of 496 1000 DHL Delivery Invoice AWB 2774038374.pdf.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

412 schtasks.exe

description	pid	process	target process
PID 1000 set thread context of 496	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe

pid	process
412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

DHL Delivery Invoice AWB 2774038374.pdf.exe

pid	process
1000	DHL Delivery Invoice AWB 2774038374.pdf.exe
1000	DHL Delivery Invoice AWB 2774038374.pdf.exe
1000	DHL Delivery Invoice AWB 2774038374.pdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DHL Delivery Invoice AWB 2774038374.pdf.exe

description pid process

Token: SeDebugPrivilege 1000 DHL Delivery Invoice AWB 2774038374.pdf.exe

description	pid	process
Token: SeDebugPrivilege	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

DHL Delivery Invoice AWB 2774038374.pdf.exe

description	pid	process	target process
PID 1000 wrote to memory of 412	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	schtasks.exe
PID 1000 wrote to memory of 412	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	schtasks.exe
PID 1000 wrote to memory of 412	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	schtasks.exe
PID 1000 wrote to memory of 496	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 496	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 496	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 496	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 496	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 496	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 496	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe
PID 1000 wrote to memory of 496	1000	DHL Delivery Invoice AWB 2774038374.pdf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice AWB 2774038374.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice AWB 2774038374.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kTeyOdy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9C.tmp"
2⤵
- Creates scheduled task(s)
PID:412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF9C.tmp
MD5
e515e937d083a071bfcc5aed00cfdbf1

SHA1
2ab20ffe4adbb90be98a57e011fb8f086f425121

SHA256
ead1b87fd173cce1e723e80ce851583d361e774b1836a40f53057488464548f9

SHA512
cebe68ad0c6d3b4cdc8ce98684131b4d08747235aa0fcedd1c1cc1f85279cf08e0fbae8a3d223c6140f7fe3f3d0f735f58b2c1e9eb48603a53a306af0edf9b29

Download Submit
memory/412-125-0x0000000000000000-mapping.dmp

Download
memory/496-131-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/496-128-0x000000000040C73E-mapping.dmp

Download
memory/496-127-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1000-121-0x0000000005730000-0x0000000005C2E000-memory.dmp

Filesize
5.0MB

Download
memory/1000-114-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1000-122-0x0000000005C20000-0x0000000005C29000-memory.dmp

Filesize
36KB

Download
memory/1000-123-0x00000000016B0000-0x0000000001717000-memory.dmp

Filesize
412KB

Download
memory/1000-124-0x0000000001770000-0x0000000001790000-memory.dmp

Filesize
128KB

Download
memory/1000-120-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/1000-119-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/1000-118-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/1000-117-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/1000-116-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads