asyncrat | b79d5a2f5f011eb02665057aec937277f09aa936e15f0d4e44fae931f89d2c59

General

Target

650EECE6AEA7CD4626CB251F9FF91CE9.exe
Size

62KB
MD5

650eece6aea7cd4626cb251f9ff91ce9
SHA1

70455699f8b6b8a2bea51f9b391d1400ca9222d4
SHA256

b79d5a2f5f011eb02665057aec937277f09aa936e15f0d4e44fae931f89d2c59
SHA512

668815781d7d9f2686800f7f9b0d94682a48ecbcfd00ff4ccdb3243dbd7c6d07a1792006d292b2222a3bc5987721f050478113900c1c753c594c5bd8281d1dd1

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

2.tcp.ngrok.io:11834

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
Tu5p5O66uhwxYdRR7fGk7ls9AW60NIJU
anti_detection
false
autorun
false
bdos
true
delay
Default
host
2.tcp.ngrok.io
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
11834
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3528-123-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3528-124-0x000000000040C72E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

650EECE6AEA7CD4626CB251F9FF91CE9.exe

description pid process target process

PID 3944 set thread context of 3528 3944 650EECE6AEA7CD4626CB251F9FF91CE9.exe RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 3528 RegAsm.exe
Token: SeDebugPrivilege 3528 RegAsm.exe

description	pid	process	target process
PID 3944 set thread context of 3528	3944	650EECE6AEA7CD4626CB251F9FF91CE9.exe	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	3528	RegAsm.exe
Token: SeDebugPrivilege	3528	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

650EECE6AEA7CD4626CB251F9FF91CE9.exe

description	pid	process	target process
PID 3944 wrote to memory of 3528	3944	650EECE6AEA7CD4626CB251F9FF91CE9.exe	RegAsm.exe
PID 3944 wrote to memory of 3528	3944	650EECE6AEA7CD4626CB251F9FF91CE9.exe	RegAsm.exe
PID 3944 wrote to memory of 3528	3944	650EECE6AEA7CD4626CB251F9FF91CE9.exe	RegAsm.exe
PID 3944 wrote to memory of 3528	3944	650EECE6AEA7CD4626CB251F9FF91CE9.exe	RegAsm.exe
PID 3944 wrote to memory of 3528	3944	650EECE6AEA7CD4626CB251F9FF91CE9.exe	RegAsm.exe
PID 3944 wrote to memory of 3528	3944	650EECE6AEA7CD4626CB251F9FF91CE9.exe	RegAsm.exe
PID 3944 wrote to memory of 3528	3944	650EECE6AEA7CD4626CB251F9FF91CE9.exe	RegAsm.exe
PID 3944 wrote to memory of 3528	3944	650EECE6AEA7CD4626CB251F9FF91CE9.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\650EECE6AEA7CD4626CB251F9FF91CE9.exe
"C:\Users\Admin\AppData\Local\Temp\650EECE6AEA7CD4626CB251F9FF91CE9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3528-123-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3528-124-0x000000000040C72E-mapping.dmp

Download
memory/3528-127-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/3944-114-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3944-116-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/3944-117-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/3944-118-0x0000000004D20000-0x000000000521E000-memory.dmp

Filesize
5.0MB

Download
memory/3944-119-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/3944-120-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/3944-121-0x0000000004FC0000-0x0000000004FCE000-memory.dmp

Filesize
56KB

Download
memory/3944-122-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing