asyncrat | 0953e07352cc9da191595f0dc233d4c04070b507f3503cf7cd62e6bb9a680ec7

General

Target

1ab91c6b55ef7fe9426448d1b365e919.exe
Size

47KB
MD5

1ab91c6b55ef7fe9426448d1b365e919
SHA1

a47527efb62e08131fadd1c0c321d1405688acde
SHA256

0953e07352cc9da191595f0dc233d4c04070b507f3503cf7cd62e6bb9a680ec7
SHA512

bf940cda054dcf7a117296dfec96683ad3b6b1d0a431caa171741630145df33d6f57f30b647c8fbbd04648fc716fba9ca78a673398b522e06b3a37a489a0c87f

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

cryptserver.hopto.org:4444

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
eT1fq0d6dtymBNAUb6WLtqX26xciO5Sd
anti_detection
true
autorun
true
bdos
false
delay
Default
host
cryptserver.hopto.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
4444
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\update.exe	asyncrat
C:\Users\Admin\AppData\Roaming\update.exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

2248 update.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1184 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1228 timeout.exe

pid	process
2248	update.exe

pid	process
1184	schtasks.exe

pid	process
1228	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

1ab91c6b55ef7fe9426448d1b365e919.exe

pid	process
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe
736	1ab91c6b55ef7fe9426448d1b365e919.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1ab91c6b55ef7fe9426448d1b365e919.exeupdate.exe

description pid process

Token: SeDebugPrivilege 736 1ab91c6b55ef7fe9426448d1b365e919.exe
Token: SeDebugPrivilege 2248 update.exe

description	pid	process
Token: SeDebugPrivilege	736	1ab91c6b55ef7fe9426448d1b365e919.exe
Token: SeDebugPrivilege	2248	update.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

1ab91c6b55ef7fe9426448d1b365e919.execmd.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 4068	736	1ab91c6b55ef7fe9426448d1b365e919.exe	cmd.exe
PID 736 wrote to memory of 4068	736	1ab91c6b55ef7fe9426448d1b365e919.exe	cmd.exe
PID 736 wrote to memory of 4068	736	1ab91c6b55ef7fe9426448d1b365e919.exe	cmd.exe
PID 736 wrote to memory of 2732	736	1ab91c6b55ef7fe9426448d1b365e919.exe	cmd.exe
PID 736 wrote to memory of 2732	736	1ab91c6b55ef7fe9426448d1b365e919.exe	cmd.exe
PID 736 wrote to memory of 2732	736	1ab91c6b55ef7fe9426448d1b365e919.exe	cmd.exe
PID 4068 wrote to memory of 1184	4068	cmd.exe	schtasks.exe
PID 4068 wrote to memory of 1184	4068	cmd.exe	schtasks.exe
PID 4068 wrote to memory of 1184	4068	cmd.exe	schtasks.exe
PID 2732 wrote to memory of 1228	2732	cmd.exe	timeout.exe
PID 2732 wrote to memory of 1228	2732	cmd.exe	timeout.exe
PID 2732 wrote to memory of 1228	2732	cmd.exe	timeout.exe
PID 2732 wrote to memory of 2248	2732	cmd.exe	update.exe
PID 2732 wrote to memory of 2248	2732	cmd.exe	update.exe
PID 2732 wrote to memory of 2248	2732	cmd.exe	update.exe

C:\Users\Admin\AppData\Local\Temp\1ab91c6b55ef7fe9426448d1b365e919.exe
"C:\Users\Admin\AppData\Local\Temp\1ab91c6b55ef7fe9426448d1b365e919.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Roaming\update.exe"'
3⤵
- Creates scheduled task(s)
PID:1184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC4FB.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1228

C:\Users\Admin\AppData\Roaming\update.exe
"C:\Users\Admin\AppData\Roaming\update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC4FB.tmp.bat
MD5
35233e36c3099247d87111a3afe2a950

SHA1
0455eb10692660909d157054a718c8765be83bc4

SHA256
b63e4c27f5934094c8ae3bce48236d0a5467accc08c03f49a51b9a34d5b9d6ed

SHA512
540800e1bfaa463038bd8b675204566104dda117ac6f1cadeed888371fd39f3bd6d1fc163b2c616cf78238613e30df1a1dd8f3b07b30e1e51f3ae09f2c97ee98

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe
MD5
1ab91c6b55ef7fe9426448d1b365e919

SHA1
a47527efb62e08131fadd1c0c321d1405688acde

SHA256
0953e07352cc9da191595f0dc233d4c04070b507f3503cf7cd62e6bb9a680ec7

SHA512
bf940cda054dcf7a117296dfec96683ad3b6b1d0a431caa171741630145df33d6f57f30b647c8fbbd04648fc716fba9ca78a673398b522e06b3a37a489a0c87f

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe
MD5
1ab91c6b55ef7fe9426448d1b365e919

SHA1
a47527efb62e08131fadd1c0c321d1405688acde

SHA256
0953e07352cc9da191595f0dc233d4c04070b507f3503cf7cd62e6bb9a680ec7

SHA512
bf940cda054dcf7a117296dfec96683ad3b6b1d0a431caa171741630145df33d6f57f30b647c8fbbd04648fc716fba9ca78a673398b522e06b3a37a489a0c87f

Download Submit
memory/736-117-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/736-118-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/736-116-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/736-114-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/1184-122-0x0000000000000000-mapping.dmp

Download
memory/1228-123-0x0000000000000000-mapping.dmp

Download
memory/2248-124-0x0000000000000000-mapping.dmp

Download
memory/2248-129-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/2732-120-0x0000000000000000-mapping.dmp

Download
memory/4068-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads