asyncrat | 046d650990c01b17f9e518a2c93fcad54247eb25ea194aa0939a8a9a7f31fe10

General

Target

Q-B210426002.exe
Size

604KB
MD5

d2dc47a6a92d45dba94e456ac4354dc0
SHA1

63d871671fbf733cf56f746dded735e5e21f6f5b
SHA256

046d650990c01b17f9e518a2c93fcad54247eb25ea194aa0939a8a9a7f31fe10
SHA512

dc35d695f94ce4ca66da5208d4af204ef4744598f194b49e6346f724028c40b64b893e94f277166f780099cd5dde10270d20a5ead024b097a41cc06ea9a7a890

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

mazi.ddns.net:2066

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
QOvO5FC2sdXjluSQPHx2mlSamLh7qeQR
anti_detection
false
autorun
true
bdos
false
delay
Default
host
mazi.ddns.net
hwid
10
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
2066
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3364-138-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3364-139-0x000000000040C73E-mapping.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

DONDON.exe

pid process

1796 DONDON.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Q-B210426002.exe

description pid process target process

PID 4048 set thread context of 3364 4048 Q-B210426002.exe Q-B210426002.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

500 schtasks.exe
3484 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2892 timeout.exe

pid	process
1796	DONDON.exe

description	pid	process	target process
PID 4048 set thread context of 3364	4048	Q-B210426002.exe	Q-B210426002.exe

pid	process
500	schtasks.exe
3484	schtasks.exe

pid	process
2892	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

powershell.exepowershell.exeQ-B210426002.exepowershell.exeQ-B210426002.exe

pid	process
4068	powershell.exe
3744	powershell.exe
4048	Q-B210426002.exe
4068	powershell.exe
1240	powershell.exe
3744	powershell.exe
1240	powershell.exe
4068	powershell.exe
3744	powershell.exe
1240	powershell.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe
3364	Q-B210426002.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeQ-B210426002.exepowershell.exeQ-B210426002.exe

description	pid	process
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	4048	Q-B210426002.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	3364	Q-B210426002.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Q-B210426002.exeQ-B210426002.execmd.execmd.exe

description	pid	process	target process
PID 4048 wrote to memory of 4068	4048	Q-B210426002.exe	powershell.exe
PID 4048 wrote to memory of 4068	4048	Q-B210426002.exe	powershell.exe
PID 4048 wrote to memory of 4068	4048	Q-B210426002.exe	powershell.exe
PID 4048 wrote to memory of 3744	4048	Q-B210426002.exe	powershell.exe
PID 4048 wrote to memory of 3744	4048	Q-B210426002.exe	powershell.exe
PID 4048 wrote to memory of 3744	4048	Q-B210426002.exe	powershell.exe
PID 4048 wrote to memory of 500	4048	Q-B210426002.exe	schtasks.exe
PID 4048 wrote to memory of 500	4048	Q-B210426002.exe	schtasks.exe
PID 4048 wrote to memory of 500	4048	Q-B210426002.exe	schtasks.exe
PID 4048 wrote to memory of 1240	4048	Q-B210426002.exe	powershell.exe
PID 4048 wrote to memory of 1240	4048	Q-B210426002.exe	powershell.exe
PID 4048 wrote to memory of 1240	4048	Q-B210426002.exe	powershell.exe
PID 4048 wrote to memory of 3364	4048	Q-B210426002.exe	Q-B210426002.exe
PID 4048 wrote to memory of 3364	4048	Q-B210426002.exe	Q-B210426002.exe
PID 4048 wrote to memory of 3364	4048	Q-B210426002.exe	Q-B210426002.exe
PID 4048 wrote to memory of 3364	4048	Q-B210426002.exe	Q-B210426002.exe
PID 4048 wrote to memory of 3364	4048	Q-B210426002.exe	Q-B210426002.exe
PID 4048 wrote to memory of 3364	4048	Q-B210426002.exe	Q-B210426002.exe
PID 4048 wrote to memory of 3364	4048	Q-B210426002.exe	Q-B210426002.exe
PID 4048 wrote to memory of 3364	4048	Q-B210426002.exe	Q-B210426002.exe
PID 3364 wrote to memory of 1348	3364	Q-B210426002.exe	cmd.exe
PID 3364 wrote to memory of 1348	3364	Q-B210426002.exe	cmd.exe
PID 3364 wrote to memory of 1348	3364	Q-B210426002.exe	cmd.exe
PID 3364 wrote to memory of 1632	3364	Q-B210426002.exe	cmd.exe
PID 3364 wrote to memory of 1632	3364	Q-B210426002.exe	cmd.exe
PID 3364 wrote to memory of 1632	3364	Q-B210426002.exe	cmd.exe
PID 1632 wrote to memory of 2892	1632	cmd.exe	timeout.exe
PID 1632 wrote to memory of 2892	1632	cmd.exe	timeout.exe
PID 1632 wrote to memory of 2892	1632	cmd.exe	timeout.exe
PID 1348 wrote to memory of 3484	1348	cmd.exe	schtasks.exe
PID 1348 wrote to memory of 3484	1348	cmd.exe	schtasks.exe
PID 1348 wrote to memory of 3484	1348	cmd.exe	schtasks.exe
PID 1632 wrote to memory of 1796	1632	cmd.exe	DONDON.exe
PID 1632 wrote to memory of 1796	1632	cmd.exe	DONDON.exe
PID 1632 wrote to memory of 1796	1632	cmd.exe	DONDON.exe

C:\Users\Admin\AppData\Local\Temp\Q-B210426002.exe
"C:\Users\Admin\AppData\Local\Temp\Q-B210426002.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Q-B210426002.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BnnWnBimZLJk.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BnnWnBimZLJk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA430.tmp"
2⤵
- Creates scheduled task(s)
PID:500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BnnWnBimZLJk.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Users\Admin\AppData\Local\Temp\Q-B210426002.exe
"C:\Users\Admin\AppData\Local\Temp\Q-B210426002.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DONDON" /tr '"C:\Users\Admin\AppData\Roaming\DONDON.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "DONDON" /tr '"C:\Users\Admin\AppData\Roaming\DONDON.exe"'
4⤵
- Creates scheduled task(s)
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD840.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2892

C:\Users\Admin\AppData\Roaming\DONDON.exe
"C:\Users\Admin\AppData\Roaming\DONDON.exe"
4⤵
- Executes dropped EXE
PID:1796

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Q-B210426002.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d7130f6844f95f9d1927bb98ebd7841e

SHA1
62d4a57b548ca2472f50325f6d8bbfe30ab56849

SHA256
d6e87a0ceef1ce7a981788c5da6ca523c18626843308e20c48c4a1bf6d943afc

SHA512
4e988860da4050e0ff19ad7e190d1ed0ed9d59ee53d0bd30590f5718678cba50951eef88daa35ce152f120fde3aff89951b0f5eb8a4114375dc16b8fc68b2dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
02b1cde2c16abd45a41bf4297bcc3982

SHA1
2da79bc3424b08549bcb929faa866a7dce971e77

SHA256
464064c2756c559fdc955caa41eebf1682cc49de8551fe993eb54bae863a235e

SHA512
c7a40113a1bdee6be305b21e8f8dc74b70b5a666bcfc1ca0864de175117a55fd4f21a2ff3291b200b6dee36e7674e98c1610899bfca6a8984dd93f1730c4f48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA430.tmp
MD5
ea4428de28853a889617d2861faedc3b

SHA1
fd1c3fc852ebafab685868deb193d7548c6e23a1

SHA256
f6a812903ccbfcbd5bf2e080934a373a42886d6dcd5579a3dcfc53f4adcd6ab4

SHA512
39061f9647a0efe4bcbc936c98238e2e61daa9236ef5075f27ca2517be423aa65119c81e8e3a44eb24f1263cdf96d0574ed67a901d2a833dadb375609f08066d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD840.tmp.bat
MD5
724942b03997e90502a921df7f3cbca7

SHA1
3fab82d8461d857a1d38b5c25a5927867e064c0b

SHA256
c8a6d3a52ef02a17d4804209407b16162e9537da203452a0c146e071aa8074eb

SHA512
446aa1c92de51f3512c469ee2a2a9a6419aa3ab936d8994a1fdcd35a649da0cfa5fb6861e8a6ef494231717f64f711acabe1e036e3b5c1266635918b6bfcaae3

Download Submit
C:\Users\Admin\AppData\Roaming\DONDON.exe
MD5
d2dc47a6a92d45dba94e456ac4354dc0

SHA1
63d871671fbf733cf56f746dded735e5e21f6f5b

SHA256
046d650990c01b17f9e518a2c93fcad54247eb25ea194aa0939a8a9a7f31fe10

SHA512
dc35d695f94ce4ca66da5208d4af204ef4744598f194b49e6346f724028c40b64b893e94f277166f780099cd5dde10270d20a5ead024b097a41cc06ea9a7a890

Download Submit
C:\Users\Admin\AppData\Roaming\DONDON.exe
MD5
d2dc47a6a92d45dba94e456ac4354dc0

SHA1
63d871671fbf733cf56f746dded735e5e21f6f5b

SHA256
046d650990c01b17f9e518a2c93fcad54247eb25ea194aa0939a8a9a7f31fe10

SHA512
dc35d695f94ce4ca66da5208d4af204ef4744598f194b49e6346f724028c40b64b893e94f277166f780099cd5dde10270d20a5ead024b097a41cc06ea9a7a890

Download Submit
memory/500-127-0x0000000000000000-mapping.dmp

Download
memory/1240-193-0x000000007F880000-0x000000007F881000-memory.dmp

Filesize
4KB

Download
memory/1240-168-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1240-169-0x0000000004C62000-0x0000000004C63000-memory.dmp

Filesize
4KB

Download
memory/1240-137-0x0000000000000000-mapping.dmp

Download
memory/1240-196-0x0000000004C63000-0x0000000004C64000-memory.dmp

Filesize
4KB

Download
memory/1348-201-0x0000000000000000-mapping.dmp

Download
memory/1632-202-0x0000000000000000-mapping.dmp

Download
memory/1796-210-0x00000000058F0000-0x0000000005DEE000-memory.dmp

Filesize
5.0MB

Download
memory/1796-207-0x0000000000000000-mapping.dmp

Download
memory/2892-205-0x0000000000000000-mapping.dmp

Download
memory/3364-200-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/3364-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3364-139-0x000000000040C73E-mapping.dmp

Download
memory/3484-206-0x0000000000000000-mapping.dmp

Download
memory/3744-126-0x0000000000000000-mapping.dmp

Download
memory/3744-150-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/3744-192-0x000000007ECF0000-0x000000007ECF1000-memory.dmp

Filesize
4KB

Download
memory/3744-151-0x0000000004B12000-0x0000000004B13000-memory.dmp

Filesize
4KB

Download
memory/3744-195-0x0000000004B13000-0x0000000004B14000-memory.dmp

Filesize
4KB

Download
memory/3744-164-0x00000000086C0000-0x00000000086C1000-memory.dmp

Filesize
4KB

Download
memory/3744-166-0x0000000008480000-0x0000000008481000-memory.dmp

Filesize
4KB

Download
memory/4048-123-0x0000000005FA0000-0x0000000006029000-memory.dmp

Filesize
548KB

Download
memory/4048-121-0x0000000005170000-0x000000000517E000-memory.dmp

Filesize
56KB

Download
memory/4048-120-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/4048-122-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4048-124-0x0000000001110000-0x0000000001151000-memory.dmp

Filesize
260KB

Download
memory/4048-119-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4048-118-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4048-114-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/4048-117-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/4048-116-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/4068-130-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/4068-194-0x0000000006D33000-0x0000000006D34000-memory.dmp

Filesize
4KB

Download
memory/4068-190-0x000000007F0B0000-0x000000007F0B1000-memory.dmp

Filesize
4KB

Download
memory/4068-188-0x0000000009060000-0x0000000009093000-memory.dmp

Filesize
204KB

Download
memory/4068-161-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/4068-152-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/4068-140-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/4068-142-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/4068-143-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/4068-148-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/4068-146-0x0000000006D32000-0x0000000006D33000-memory.dmp

Filesize
4KB

Download
memory/4068-131-0x0000000007370000-0x0000000007371000-memory.dmp

Filesize
4KB

Download
memory/4068-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads