asyncrat | 6d52d77cc1f4ae6384113a2099386a3ec22f31d6d58bb264d625d532fdf48161

General

Target

INV00293893.exe
Size

593KB
MD5

9c697146c626141417666b847ba49752
SHA1

5847ac080a879df3533d5fece6cb21f07702beb3
SHA256

6d52d77cc1f4ae6384113a2099386a3ec22f31d6d58bb264d625d532fdf48161
SHA512

ba2f995e8d81227f96d6868bead1017960bfb18784691fb8e35754666794b7d10c6d7b8ae505e5d13fbfb23f55d44c232bfdc65890f8ee280b2835f0b5beb454

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

podzeye.duckdns.org:5522

podzeye.duckdns.org:5552

podzeye.duckdns.org:5533

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
bvWieEm9xvjWPWmzbmFe0NuBHX1DCbdD
anti_detection
false
autorun
false
bdos
false
delay
Default
host
podzeye.duckdns.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
5522,5552,5533
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1692-69-0x000000000040C73E-mapping.dmp	asyncrat
behavioral1/memory/1692-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1692-70-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

INV00293893.exe

description pid process target process

PID 980 set thread context of 1692 980 INV00293893.exe INV00293893.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1540 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

INV00293893.exe

pid process

980 INV00293893.exe
980 INV00293893.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

INV00293893.exe

description pid process

Token: SeDebugPrivilege 980 INV00293893.exe

description	pid	process	target process
PID 980 set thread context of 1692	980	INV00293893.exe	INV00293893.exe

pid	process
1540	schtasks.exe

pid	process
980	INV00293893.exe
980	INV00293893.exe

description	pid	process
Token: SeDebugPrivilege	980	INV00293893.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

INV00293893.exe

description	pid	process	target process
PID 980 wrote to memory of 1540	980	INV00293893.exe	schtasks.exe
PID 980 wrote to memory of 1540	980	INV00293893.exe	schtasks.exe
PID 980 wrote to memory of 1540	980	INV00293893.exe	schtasks.exe
PID 980 wrote to memory of 1540	980	INV00293893.exe	schtasks.exe
PID 980 wrote to memory of 820	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 820	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 820	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 820	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 1692	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 1692	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 1692	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 1692	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 1692	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 1692	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 1692	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 1692	980	INV00293893.exe	INV00293893.exe
PID 980 wrote to memory of 1692	980	INV00293893.exe	INV00293893.exe

C:\Users\Admin\AppData\Local\Temp\INV00293893.exe
"C:\Users\Admin\AppData\Local\Temp\INV00293893.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pYkCZWtidw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp690F.tmp"
2⤵
- Creates scheduled task(s)
PID:1540

C:\Users\Admin\AppData\Local\Temp\INV00293893.exe
"C:\Users\Admin\AppData\Local\Temp\INV00293893.exe"
2⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\INV00293893.exe
"C:\Users\Admin\AppData\Local\Temp\INV00293893.exe"
2⤵
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp690F.tmp
MD5
ed0959f546d5143787113f48ed40831f

SHA1
ff00cd2ea12bb97ec72ea3416c424f5c141e7554

SHA256
0d6675928853ae18b1634337fc62b2e24e1f37ca3dd27b9382960c03bb5dcc85

SHA512
3f431f337bfe8aafd32eaa00bac731a32ce3f082686a860668ddeb99e50af128b926cdd05fc3aa28bbb1c29f457a4e70d836d2b93ccc220f33a0edfce8968f5d

Download Submit
memory/980-60-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/980-62-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/980-63-0x0000000001D50000-0x0000000001D5E000-memory.dmp

Filesize
56KB

Download
memory/980-64-0x0000000004A10000-0x0000000004A9A000-memory.dmp

Filesize
552KB

Download
memory/980-65-0x0000000001FF0000-0x0000000002033000-memory.dmp

Filesize
268KB

Download
memory/1540-66-0x0000000000000000-mapping.dmp

Download
memory/1692-69-0x000000000040C73E-mapping.dmp

Download
memory/1692-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1692-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1692-72-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads