asyncrat | 6d52d77cc1f4ae6384113a2099386a3ec22f31d6d58bb264d625d532fdf48161

General

Target

INV00293893.exe
Size

593KB
MD5

9c697146c626141417666b847ba49752
SHA1

5847ac080a879df3533d5fece6cb21f07702beb3
SHA256

6d52d77cc1f4ae6384113a2099386a3ec22f31d6d58bb264d625d532fdf48161
SHA512

ba2f995e8d81227f96d6868bead1017960bfb18784691fb8e35754666794b7d10c6d7b8ae505e5d13fbfb23f55d44c232bfdc65890f8ee280b2835f0b5beb454

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

podzeye.duckdns.org:5522

podzeye.duckdns.org:5552

podzeye.duckdns.org:5533

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
bvWieEm9xvjWPWmzbmFe0NuBHX1DCbdD
anti_detection
false
autorun
false
bdos
false
delay
Default
host
podzeye.duckdns.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
5522,5552,5533
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1168-125-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1168-126-0x000000000040C73E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

INV00293893.exe

description pid process target process

PID 752 set thread context of 1168 752 INV00293893.exe INV00293893.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3344 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

INV00293893.exe

pid process

752 INV00293893.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

INV00293893.exe

description pid process

Token: SeDebugPrivilege 752 INV00293893.exe

description	pid	process	target process
PID 752 set thread context of 1168	752	INV00293893.exe	INV00293893.exe

pid	process
3344	schtasks.exe

pid	process
752	INV00293893.exe

description	pid	process
Token: SeDebugPrivilege	752	INV00293893.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

INV00293893.exe

description	pid	process	target process
PID 752 wrote to memory of 3344	752	INV00293893.exe	schtasks.exe
PID 752 wrote to memory of 3344	752	INV00293893.exe	schtasks.exe
PID 752 wrote to memory of 3344	752	INV00293893.exe	schtasks.exe
PID 752 wrote to memory of 1168	752	INV00293893.exe	INV00293893.exe
PID 752 wrote to memory of 1168	752	INV00293893.exe	INV00293893.exe
PID 752 wrote to memory of 1168	752	INV00293893.exe	INV00293893.exe
PID 752 wrote to memory of 1168	752	INV00293893.exe	INV00293893.exe
PID 752 wrote to memory of 1168	752	INV00293893.exe	INV00293893.exe
PID 752 wrote to memory of 1168	752	INV00293893.exe	INV00293893.exe
PID 752 wrote to memory of 1168	752	INV00293893.exe	INV00293893.exe
PID 752 wrote to memory of 1168	752	INV00293893.exe	INV00293893.exe

C:\Users\Admin\AppData\Local\Temp\INV00293893.exe
"C:\Users\Admin\AppData\Local\Temp\INV00293893.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pYkCZWtidw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp41D7.tmp"
2⤵
- Creates scheduled task(s)
PID:3344

C:\Users\Admin\AppData\Local\Temp\INV00293893.exe
"C:\Users\Admin\AppData\Local\Temp\INV00293893.exe"
2⤵
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp41D7.tmp
MD5
9512820a4c02319a9d4c400ace7a4fcc

SHA1
45bee9643b885e35e18cafd23ba0c4ace8573179

SHA256
697ea901aa15dcaafed71f5390469f5d36ab42928edbacbdcb8d04c16812eadf

SHA512
af5955fa43ddf17cdf0eb4b1e49dbc3854ece519a1a2d717aace00827db229a575a984a3f22bd2929ad4a724380154e6703426d87f7d4a347989d61d7bc4791e

Download Submit
memory/752-118-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/752-117-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/752-114-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/752-119-0x0000000005860000-0x000000000586E000-memory.dmp

Filesize
56KB

Download
memory/752-120-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/752-121-0x0000000002DD0000-0x0000000002E5A000-memory.dmp

Filesize
552KB

Download
memory/752-122-0x00000000015C0000-0x0000000001603000-memory.dmp

Filesize
268KB

Download
memory/752-116-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/1168-125-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1168-126-0x000000000040C73E-mapping.dmp

Download
memory/1168-129-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3344-123-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads