asyncrat | 2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792

General

Target

8D74E2EF18E68405319A1090D20A0674.exe
Size

264KB
MD5

8d74e2ef18e68405319a1090d20a0674
SHA1

363c4e86dbf7f6ab65dcc79cedb07aa52ea12ed9
SHA256

2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792
SHA512

6ab882ae5e24837037f3d18260f0b39f9f4b6110ebd2af86e14edebb6df201f389cc390e5af6213f5e93f1a238c55ace91910cf709dc82cfe709b6f49f958fd3

Score

10^/10

asyncrat persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

fact.azad.live:5380

societyf500.ddns.net:5380

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
g5ATBHeFjqZicBQcW6MmoyX0Xhwz0tjW
anti_detection
false
autorun
true
bdos
false
delay
Default
host
fact.azad.live,societyf500.ddns.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
5380
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/188-117-0x0000000000400000-0x0000000000421000-memory.dmp	asyncrat
behavioral2/memory/188-118-0x0000000002200000-0x000000000220C000-memory.dmp	asyncrat
behavioral2/memory/1296-141-0x0000000000400000-0x0000000000421000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

dwm.exedwm.exe

pid process

772 dwm.exe
1296 dwm.exe
Loads dropped DLL 2 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exedwm.exe

pid process

3540 8D74E2EF18E68405319A1090D20A0674.exe
772 dwm.exe

pid	process
772	dwm.exe
1296	dwm.exe

pid	process
3540	8D74E2EF18E68405319A1090D20A0674.exe
772	dwm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8D74E2EF18E68405319A1090D20A0674.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\dwm.exe"	8D74E2EF18E68405319A1090D20A0674.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exedwm.exe

description	pid	process	target process
PID 3540 set thread context of 188	3540	8D74E2EF18E68405319A1090D20A0674.exe	8D74E2EF18E68405319A1090D20A0674.exe
PID 772 set thread context of 1296	772	dwm.exe	dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3712 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3692 timeout.exe

pid	process
3712	schtasks.exe

pid	process
3692	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exe

pid	process
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe
188	8D74E2EF18E68405319A1090D20A0674.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exedwm.exe

pid process

3540 8D74E2EF18E68405319A1090D20A0674.exe
772 dwm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exedwm.exe

description pid process

Token: SeDebugPrivilege 188 8D74E2EF18E68405319A1090D20A0674.exe
Token: SeDebugPrivilege 1296 dwm.exe

pid	process
3540	8D74E2EF18E68405319A1090D20A0674.exe
772	dwm.exe

description	pid	process
Token: SeDebugPrivilege	188	8D74E2EF18E68405319A1090D20A0674.exe
Token: SeDebugPrivilege	1296	dwm.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exe8D74E2EF18E68405319A1090D20A0674.execmd.execmd.exedwm.exe

description	pid	process	target process
PID 3540 wrote to memory of 188	3540	8D74E2EF18E68405319A1090D20A0674.exe	8D74E2EF18E68405319A1090D20A0674.exe
PID 3540 wrote to memory of 188	3540	8D74E2EF18E68405319A1090D20A0674.exe	8D74E2EF18E68405319A1090D20A0674.exe
PID 3540 wrote to memory of 188	3540	8D74E2EF18E68405319A1090D20A0674.exe	8D74E2EF18E68405319A1090D20A0674.exe
PID 3540 wrote to memory of 188	3540	8D74E2EF18E68405319A1090D20A0674.exe	8D74E2EF18E68405319A1090D20A0674.exe
PID 188 wrote to memory of 4092	188	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 188 wrote to memory of 4092	188	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 188 wrote to memory of 4092	188	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 188 wrote to memory of 3260	188	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 188 wrote to memory of 3260	188	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 188 wrote to memory of 3260	188	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 4092 wrote to memory of 3712	4092	cmd.exe	schtasks.exe
PID 4092 wrote to memory of 3712	4092	cmd.exe	schtasks.exe
PID 4092 wrote to memory of 3712	4092	cmd.exe	schtasks.exe
PID 3260 wrote to memory of 3692	3260	cmd.exe	timeout.exe
PID 3260 wrote to memory of 3692	3260	cmd.exe	timeout.exe
PID 3260 wrote to memory of 3692	3260	cmd.exe	timeout.exe
PID 3260 wrote to memory of 772	3260	cmd.exe	dwm.exe
PID 3260 wrote to memory of 772	3260	cmd.exe	dwm.exe
PID 3260 wrote to memory of 772	3260	cmd.exe	dwm.exe
PID 772 wrote to memory of 1296	772	dwm.exe	dwm.exe
PID 772 wrote to memory of 1296	772	dwm.exe	dwm.exe
PID 772 wrote to memory of 1296	772	dwm.exe	dwm.exe
PID 772 wrote to memory of 1296	772	dwm.exe	dwm.exe

C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe
"C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe
"C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dwm" /tr '"C:\Users\Admin\AppData\Roaming\dwm.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "dwm" /tr '"C:\Users\Admin\AppData\Roaming\dwm.exe"'
4⤵
- Creates scheduled task(s)
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp93F8.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3692

C:\Users\Admin\AppData\Roaming\dwm.exe
"C:\Users\Admin\AppData\Roaming\dwm.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Roaming\dwm.exe
"C:\Users\Admin\AppData\Roaming\dwm.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ug8kkc9yylgslet6xhk
MD5
0e158940b02a969fee96076cef7d5f9b

SHA1
ecaed9c81fe6876a924c5dcfa3bea58197332a78

SHA256
f82e69060b57788f13e22b60c1da3100056f5efe6877105dd01e95853a2fffc3

SHA512
384140d46cf0ad650eeff67e379bb0ae716981066d232463d0d7ac2562d78f2c65630347f9f5afc0bf79f831374ad85d0985ee2a7def1d32fe2b2f1902db9254

Download Submit
C:\Users\Admin\AppData\Local\Temp\eg4qkktz6zvepr
MD5
6d77ea32f8214afe3278f446727ce728

SHA1
fb08a5050eb2a586c65b0fb987bcb35830765dbd

SHA256
38e8d892faa22377b1dcd14faee1652e50a404b81ec6b69467b1249a43b032f6

SHA512
aa4fc073027d1f069c5313eb38901452ac3c84c3d7756930784c5321d5d569f504786ca336f67573ba7d4df3d67af5337b4f590c059b2024389eeba5849be2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp93F8.tmp.bat
MD5
664c988332d636d155939f1ef8274817

SHA1
da2a2d5737c0ba702705752c4fb659ffe7bd738d

SHA256
bfc9f940302c071d13902be8ffce621e52362b3db76c624499570cc1342fa1cf

SHA512
b4c4133c95b0948972bf4cd71e8ae35ba81bd9864b2ec7bf763d97d03d3a7ab3066f1d9567acbd78ddf02a73c7ab5388c32c8de9a7a764c599df0f696b094d2d

Download Submit
C:\Users\Admin\AppData\Roaming\dwm.exe
MD5
8d74e2ef18e68405319a1090d20a0674

SHA1
363c4e86dbf7f6ab65dcc79cedb07aa52ea12ed9

SHA256
2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792

SHA512
6ab882ae5e24837037f3d18260f0b39f9f4b6110ebd2af86e14edebb6df201f389cc390e5af6213f5e93f1a238c55ace91910cf709dc82cfe709b6f49f958fd3

Download Submit
C:\Users\Admin\AppData\Roaming\dwm.exe
MD5
8d74e2ef18e68405319a1090d20a0674

SHA1
363c4e86dbf7f6ab65dcc79cedb07aa52ea12ed9

SHA256
2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792

SHA512
6ab882ae5e24837037f3d18260f0b39f9f4b6110ebd2af86e14edebb6df201f389cc390e5af6213f5e93f1a238c55ace91910cf709dc82cfe709b6f49f958fd3

Download Submit
C:\Users\Admin\AppData\Roaming\dwm.exe
MD5
8d74e2ef18e68405319a1090d20a0674

SHA1
363c4e86dbf7f6ab65dcc79cedb07aa52ea12ed9

SHA256
2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792

SHA512
6ab882ae5e24837037f3d18260f0b39f9f4b6110ebd2af86e14edebb6df201f389cc390e5af6213f5e93f1a238c55ace91910cf709dc82cfe709b6f49f958fd3

Download Submit
\Users\Admin\AppData\Local\Temp\nsk9ED8.tmp\ktjs.dll
MD5
808bcde0e218d1c449e03b7a8d8e6a85

SHA1
9bacabb5d38179ed06703124fd99247ff8c3739b

SHA256
a128457ae2a48027b291f00a53d1e299222148b8d4cec7045f204190cbba8044

SHA512
dccdad4d124ca6899d481f82ea37d742a53d4411a9df17ad167e62559b6855ff69f5546f48112af5ed8ba2ab473928233a8f4281980ae9b9e7e4d5c08a8446d6

Download Submit
\Users\Admin\AppData\Local\Temp\nsz2C57.tmp\ktjs.dll
MD5
808bcde0e218d1c449e03b7a8d8e6a85

SHA1
9bacabb5d38179ed06703124fd99247ff8c3739b

SHA256
a128457ae2a48027b291f00a53d1e299222148b8d4cec7045f204190cbba8044

SHA512
dccdad4d124ca6899d481f82ea37d742a53d4411a9df17ad167e62559b6855ff69f5546f48112af5ed8ba2ab473928233a8f4281980ae9b9e7e4d5c08a8446d6

Download Submit
memory/188-118-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/188-124-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/188-123-0x0000000002384000-0x0000000002385000-memory.dmp

Filesize
4KB

Download
memory/188-122-0x0000000002383000-0x0000000002384000-memory.dmp

Filesize
4KB

Download
memory/188-120-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/188-121-0x0000000002382000-0x0000000002383000-memory.dmp

Filesize
4KB

Download
memory/188-117-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/188-116-0x000000000040188B-mapping.dmp

Download
memory/772-130-0x0000000000000000-mapping.dmp

Download
memory/1296-137-0x000000000040188B-mapping.dmp

Download
memory/1296-142-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1296-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1296-143-0x0000000004852000-0x0000000004853000-memory.dmp

Filesize
4KB

Download
memory/1296-144-0x0000000004853000-0x0000000004854000-memory.dmp

Filesize
4KB

Download
memory/1296-145-0x0000000004854000-0x0000000004855000-memory.dmp

Filesize
4KB

Download
memory/3260-126-0x0000000000000000-mapping.dmp

Download
memory/3540-115-0x0000000000990000-0x0000000000993000-memory.dmp

Filesize
12KB

Download
memory/3692-129-0x0000000000000000-mapping.dmp

Download
memory/3712-128-0x0000000000000000-mapping.dmp

Download
memory/4092-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads