asyncrat | bba6a0edd815ea52c69ae4870598b5f4ff396f6e5860bb2e03d74e101b29e898

General

Target

IMG-06-05-345678909876543.exe
Size

222KB
MD5

fd6cd4fc819f390b6c8b66820023e406
SHA1

75313bc953f604560e69eeec7debef6c1aea049d
SHA256

bba6a0edd815ea52c69ae4870598b5f4ff396f6e5860bb2e03d74e101b29e898
SHA512

a6793de1bf344930071d7b5d860b4fdffba705fe5f5062a47492b57264e283bc93d313f7bc993ec7b3ebd7c54a95499827b4e24139ce0056053cf38b83568046

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

joseedward5001.ddns.net:1515

194.5.98.120:1515

Mutex

cfbtvyfbge

Attributes

aes_key
HmKU5jDgSS0N12PbG0QQ2B4Ik7gjdFTl
anti_detection
false
autorun
false
bdos
false
delay
host
joseedward5001.ddns.net,194.5.98.120
hwid
5
install_file
install_folder
%AppData%
mutex
cfbtvyfbge
pastebin_config
null
port
1515
version
0.5.6A

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1504-125-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1504-126-0x000000000040C3BE-mapping.dmp	asyncrat

Drops startup file 2 IoCs

Processes:

IMG-06-05-345678909876543.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

IMG-06-05-345678909876543.exe

description pid process target process

PID 640 set thread context of 1504 640 IMG-06-05-345678909876543.exe IMG-06-05-345678909876543.exe

description	pid	process	target process
PID 640 set thread context of 1504	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

Processes:

IMG-06-05-345678909876543.exeIMG-06-05-345678909876543.exe

pid	process
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
640	IMG-06-05-345678909876543.exe
1504	IMG-06-05-345678909876543.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

IMG-06-05-345678909876543.exeIMG-06-05-345678909876543.exe

description pid process

Token: SeDebugPrivilege 640 IMG-06-05-345678909876543.exe
Token: SeDebugPrivilege 1504 IMG-06-05-345678909876543.exe

description	pid	process
Token: SeDebugPrivilege	640	IMG-06-05-345678909876543.exe
Token: SeDebugPrivilege	1504	IMG-06-05-345678909876543.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

IMG-06-05-345678909876543.exe

description	pid	process	target process
PID 640 wrote to memory of 1488	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe
PID 640 wrote to memory of 1488	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe
PID 640 wrote to memory of 1488	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe
PID 640 wrote to memory of 1504	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe
PID 640 wrote to memory of 1504	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe
PID 640 wrote to memory of 1504	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe
PID 640 wrote to memory of 1504	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe
PID 640 wrote to memory of 1504	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe
PID 640 wrote to memory of 1504	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe
PID 640 wrote to memory of 1504	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe
PID 640 wrote to memory of 1504	640	IMG-06-05-345678909876543.exe	IMG-06-05-345678909876543.exe

C:\Users\Admin\AppData\Local\Temp\IMG-06-05-345678909876543.exe
"C:\Users\Admin\AppData\Local\Temp\IMG-06-05-345678909876543.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\IMG-06-05-345678909876543.exe
"C:\Users\Admin\AppData\Local\Temp\IMG-06-05-345678909876543.exe"
2⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\IMG-06-05-345678909876543.exe
"C:\Users\Admin\AppData\Local\Temp\IMG-06-05-345678909876543.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-114-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/640-116-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/640-117-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/640-118-0x0000000004D00000-0x00000000051FE000-memory.dmp

Filesize
5.0MB

Download
memory/640-119-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/640-120-0x0000000004E80000-0x0000000004EA5000-memory.dmp

Filesize
148KB

Download
memory/640-121-0x0000000008620000-0x0000000008621000-memory.dmp

Filesize
4KB

Download
memory/640-122-0x0000000004D00000-0x00000000051FE000-memory.dmp

Filesize
5.0MB

Download
memory/640-123-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/640-124-0x0000000004D00000-0x00000000051FE000-memory.dmp

Filesize
5.0MB

Download
memory/1504-125-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1504-126-0x000000000040C3BE-mapping.dmp

Download
memory/1504-129-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads