asyncrat | 2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792

General

Target

8D74E2EF18E68405319A1090D20A0674.exe
Size

264KB
MD5

8d74e2ef18e68405319a1090d20a0674
SHA1

363c4e86dbf7f6ab65dcc79cedb07aa52ea12ed9
SHA256

2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792
SHA512

6ab882ae5e24837037f3d18260f0b39f9f4b6110ebd2af86e14edebb6df201f389cc390e5af6213f5e93f1a238c55ace91910cf709dc82cfe709b6f49f958fd3

Score

10^/10

asyncrat persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

fact.azad.live:5380

societyf500.ddns.net:5380

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
g5ATBHeFjqZicBQcW6MmoyX0Xhwz0tjW
anti_detection
false
autorun
true
bdos
false
delay
Default
host
fact.azad.live,societyf500.ddns.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
5380
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3584-117-0x00000000022F0000-0x00000000022FC000-memory.dmp	asyncrat
behavioral2/memory/3584-119-0x0000000000400000-0x0000000000421000-memory.dmp	asyncrat
behavioral2/memory/3888-136-0x0000000002050000-0x0000000002073000-memory.dmp	asyncrat
behavioral2/memory/1604-141-0x0000000000400000-0x0000000000421000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

dwm.exedwm.exe

pid process

3888 dwm.exe
1604 dwm.exe
Loads dropped DLL 2 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exedwm.exe

pid process

3176 8D74E2EF18E68405319A1090D20A0674.exe
3888 dwm.exe

pid	process
3888	dwm.exe
1604	dwm.exe

pid	process
3176	8D74E2EF18E68405319A1090D20A0674.exe
3888	dwm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8D74E2EF18E68405319A1090D20A0674.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\dwm.exe"	8D74E2EF18E68405319A1090D20A0674.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exedwm.exe

description	pid	process	target process
PID 3176 set thread context of 3584	3176	8D74E2EF18E68405319A1090D20A0674.exe	8D74E2EF18E68405319A1090D20A0674.exe
PID 3888 set thread context of 1604	3888	dwm.exe	dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\dwm.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2320 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3376 timeout.exe

pid	process
2320	schtasks.exe

pid	process
3376	timeout.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exe

pid	process
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe
3584	8D74E2EF18E68405319A1090D20A0674.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exedwm.exe

pid process

3176 8D74E2EF18E68405319A1090D20A0674.exe
3888 dwm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exedwm.exe

description pid process

Token: SeDebugPrivilege 3584 8D74E2EF18E68405319A1090D20A0674.exe
Token: SeDebugPrivilege 1604 dwm.exe

pid	process
3176	8D74E2EF18E68405319A1090D20A0674.exe
3888	dwm.exe

description	pid	process
Token: SeDebugPrivilege	3584	8D74E2EF18E68405319A1090D20A0674.exe
Token: SeDebugPrivilege	1604	dwm.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

8D74E2EF18E68405319A1090D20A0674.exe8D74E2EF18E68405319A1090D20A0674.execmd.execmd.exedwm.exe

description	pid	process	target process
PID 3176 wrote to memory of 3584	3176	8D74E2EF18E68405319A1090D20A0674.exe	8D74E2EF18E68405319A1090D20A0674.exe
PID 3176 wrote to memory of 3584	3176	8D74E2EF18E68405319A1090D20A0674.exe	8D74E2EF18E68405319A1090D20A0674.exe
PID 3176 wrote to memory of 3584	3176	8D74E2EF18E68405319A1090D20A0674.exe	8D74E2EF18E68405319A1090D20A0674.exe
PID 3176 wrote to memory of 3584	3176	8D74E2EF18E68405319A1090D20A0674.exe	8D74E2EF18E68405319A1090D20A0674.exe
PID 3584 wrote to memory of 3968	3584	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 3584 wrote to memory of 3968	3584	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 3584 wrote to memory of 3968	3584	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 3584 wrote to memory of 3404	3584	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 3584 wrote to memory of 3404	3584	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 3584 wrote to memory of 3404	3584	8D74E2EF18E68405319A1090D20A0674.exe	cmd.exe
PID 3404 wrote to memory of 3376	3404	cmd.exe	timeout.exe
PID 3404 wrote to memory of 3376	3404	cmd.exe	timeout.exe
PID 3404 wrote to memory of 3376	3404	cmd.exe	timeout.exe
PID 3968 wrote to memory of 2320	3968	cmd.exe	schtasks.exe
PID 3968 wrote to memory of 2320	3968	cmd.exe	schtasks.exe
PID 3968 wrote to memory of 2320	3968	cmd.exe	schtasks.exe
PID 3404 wrote to memory of 3888	3404	cmd.exe	dwm.exe
PID 3404 wrote to memory of 3888	3404	cmd.exe	dwm.exe
PID 3404 wrote to memory of 3888	3404	cmd.exe	dwm.exe
PID 3888 wrote to memory of 1604	3888	dwm.exe	dwm.exe
PID 3888 wrote to memory of 1604	3888	dwm.exe	dwm.exe
PID 3888 wrote to memory of 1604	3888	dwm.exe	dwm.exe
PID 3888 wrote to memory of 1604	3888	dwm.exe	dwm.exe

C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe
"C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe
"C:\Users\Admin\AppData\Local\Temp\8D74E2EF18E68405319A1090D20A0674.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dwm" /tr '"C:\Users\Admin\AppData\Roaming\dwm.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "dwm" /tr '"C:\Users\Admin\AppData\Roaming\dwm.exe"'
4⤵
- Creates scheduled task(s)
PID:2320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7370.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3376

C:\Users\Admin\AppData\Roaming\dwm.exe
"C:\Users\Admin\AppData\Roaming\dwm.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3888

C:\Users\Admin\AppData\Roaming\dwm.exe
"C:\Users\Admin\AppData\Roaming\dwm.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ug8kkc9yylgslet6xhk
MD5
497901d339b1c1ec1ae8f6ac9343a9bb

SHA1
487fcecc43306cd8c77722b76329fb2d01d73d1f

SHA256
1d89981600c622f4e28b2863a37b31921bb24c8828170c8d1d96d7b1e704ebe0

SHA512
999cbf3aced5d3812840a6755848fb93e0140d03f6d2cb6dd69e94477f210cf029422dfa05d9e054ac29622e0c758ad85a17958cbac844d087e66d3e70395b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eg4qkktz6zvepr
MD5
6d77ea32f8214afe3278f446727ce728

SHA1
fb08a5050eb2a586c65b0fb987bcb35830765dbd

SHA256
38e8d892faa22377b1dcd14faee1652e50a404b81ec6b69467b1249a43b032f6

SHA512
aa4fc073027d1f069c5313eb38901452ac3c84c3d7756930784c5321d5d569f504786ca336f67573ba7d4df3d67af5337b4f590c059b2024389eeba5849be2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7370.tmp.bat
MD5
7b363c8dc226ca1c75bc3b98d620f689

SHA1
65c0cc2b699268334aab70e613144dec976c60f2

SHA256
ce9cf94264a118360717d7adfe126011deccccfb107f6d96e24c34b664111647

SHA512
9df8ee5286c923703820e11e3a586394826b68c4234147fd6b8000eae6058c98ef44d3721976711b266c0fba47fc8b43821545585a613d55044b3b6b44c25fa7

Download Submit
C:\Users\Admin\AppData\Roaming\dwm.exe
MD5
8d74e2ef18e68405319a1090d20a0674

SHA1
363c4e86dbf7f6ab65dcc79cedb07aa52ea12ed9

SHA256
2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792

SHA512
6ab882ae5e24837037f3d18260f0b39f9f4b6110ebd2af86e14edebb6df201f389cc390e5af6213f5e93f1a238c55ace91910cf709dc82cfe709b6f49f958fd3

Download Submit
C:\Users\Admin\AppData\Roaming\dwm.exe
MD5
8d74e2ef18e68405319a1090d20a0674

SHA1
363c4e86dbf7f6ab65dcc79cedb07aa52ea12ed9

SHA256
2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792

SHA512
6ab882ae5e24837037f3d18260f0b39f9f4b6110ebd2af86e14edebb6df201f389cc390e5af6213f5e93f1a238c55ace91910cf709dc82cfe709b6f49f958fd3

Download Submit
C:\Users\Admin\AppData\Roaming\dwm.exe
MD5
8d74e2ef18e68405319a1090d20a0674

SHA1
363c4e86dbf7f6ab65dcc79cedb07aa52ea12ed9

SHA256
2edc93f84e6911e5b86040964715868c82eb28c2b48cdbb2c72dee60cfe2f792

SHA512
6ab882ae5e24837037f3d18260f0b39f9f4b6110ebd2af86e14edebb6df201f389cc390e5af6213f5e93f1a238c55ace91910cf709dc82cfe709b6f49f958fd3

Download Submit
\Users\Admin\AppData\Local\Temp\nsm7E8E.tmp\ktjs.dll
MD5
808bcde0e218d1c449e03b7a8d8e6a85

SHA1
9bacabb5d38179ed06703124fd99247ff8c3739b

SHA256
a128457ae2a48027b291f00a53d1e299222148b8d4cec7045f204190cbba8044

SHA512
dccdad4d124ca6899d481f82ea37d742a53d4411a9df17ad167e62559b6855ff69f5546f48112af5ed8ba2ab473928233a8f4281980ae9b9e7e4d5c08a8446d6

Download Submit
\Users\Admin\AppData\Local\Temp\nssDA4.tmp\ktjs.dll
MD5
808bcde0e218d1c449e03b7a8d8e6a85

SHA1
9bacabb5d38179ed06703124fd99247ff8c3739b

SHA256
a128457ae2a48027b291f00a53d1e299222148b8d4cec7045f204190cbba8044

SHA512
dccdad4d124ca6899d481f82ea37d742a53d4411a9df17ad167e62559b6855ff69f5546f48112af5ed8ba2ab473928233a8f4281980ae9b9e7e4d5c08a8446d6

Download Submit
memory/1604-144-0x0000000004903000-0x0000000004904000-memory.dmp

Filesize
4KB

Download
memory/1604-142-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/1604-141-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1604-143-0x0000000004902000-0x0000000004903000-memory.dmp

Filesize
4KB

Download
memory/1604-137-0x000000000040188B-mapping.dmp

Download
memory/1604-145-0x0000000004904000-0x0000000004905000-memory.dmp

Filesize
4KB

Download
memory/1604-147-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1604-148-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/2320-129-0x0000000000000000-mapping.dmp

Download
memory/3176-115-0x0000000002280000-0x00000000022A3000-memory.dmp

Filesize
140KB

Download
memory/3376-128-0x0000000000000000-mapping.dmp

Download
memory/3404-126-0x0000000000000000-mapping.dmp

Download
memory/3584-122-0x00000000048C3000-0x00000000048C4000-memory.dmp

Filesize
4KB

Download
memory/3584-124-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/3584-123-0x00000000048C4000-0x00000000048C5000-memory.dmp

Filesize
4KB

Download
memory/3584-121-0x00000000048C2000-0x00000000048C3000-memory.dmp

Filesize
4KB

Download
memory/3584-119-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3584-120-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/3584-117-0x00000000022F0000-0x00000000022FC000-memory.dmp

Filesize
48KB

Download
memory/3584-116-0x000000000040188B-mapping.dmp

Download
memory/3888-136-0x0000000002050000-0x0000000002073000-memory.dmp

Filesize
140KB

Download
memory/3888-130-0x0000000000000000-mapping.dmp

Download
memory/3968-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads