asyncrat | 643bb75abd587887ae08a595d8c194324896a35e67e7e1f9d0cbca072d80a35f

General

Target

purchase order 0234.exe
Size

810KB
MD5

b7293e08d74bd46679ba9d8676c905ad
SHA1

b64e7adaa11fa0d7ef383812978ffb0346d4ccf9
SHA256

643bb75abd587887ae08a595d8c194324896a35e67e7e1f9d0cbca072d80a35f
SHA512

125e62710e469b5349bc4d7b5415273fabc3c73883b41cd797512c5e7867f7af2ab4f228b2017e6921a86fde6479b41580729ba36b42172ce150edf783a0f9a4

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

185.140.53.143:7707

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
UVVbfz0hjdu2nFdIsYB5P1g2SduP4tkw
anti_detection
false
autorun
false
bdos
false
delay
Default
host
185.140.53.143
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
7707
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/576-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/576-69-0x000000000040C71E-mapping.dmp	asyncrat
behavioral1/memory/576-70-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

purchase order 0234.exe

description pid process target process

PID 784 set thread context of 576 784 purchase order 0234.exe purchase order 0234.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

688 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

purchase order 0234.exe

pid process

784 purchase order 0234.exe
784 purchase order 0234.exe
784 purchase order 0234.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

purchase order 0234.exe

description pid process

Token: SeDebugPrivilege 784 purchase order 0234.exe

description	pid	process	target process
PID 784 set thread context of 576	784	purchase order 0234.exe	purchase order 0234.exe

pid	process
688	schtasks.exe

pid	process
784	purchase order 0234.exe
784	purchase order 0234.exe
784	purchase order 0234.exe

description	pid	process
Token: SeDebugPrivilege	784	purchase order 0234.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

purchase order 0234.exe

description	pid	process	target process
PID 784 wrote to memory of 688	784	purchase order 0234.exe	schtasks.exe
PID 784 wrote to memory of 688	784	purchase order 0234.exe	schtasks.exe
PID 784 wrote to memory of 688	784	purchase order 0234.exe	schtasks.exe
PID 784 wrote to memory of 688	784	purchase order 0234.exe	schtasks.exe
PID 784 wrote to memory of 576	784	purchase order 0234.exe	purchase order 0234.exe
PID 784 wrote to memory of 576	784	purchase order 0234.exe	purchase order 0234.exe
PID 784 wrote to memory of 576	784	purchase order 0234.exe	purchase order 0234.exe
PID 784 wrote to memory of 576	784	purchase order 0234.exe	purchase order 0234.exe
PID 784 wrote to memory of 576	784	purchase order 0234.exe	purchase order 0234.exe
PID 784 wrote to memory of 576	784	purchase order 0234.exe	purchase order 0234.exe
PID 784 wrote to memory of 576	784	purchase order 0234.exe	purchase order 0234.exe
PID 784 wrote to memory of 576	784	purchase order 0234.exe	purchase order 0234.exe
PID 784 wrote to memory of 576	784	purchase order 0234.exe	purchase order 0234.exe

C:\Users\Admin\AppData\Local\Temp\purchase order 0234.exe
"C:\Users\Admin\AppData\Local\Temp\purchase order 0234.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kgXAYFo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1FFF.tmp"
2⤵
- Creates scheduled task(s)
PID:688

C:\Users\Admin\AppData\Local\Temp\purchase order 0234.exe
"{path}"
2⤵
PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1FFF.tmp
MD5
d4209416452a112796c13fbcbaf68c75

SHA1
82d63eb0d68e698d88b0999ddce1820cebb30d5f

SHA256
f512b817a6c6a6af6734c6e402a9426037d98d2052aa9a78820c2baa6271347f

SHA512
df8094092de74e16c07314bc9b2bdba1e34837266749c73262a9f2e409f556f4b942cab1fe8f4aa9e068cc512e72d0fadb992261b8c6fa74bb0bc762b3c92737

Download Submit
memory/576-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/576-69-0x000000000040C71E-mapping.dmp

Download
memory/576-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/576-72-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/576-73-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/688-66-0x0000000000000000-mapping.dmp

Download
memory/784-60-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/784-62-0x0000000006F30000-0x0000000006F31000-memory.dmp

Filesize
4KB

Download
memory/784-63-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/784-64-0x0000000004CA0000-0x0000000004D19000-memory.dmp

Filesize
484KB

Download
memory/784-65-0x00000000005C0000-0x00000000005E8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads