asyncrat | 643bb75abd587887ae08a595d8c194324896a35e67e7e1f9d0cbca072d80a35f

General

Target

purchase order 0234.exe
Size

810KB
MD5

b7293e08d74bd46679ba9d8676c905ad
SHA1

b64e7adaa11fa0d7ef383812978ffb0346d4ccf9
SHA256

643bb75abd587887ae08a595d8c194324896a35e67e7e1f9d0cbca072d80a35f
SHA512

125e62710e469b5349bc4d7b5415273fabc3c73883b41cd797512c5e7867f7af2ab4f228b2017e6921a86fde6479b41580729ba36b42172ce150edf783a0f9a4

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

185.140.53.143:7707

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
UVVbfz0hjdu2nFdIsYB5P1g2SduP4tkw
anti_detection
false
autorun
false
bdos
false
delay
Default
host
185.140.53.143
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
7707
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1308-126-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1308-127-0x000000000040C71E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

purchase order 0234.exe

description pid process target process

PID 2256 set thread context of 1308 2256 purchase order 0234.exe purchase order 0234.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3332 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

purchase order 0234.exe

pid process

2256 purchase order 0234.exe
2256 purchase order 0234.exe
2256 purchase order 0234.exe
2256 purchase order 0234.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

purchase order 0234.exe

description pid process

Token: SeDebugPrivilege 2256 purchase order 0234.exe

description	pid	process	target process
PID 2256 set thread context of 1308	2256	purchase order 0234.exe	purchase order 0234.exe

pid	process
3332	schtasks.exe

pid	process
2256	purchase order 0234.exe
2256	purchase order 0234.exe
2256	purchase order 0234.exe
2256	purchase order 0234.exe

description	pid	process
Token: SeDebugPrivilege	2256	purchase order 0234.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

purchase order 0234.exe

description	pid	process	target process
PID 2256 wrote to memory of 3332	2256	purchase order 0234.exe	schtasks.exe
PID 2256 wrote to memory of 3332	2256	purchase order 0234.exe	schtasks.exe
PID 2256 wrote to memory of 3332	2256	purchase order 0234.exe	schtasks.exe
PID 2256 wrote to memory of 1308	2256	purchase order 0234.exe	purchase order 0234.exe
PID 2256 wrote to memory of 1308	2256	purchase order 0234.exe	purchase order 0234.exe
PID 2256 wrote to memory of 1308	2256	purchase order 0234.exe	purchase order 0234.exe
PID 2256 wrote to memory of 1308	2256	purchase order 0234.exe	purchase order 0234.exe
PID 2256 wrote to memory of 1308	2256	purchase order 0234.exe	purchase order 0234.exe
PID 2256 wrote to memory of 1308	2256	purchase order 0234.exe	purchase order 0234.exe
PID 2256 wrote to memory of 1308	2256	purchase order 0234.exe	purchase order 0234.exe
PID 2256 wrote to memory of 1308	2256	purchase order 0234.exe	purchase order 0234.exe

C:\Users\Admin\AppData\Local\Temp\purchase order 0234.exe
"C:\Users\Admin\AppData\Local\Temp\purchase order 0234.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kgXAYFo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD7B8.tmp"
2⤵
- Creates scheduled task(s)
PID:3332

C:\Users\Admin\AppData\Local\Temp\purchase order 0234.exe
"{path}"
2⤵
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD7B8.tmp
MD5
86a2a33391f86ff7c23f68429094d55d

SHA1
1eeb68c9191881b66f657378ae2f539280845a02

SHA256
0187cbd25716c2efc30d7e9f4412f2c515caeebae1edd6b5dbfe4051ab89e2c0

SHA512
a5ff7e7e63b0603ea0d4311ffffd9a70647c157bbfd84a12beff3fc297b827bdc39401246621d17a1db80a8817f20134498b5cef1ff62f62bc4bded132c17251

Download Submit
memory/1308-130-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/1308-127-0x000000000040C71E-mapping.dmp

Download
memory/1308-126-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2256-121-0x0000000004F20000-0x0000000004F2E000-memory.dmp

Filesize
56KB

Download
memory/2256-120-0x0000000009790000-0x0000000009791000-memory.dmp

Filesize
4KB

Download
memory/2256-114-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/2256-122-0x0000000005880000-0x00000000058F9000-memory.dmp

Filesize
484KB

Download
memory/2256-123-0x0000000005F00000-0x0000000005F28000-memory.dmp

Filesize
160KB

Download
memory/2256-119-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2256-118-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/2256-117-0x0000000007D30000-0x0000000007D31000-memory.dmp

Filesize
4KB

Download
memory/2256-116-0x0000000008150000-0x0000000008151000-memory.dmp

Filesize
4KB

Download
memory/3332-124-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads