asyncrat | fc15f958384227e0df809fe1f0e043c2c596d88d0de5b6c799799529626a414c

General

Target

Letter of Demand.doc
Size

36KB
MD5

55fc048da179b62b3bb1ba86120ed35d
SHA1

55b2f166b64ff820287bf7dd27ee6249df73cbc2
SHA256

fc15f958384227e0df809fe1f0e043c2c596d88d0de5b6c799799529626a414c
SHA512

101d32109ddcbdfcbd5955281809cf078a95cac2be962585bb2f85590dbab475210439a9fcad605ab4950bfbee526b6c40e046a904c46759a04eca9df7f8ac95

Score

10^/10

asyncrat rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

185.136.169.24:6606

185.136.169.24:7707

185.136.169.24:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
LGDVTniOeH5YeueYvvfJNtR2bIW9Ox7U
anti_detection
false
autorun
false
bdos
false
delay
Em-Gee
host
185.136.169.24
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606,7707,8808
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2036-78-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2036-79-0x000000000040C71E-mapping.dmp	asyncrat
behavioral1/memory/2036-81-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

qQFHf.exeqQFHf.exe

pid process

1012 qQFHf.exe
2036 qQFHf.exe
Loads dropped DLL 2 IoCs

Processes:

WINWORD.EXEqQFHf.exe

pid process

1632 WINWORD.EXE
1012 qQFHf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

qQFHf.exe

description pid process target process

PID 1012 set thread context of 2036 1012 qQFHf.exe qQFHf.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

564 schtasks.exe

pid	process
1012	qQFHf.exe
2036	qQFHf.exe

pid	process
1632	WINWORD.EXE
1012	qQFHf.exe

description	pid	process	target process
PID 1012 set thread context of 2036	1012	qQFHf.exe	qQFHf.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
564	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1632 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

qQFHf.exe

pid process

1012 qQFHf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

qQFHf.exeqQFHf.exe

description pid process

Token: SeDebugPrivilege 1012 qQFHf.exe
Token: SeDebugPrivilege 2036 qQFHf.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1632 WINWORD.EXE
1632 WINWORD.EXE

pid	process
1632	WINWORD.EXE

pid	process
1012	qQFHf.exe

description	pid	process
Token: SeDebugPrivilege	1012	qQFHf.exe
Token: SeDebugPrivilege	2036	qQFHf.exe

pid	process
1632	WINWORD.EXE
1632	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WINWORD.EXEqQFHf.exe

description	pid	process	target process
PID 1632 wrote to memory of 1216	1632	WINWORD.EXE	splwow64.exe
PID 1632 wrote to memory of 1216	1632	WINWORD.EXE	splwow64.exe
PID 1632 wrote to memory of 1216	1632	WINWORD.EXE	splwow64.exe
PID 1632 wrote to memory of 1216	1632	WINWORD.EXE	splwow64.exe
PID 1632 wrote to memory of 1012	1632	WINWORD.EXE	qQFHf.exe
PID 1632 wrote to memory of 1012	1632	WINWORD.EXE	qQFHf.exe
PID 1632 wrote to memory of 1012	1632	WINWORD.EXE	qQFHf.exe
PID 1632 wrote to memory of 1012	1632	WINWORD.EXE	qQFHf.exe
PID 1012 wrote to memory of 564	1012	qQFHf.exe	schtasks.exe
PID 1012 wrote to memory of 564	1012	qQFHf.exe	schtasks.exe
PID 1012 wrote to memory of 564	1012	qQFHf.exe	schtasks.exe
PID 1012 wrote to memory of 564	1012	qQFHf.exe	schtasks.exe
PID 1012 wrote to memory of 2036	1012	qQFHf.exe	qQFHf.exe
PID 1012 wrote to memory of 2036	1012	qQFHf.exe	qQFHf.exe
PID 1012 wrote to memory of 2036	1012	qQFHf.exe	qQFHf.exe
PID 1012 wrote to memory of 2036	1012	qQFHf.exe	qQFHf.exe
PID 1012 wrote to memory of 2036	1012	qQFHf.exe	qQFHf.exe
PID 1012 wrote to memory of 2036	1012	qQFHf.exe	qQFHf.exe
PID 1012 wrote to memory of 2036	1012	qQFHf.exe	qQFHf.exe
PID 1012 wrote to memory of 2036	1012	qQFHf.exe	qQFHf.exe
PID 1012 wrote to memory of 2036	1012	qQFHf.exe	qQFHf.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Letter of Demand.doc"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\qQFHf.exe
C:\Users\Admin\AppData\Local\Temp\qQFHf.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\azzBJWZB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp"
3⤵
- Creates scheduled task(s)
PID:564

C:\Users\Admin\AppData\Local\Temp\qQFHf.exe
"{path}"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qQFHf.exe
MD5
d2090d6b03c4c37de4e1e8e615d578b2

SHA1
b18d58d947d4f0ea9a215bed4b279b555c299270

SHA256
cd933deed6ad151dbc88561ea55dc128b464843b481a474b94ab909e0bcef85d

SHA512
a19478748f18957c9ff9c487d27f946faa1272c6fae4293393a133156e2793b4cf0d827757cfd07014c81842b4c02117f1a6e2d443af46f4b345d0ec4bb9621a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQFHf.exe
MD5
d2090d6b03c4c37de4e1e8e615d578b2

SHA1
b18d58d947d4f0ea9a215bed4b279b555c299270

SHA256
cd933deed6ad151dbc88561ea55dc128b464843b481a474b94ab909e0bcef85d

SHA512
a19478748f18957c9ff9c487d27f946faa1272c6fae4293393a133156e2793b4cf0d827757cfd07014c81842b4c02117f1a6e2d443af46f4b345d0ec4bb9621a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQFHf.exe
MD5
d2090d6b03c4c37de4e1e8e615d578b2

SHA1
b18d58d947d4f0ea9a215bed4b279b555c299270

SHA256
cd933deed6ad151dbc88561ea55dc128b464843b481a474b94ab909e0bcef85d

SHA512
a19478748f18957c9ff9c487d27f946faa1272c6fae4293393a133156e2793b4cf0d827757cfd07014c81842b4c02117f1a6e2d443af46f4b345d0ec4bb9621a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp166E.tmp
MD5
5eb656fbce8cfac0fe07ea3a131f3182

SHA1
976d1a73078365fc25d17e2398444123ce6c4b17

SHA256
ec45a74791ecda33d31df88cd5fa1fafac3d2f2f2183c3e96832ac8a617f5e89

SHA512
6b048a2d16f260c47d281f60ec70e07b84f1197375247989f388b2d1a894a4cf2f9d1bd648039e8d56b695b88800e359086a2cf6c093f13a4adcd717d70599b1

Download Submit
\Users\Admin\AppData\Local\Temp\qQFHf.exe
MD5
d2090d6b03c4c37de4e1e8e615d578b2

SHA1
b18d58d947d4f0ea9a215bed4b279b555c299270

SHA256
cd933deed6ad151dbc88561ea55dc128b464843b481a474b94ab909e0bcef85d

SHA512
a19478748f18957c9ff9c487d27f946faa1272c6fae4293393a133156e2793b4cf0d827757cfd07014c81842b4c02117f1a6e2d443af46f4b345d0ec4bb9621a

Download Submit
\Users\Admin\AppData\Local\Temp\qQFHf.exe
MD5
d2090d6b03c4c37de4e1e8e615d578b2

SHA1
b18d58d947d4f0ea9a215bed4b279b555c299270

SHA256
cd933deed6ad151dbc88561ea55dc128b464843b481a474b94ab909e0bcef85d

SHA512
a19478748f18957c9ff9c487d27f946faa1272c6fae4293393a133156e2793b4cf0d827757cfd07014c81842b4c02117f1a6e2d443af46f4b345d0ec4bb9621a

Download Submit
memory/564-75-0x0000000000000000-mapping.dmp

Download
memory/1012-69-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1012-71-0x0000000004950000-0x0000000004951000-memory.dmp

Filesize
4KB

Download
memory/1012-72-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/1012-73-0x00000000057A0000-0x0000000005819000-memory.dmp

Filesize
484KB

Download
memory/1012-74-0x0000000000780000-0x00000000007A9000-memory.dmp

Filesize
164KB

Download
memory/1012-66-0x0000000000000000-mapping.dmp

Download
memory/1216-64-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download
memory/1216-63-0x0000000000000000-mapping.dmp

Download
memory/1632-61-0x00000000705B1000-0x00000000705B3000-memory.dmp

Filesize
8KB

Download
memory/1632-60-0x0000000072B31000-0x0000000072B34000-memory.dmp

Filesize
12KB

Download
memory/1632-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1632-89-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2036-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-81-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2036-83-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/2036-84-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/2036-85-0x00000000056A0000-0x0000000005719000-memory.dmp

Filesize
484KB

Download
memory/2036-86-0x00000000005E0000-0x00000000005E4000-memory.dmp

Filesize
16KB

Download
memory/2036-87-0x0000000006310000-0x000000000639D000-memory.dmp

Filesize
564KB

Download
memory/2036-88-0x0000000005A90000-0x0000000005AE9000-memory.dmp

Filesize
356KB

Download
memory/2036-79-0x000000000040C71E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads