asyncrat | 86a970ceae4a26b7b3cca4894885278b76aede70d85c92a2c55d9fe4d950a879

General

Target

Request For Quote.exe
Size

723KB
MD5

60b38fcb88892b72f97c72a04b03ce29
SHA1

90a9b8272b1c39aba84ceb9c53aa1b041fb61f6b
SHA256

86a970ceae4a26b7b3cca4894885278b76aede70d85c92a2c55d9fe4d950a879
SHA512

a5fe465d7fd3dc278c85be115ae060b85a069f445d3a768064e34fa51de08221368890bce5f958bc2133fbc4bfbc8393b7a0fff7a9093f80ef82dd6d8fad4477

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

kingmethod.duckdns.org:6606

kingmethod.duckdns.org:7707

kingmethod.duckdns.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
OZXGLSBOBV86soeiTb9Hf1tQxfBtCgFw
anti_detection
false
autorun
false
bdos
false
delay
Default
host
,kingmethod.duckdns.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606,7707,8808
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4056-127-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4056-128-0x000000000040C73E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

Request For Quote.exe

description pid process target process

PID 3916 set thread context of 4056 3916 Request For Quote.exe Request For Quote.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3548 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Request For Quote.exe

pid process

3916 Request For Quote.exe
3916 Request For Quote.exe
3916 Request For Quote.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Request For Quote.exeRequest For Quote.exe

description pid process

Token: SeDebugPrivilege 3916 Request For Quote.exe
Token: SeDebugPrivilege 4056 Request For Quote.exe

description	pid	process	target process
PID 3916 set thread context of 4056	3916	Request For Quote.exe	Request For Quote.exe

pid	process
3548	schtasks.exe

pid	process
3916	Request For Quote.exe
3916	Request For Quote.exe
3916	Request For Quote.exe

description	pid	process
Token: SeDebugPrivilege	3916	Request For Quote.exe
Token: SeDebugPrivilege	4056	Request For Quote.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Request For Quote.exe

description	pid	process	target process
PID 3916 wrote to memory of 3548	3916	Request For Quote.exe	schtasks.exe
PID 3916 wrote to memory of 3548	3916	Request For Quote.exe	schtasks.exe
PID 3916 wrote to memory of 3548	3916	Request For Quote.exe	schtasks.exe
PID 3916 wrote to memory of 3652	3916	Request For Quote.exe	Request For Quote.exe
PID 3916 wrote to memory of 3652	3916	Request For Quote.exe	Request For Quote.exe
PID 3916 wrote to memory of 3652	3916	Request For Quote.exe	Request For Quote.exe
PID 3916 wrote to memory of 4056	3916	Request For Quote.exe	Request For Quote.exe
PID 3916 wrote to memory of 4056	3916	Request For Quote.exe	Request For Quote.exe
PID 3916 wrote to memory of 4056	3916	Request For Quote.exe	Request For Quote.exe
PID 3916 wrote to memory of 4056	3916	Request For Quote.exe	Request For Quote.exe
PID 3916 wrote to memory of 4056	3916	Request For Quote.exe	Request For Quote.exe
PID 3916 wrote to memory of 4056	3916	Request For Quote.exe	Request For Quote.exe
PID 3916 wrote to memory of 4056	3916	Request For Quote.exe	Request For Quote.exe
PID 3916 wrote to memory of 4056	3916	Request For Quote.exe	Request For Quote.exe

C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wTWgfPg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC024.tmp"
2⤵
- Creates scheduled task(s)
PID:3548

C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe"
2⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe
"C:\Users\Admin\AppData\Local\Temp\Request For Quote.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Request For Quote.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC024.tmp
MD5
e99b1c98f3a43a252eae45521ff2d50a

SHA1
94acaf12c621be6a426993f634403e4b51e32ee9

SHA256
62a5bf3f69a7feeddfa571271dc73b188d946e70700e5182f4667ad9f4b4fa64

SHA512
2e8c83d70d543bcb0adb00cf0afe785d50b1501c2e954d1a50247d91d8c24a8f6c1f6a62102c4c3bba2f95610d4cbe9675736e23ec02e48b1d1a00c313ef59eb

Download Submit
memory/3548-125-0x0000000000000000-mapping.dmp

Download
memory/3916-123-0x0000000005AF0000-0x0000000005B5F000-memory.dmp

Filesize
444KB

Download
memory/3916-118-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/3916-120-0x0000000005870000-0x0000000005871000-memory.dmp

Filesize
4KB

Download
memory/3916-121-0x0000000005640000-0x000000000565E000-memory.dmp

Filesize
120KB

Download
memory/3916-122-0x0000000005670000-0x0000000005B6E000-memory.dmp

Filesize
5.0MB

Download
memory/3916-114-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3916-124-0x0000000008740000-0x0000000008768000-memory.dmp

Filesize
160KB

Download
memory/3916-119-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/3916-117-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/3916-116-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/4056-128-0x000000000040C73E-mapping.dmp

Download
memory/4056-127-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4056-132-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download
memory/4056-135-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads