asyncrat | 2f26650c608fd0f9a206313627fc9274e5149f3a91000a4efd22edad7e66a380

General

Target

b0b110907b803c315662fafcf1893595.exe
Size

525KB
MD5

b0b110907b803c315662fafcf1893595
SHA1

f3afc612ea9b2aeecacb4b4e1792b6b1800ef870
SHA256

2f26650c608fd0f9a206313627fc9274e5149f3a91000a4efd22edad7e66a380
SHA512

e3beb668ce9745064a6f74df99ef45bfab1cb4f908a9628174e506d725a00ca9c4c2c875cd6e2b4659bcfe596adf05715e4842286cada05ab7f20396b181ba19

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

icando.ug:6970

icacxndo.ac.ug:6970

Mutex

6SI8OkPnkxzcasd

Attributes

aes_key
rkDO6u9Rg2tQZ5crWRxI7ttwjOqPWDog
anti_detection
false
autorun
false
bdos
false
delay
XX
host
icando.ug,icacxndo.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
6SI8OkPnkxzcasd
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1584-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1584-68-0x000000000040C71E-mapping.dmp	asyncrat
behavioral1/memory/1584-69-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

b0b110907b803c315662fafcf1893595.exe

description pid process target process

PID 1028 set thread context of 1584 1028 b0b110907b803c315662fafcf1893595.exe b0b110907b803c315662fafcf1893595.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

528 schtasks.exe

description	pid	process	target process
PID 1028 set thread context of 1584	1028	b0b110907b803c315662fafcf1893595.exe	b0b110907b803c315662fafcf1893595.exe

pid	process
528	schtasks.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

b0b110907b803c315662fafcf1893595.exe

description	pid	process	target process
PID 1028 wrote to memory of 528	1028	b0b110907b803c315662fafcf1893595.exe	schtasks.exe
PID 1028 wrote to memory of 528	1028	b0b110907b803c315662fafcf1893595.exe	schtasks.exe
PID 1028 wrote to memory of 528	1028	b0b110907b803c315662fafcf1893595.exe	schtasks.exe
PID 1028 wrote to memory of 528	1028	b0b110907b803c315662fafcf1893595.exe	schtasks.exe
PID 1028 wrote to memory of 1584	1028	b0b110907b803c315662fafcf1893595.exe	b0b110907b803c315662fafcf1893595.exe
PID 1028 wrote to memory of 1584	1028	b0b110907b803c315662fafcf1893595.exe	b0b110907b803c315662fafcf1893595.exe
PID 1028 wrote to memory of 1584	1028	b0b110907b803c315662fafcf1893595.exe	b0b110907b803c315662fafcf1893595.exe
PID 1028 wrote to memory of 1584	1028	b0b110907b803c315662fafcf1893595.exe	b0b110907b803c315662fafcf1893595.exe
PID 1028 wrote to memory of 1584	1028	b0b110907b803c315662fafcf1893595.exe	b0b110907b803c315662fafcf1893595.exe
PID 1028 wrote to memory of 1584	1028	b0b110907b803c315662fafcf1893595.exe	b0b110907b803c315662fafcf1893595.exe
PID 1028 wrote to memory of 1584	1028	b0b110907b803c315662fafcf1893595.exe	b0b110907b803c315662fafcf1893595.exe
PID 1028 wrote to memory of 1584	1028	b0b110907b803c315662fafcf1893595.exe	b0b110907b803c315662fafcf1893595.exe
PID 1028 wrote to memory of 1584	1028	b0b110907b803c315662fafcf1893595.exe	b0b110907b803c315662fafcf1893595.exe

C:\Users\Admin\AppData\Local\Temp\b0b110907b803c315662fafcf1893595.exe
"C:\Users\Admin\AppData\Local\Temp\b0b110907b803c315662fafcf1893595.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ddoAzF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp49FB.tmp"
2⤵
- Creates scheduled task(s)
PID:528

C:\Users\Admin\AppData\Local\Temp\b0b110907b803c315662fafcf1893595.exe
"{path}"
2⤵
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp49FB.tmp
MD5
8d623187b28ca9c7e6abe0f9b67b3869

SHA1
d2f570a8866b729f40c0affafad8758d9139ddee

SHA256
c477c91808f1182ce06eb0e0f52a41980d5d822e8c7db4377e670274505cca46

SHA512
7c46cab850c9835096e45583c73abb08cfc7249b1e475dc8afdf64f2e4951ca9d014d00ed45fdbb961dc274d7bfe01a783b2b893304ccc1daebb38fb57e33bbc

Download Submit
memory/528-65-0x0000000000000000-mapping.dmp

Download
memory/1028-59-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1028-61-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/1028-62-0x00000000003A0000-0x00000000003A2000-memory.dmp

Filesize
8KB

Download
memory/1028-63-0x0000000005920000-0x00000000059A1000-memory.dmp

Filesize
516KB

Download
memory/1028-64-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/1584-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1584-68-0x000000000040C71E-mapping.dmp

Download
memory/1584-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1584-71-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1584-72-0x0000000004750000-0x0000000004751000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads