asyncrat | 9a3234c1c90aaf637ab14fb27a55c4ef9fb1c351f2b6d56a302abc6f0255f49c

General

Target

18722BAF8C4B518C0DFFBF4F37827CB9.exe
Size

45KB
MD5

18722baf8c4b518c0dffbf4f37827cb9
SHA1

d417aed0bf424562f02cfd5bd616f57c3059783c
SHA256

9a3234c1c90aaf637ab14fb27a55c4ef9fb1c351f2b6d56a302abc6f0255f49c
SHA512

b3ae36f20a592522af5a5f68daec0bd6878c2ed2191499cbddcace627370ea5dd7737959fe83ff0b2dd83aa7ad037618a357d5298c73fb7f48315d8989ff9617

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

null:null

Mutex

AsyncMutex_6SI4OuKnd

Attributes

aes_key
aafded797es2No3OOH0JDTQJRDm7oijE
anti_detection
false
autorun
true
bdos
false
delay
Mailify<3<3
host
null
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI4OuKnd
pastebin_config
https://pastebin.com/raw/bHKKgu6n
port
null
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\svchost.exe	asyncrat
C:\Users\Admin\AppData\Roaming\svchost.exe	asyncrat
C:\Users\Admin\AppData\Roaming\svchost.exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

768 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1528 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

820 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1600 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

18722BAF8C4B518C0DFFBF4F37827CB9.exe

pid process

528 18722BAF8C4B518C0DFFBF4F37827CB9.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

18722BAF8C4B518C0DFFBF4F37827CB9.exesvchost.exe

description pid process

Token: SeDebugPrivilege 528 18722BAF8C4B518C0DFFBF4F37827CB9.exe
Token: SeDebugPrivilege 768 svchost.exe

pid	process
768	svchost.exe

pid	process
1528	cmd.exe

pid	process
820	schtasks.exe

pid	process
1600	timeout.exe

pid	process
528	18722BAF8C4B518C0DFFBF4F37827CB9.exe

description	pid	process
Token: SeDebugPrivilege	528	18722BAF8C4B518C0DFFBF4F37827CB9.exe
Token: SeDebugPrivilege	768	svchost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

18722BAF8C4B518C0DFFBF4F37827CB9.execmd.execmd.exe

description	pid	process	target process
PID 528 wrote to memory of 1392	528	18722BAF8C4B518C0DFFBF4F37827CB9.exe	cmd.exe
PID 528 wrote to memory of 1392	528	18722BAF8C4B518C0DFFBF4F37827CB9.exe	cmd.exe
PID 528 wrote to memory of 1392	528	18722BAF8C4B518C0DFFBF4F37827CB9.exe	cmd.exe
PID 528 wrote to memory of 1392	528	18722BAF8C4B518C0DFFBF4F37827CB9.exe	cmd.exe
PID 528 wrote to memory of 1528	528	18722BAF8C4B518C0DFFBF4F37827CB9.exe	cmd.exe
PID 528 wrote to memory of 1528	528	18722BAF8C4B518C0DFFBF4F37827CB9.exe	cmd.exe
PID 528 wrote to memory of 1528	528	18722BAF8C4B518C0DFFBF4F37827CB9.exe	cmd.exe
PID 528 wrote to memory of 1528	528	18722BAF8C4B518C0DFFBF4F37827CB9.exe	cmd.exe
PID 1392 wrote to memory of 820	1392	cmd.exe	schtasks.exe
PID 1392 wrote to memory of 820	1392	cmd.exe	schtasks.exe
PID 1392 wrote to memory of 820	1392	cmd.exe	schtasks.exe
PID 1392 wrote to memory of 820	1392	cmd.exe	schtasks.exe
PID 1528 wrote to memory of 1600	1528	cmd.exe	timeout.exe
PID 1528 wrote to memory of 1600	1528	cmd.exe	timeout.exe
PID 1528 wrote to memory of 1600	1528	cmd.exe	timeout.exe
PID 1528 wrote to memory of 1600	1528	cmd.exe	timeout.exe
PID 1528 wrote to memory of 768	1528	cmd.exe	svchost.exe
PID 1528 wrote to memory of 768	1528	cmd.exe	svchost.exe
PID 1528 wrote to memory of 768	1528	cmd.exe	svchost.exe
PID 1528 wrote to memory of 768	1528	cmd.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\18722BAF8C4B518C0DFFBF4F37827CB9.exe
"C:\Users\Admin\AppData\Local\Temp\18722BAF8C4B518C0DFFBF4F37827CB9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:820

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8085.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1600

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8085.tmp.bat
MD5
ae7410ca6438ae01ec6361956421050c

SHA1
e2e686e348635987b11ac68fd3e36ba602118532

SHA256
a7f23c6203accf5d4e16af1403b2c641a7ecb2aa4e60dc99db61893d34f7d86c

SHA512
140ed2e0937e518ee8bfb90b6423d19122b78845e2b83a54c09a61bb9dd127de407741f1d43099e0def177796a6788d0a34a6a3666394a9ecacda40121e813ce

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
18722baf8c4b518c0dffbf4f37827cb9

SHA1
d417aed0bf424562f02cfd5bd616f57c3059783c

SHA256
9a3234c1c90aaf637ab14fb27a55c4ef9fb1c351f2b6d56a302abc6f0255f49c

SHA512
b3ae36f20a592522af5a5f68daec0bd6878c2ed2191499cbddcace627370ea5dd7737959fe83ff0b2dd83aa7ad037618a357d5298c73fb7f48315d8989ff9617

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
MD5
18722baf8c4b518c0dffbf4f37827cb9

SHA1
d417aed0bf424562f02cfd5bd616f57c3059783c

SHA256
9a3234c1c90aaf637ab14fb27a55c4ef9fb1c351f2b6d56a302abc6f0255f49c

SHA512
b3ae36f20a592522af5a5f68daec0bd6878c2ed2191499cbddcace627370ea5dd7737959fe83ff0b2dd83aa7ad037618a357d5298c73fb7f48315d8989ff9617

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
MD5
18722baf8c4b518c0dffbf4f37827cb9

SHA1
d417aed0bf424562f02cfd5bd616f57c3059783c

SHA256
9a3234c1c90aaf637ab14fb27a55c4ef9fb1c351f2b6d56a302abc6f0255f49c

SHA512
b3ae36f20a592522af5a5f68daec0bd6878c2ed2191499cbddcace627370ea5dd7737959fe83ff0b2dd83aa7ad037618a357d5298c73fb7f48315d8989ff9617

Download Submit
memory/528-61-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/528-62-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/528-59-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/768-70-0x0000000000000000-mapping.dmp

Download
memory/768-75-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/768-72-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/820-66-0x0000000000000000-mapping.dmp

Download
memory/1392-63-0x0000000000000000-mapping.dmp

Download
memory/1528-64-0x0000000000000000-mapping.dmp

Download
memory/1600-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads