asyncrat | 17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

General

Target

ASTRO-GREP.bin.exe
Size

47KB
MD5

432f0e0aab658de046d8b41d2cef8253
SHA1

7ba5b175ffb4bb976c54177f9c40a7339a088654
SHA256

17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb
SHA512

bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

null:null

Mutex

Mutex_6SI8OkPnk

Attributes

aes_key
ZgOTIhSVzSTSosv4ITYrzailHXWOHyEM
anti_detection
true
autorun
true
bdos
false
delay
SWARM-SHOP
host
null
hwid
20
install_file
install_folder
%AppData%
mutex
Mutex_6SI8OkPnk
pastebin_config
https://pastebin.com/raw/VTByvKGM
port
null
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\astro-grep.exe	asyncrat
C:\Users\Admin\AppData\Roaming\astro-grep.exe	asyncrat
C:\Users\Admin\AppData\Roaming\astro-grep.exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

astro-grep.exe

pid process

808 astro-grep.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

996 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

324 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1972 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ASTRO-GREP.bin.exe

pid process

1104 ASTRO-GREP.bin.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ASTRO-GREP.bin.exeastro-grep.exe

description pid process

Token: SeDebugPrivilege 1104 ASTRO-GREP.bin.exe
Token: SeDebugPrivilege 808 astro-grep.exe

pid	process
808	astro-grep.exe

pid	process
996	cmd.exe

pid	process
324	schtasks.exe

pid	process
1972	timeout.exe

pid	process
1104	ASTRO-GREP.bin.exe

description	pid	process
Token: SeDebugPrivilege	1104	ASTRO-GREP.bin.exe
Token: SeDebugPrivilege	808	astro-grep.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

ASTRO-GREP.bin.execmd.execmd.exe

description	pid	process	target process
PID 1104 wrote to memory of 1128	1104	ASTRO-GREP.bin.exe	cmd.exe
PID 1104 wrote to memory of 1128	1104	ASTRO-GREP.bin.exe	cmd.exe
PID 1104 wrote to memory of 1128	1104	ASTRO-GREP.bin.exe	cmd.exe
PID 1104 wrote to memory of 1128	1104	ASTRO-GREP.bin.exe	cmd.exe
PID 1104 wrote to memory of 996	1104	ASTRO-GREP.bin.exe	cmd.exe
PID 1104 wrote to memory of 996	1104	ASTRO-GREP.bin.exe	cmd.exe
PID 1104 wrote to memory of 996	1104	ASTRO-GREP.bin.exe	cmd.exe
PID 1104 wrote to memory of 996	1104	ASTRO-GREP.bin.exe	cmd.exe
PID 1128 wrote to memory of 324	1128	cmd.exe	schtasks.exe
PID 1128 wrote to memory of 324	1128	cmd.exe	schtasks.exe
PID 1128 wrote to memory of 324	1128	cmd.exe	schtasks.exe
PID 1128 wrote to memory of 324	1128	cmd.exe	schtasks.exe
PID 996 wrote to memory of 1972	996	cmd.exe	timeout.exe
PID 996 wrote to memory of 1972	996	cmd.exe	timeout.exe
PID 996 wrote to memory of 1972	996	cmd.exe	timeout.exe
PID 996 wrote to memory of 1972	996	cmd.exe	timeout.exe
PID 996 wrote to memory of 808	996	cmd.exe	astro-grep.exe
PID 996 wrote to memory of 808	996	cmd.exe	astro-grep.exe
PID 996 wrote to memory of 808	996	cmd.exe	astro-grep.exe
PID 996 wrote to memory of 808	996	cmd.exe	astro-grep.exe

C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.bin.exe
"C:\Users\Admin\AppData\Local\Temp\ASTRO-GREP.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "astro-grep" /tr '"C:\Users\Admin\AppData\Roaming\astro-grep.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "astro-grep" /tr '"C:\Users\Admin\AppData\Roaming\astro-grep.exe"'
3⤵
- Creates scheduled task(s)
PID:324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp898.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1972

C:\Users\Admin\AppData\Roaming\astro-grep.exe
"C:\Users\Admin\AppData\Roaming\astro-grep.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp898.tmp.bat
MD5
fcbfaa89b344aa623d5b6bdc0a05c82c

SHA1
9d5fd0f2f786b06fc6eeb2dccd0e7a7d652c0d82

SHA256
5e16f030cda2090ed44e432c43cd82205789ff584fbea5e36ee9dd17f7942e3b

SHA512
f2f62e0f958bde7138450a1c5305650d5fb88654a1550b5af8d2844a60932f12b3999464bec0adb28d9f2945f4a860734067f318037e840024a50526fbe428c1

Download Submit
C:\Users\Admin\AppData\Roaming\astro-grep.exe
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
C:\Users\Admin\AppData\Roaming\astro-grep.exe
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
\Users\Admin\AppData\Roaming\astro-grep.exe
MD5
432f0e0aab658de046d8b41d2cef8253

SHA1
7ba5b175ffb4bb976c54177f9c40a7339a088654

SHA256
17d1c0045155ad9c523c07e0f37aa16cd036915f38b73090d8d8ba930db149fb

SHA512
bac97805d8fcba49b7bde5067911b293622c610a65f2a2fc527a6c890be8e79c6ca9c9676786b1eaac19ecbdb16562efee2d7c985707fc04e57e4e3033c75b0b

Download Submit
memory/324-66-0x0000000000000000-mapping.dmp

Download
memory/808-70-0x0000000000000000-mapping.dmp

Download
memory/808-72-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/808-75-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/996-64-0x0000000000000000-mapping.dmp

Download
memory/1104-59-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/1104-62-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/1104-61-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1128-63-0x0000000000000000-mapping.dmp

Download
memory/1972-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads