asyncrat | 2e150347b1355fa8b940ee1e4cede6663f2040729c05b719a5805d948e5c868a

General

Target

Voc684613.exe
Size

793KB
MD5

3d40326708b7186af8226903bacd81aa
SHA1

6c4b885d599da487929528345bb0c507eb61d7c0
SHA256

2e150347b1355fa8b940ee1e4cede6663f2040729c05b719a5805d948e5c868a
SHA512

1b6825246f46d228d138781588acb0a594ed2ffeaa5665ba75365c5609d30183a73428b504ec0e1e68361bf13f6632f726d88c2391bcef0519d1ba392577fa2e

Score

10^/10

asyncrat rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

ericanabou.duckdns.org:6606

ericanabou.duckdns.org:7707

ericanabou.duckdns.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
4kJtWmou5B8Pyku5qYd1MCPGzkoPTXE7
anti_detection
false
autorun
false
bdos
false
delay
Default
host
ericanabou.duckdns.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606,7707,8808
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3680-128-0x000000000040C73E-mapping.dmp	asyncrat
behavioral2/memory/3680-127-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

Voc684613.exe

description pid process target process

PID 3128 set thread context of 3680 3128 Voc684613.exe Voc684613.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1996 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Voc684613.exe

pid process

3128 Voc684613.exe
3128 Voc684613.exe
3128 Voc684613.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Voc684613.exeVoc684613.exe

description pid process

Token: SeDebugPrivilege 3128 Voc684613.exe
Token: SeDebugPrivilege 3680 Voc684613.exe

description	pid	process	target process
PID 3128 set thread context of 3680	3128	Voc684613.exe	Voc684613.exe

pid	process
1996	schtasks.exe

pid	process
3128	Voc684613.exe
3128	Voc684613.exe
3128	Voc684613.exe

description	pid	process
Token: SeDebugPrivilege	3128	Voc684613.exe
Token: SeDebugPrivilege	3680	Voc684613.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Voc684613.exe

description	pid	process	target process
PID 3128 wrote to memory of 1996	3128	Voc684613.exe	schtasks.exe
PID 3128 wrote to memory of 1996	3128	Voc684613.exe	schtasks.exe
PID 3128 wrote to memory of 1996	3128	Voc684613.exe	schtasks.exe
PID 3128 wrote to memory of 4084	3128	Voc684613.exe	Voc684613.exe
PID 3128 wrote to memory of 4084	3128	Voc684613.exe	Voc684613.exe
PID 3128 wrote to memory of 4084	3128	Voc684613.exe	Voc684613.exe
PID 3128 wrote to memory of 3680	3128	Voc684613.exe	Voc684613.exe
PID 3128 wrote to memory of 3680	3128	Voc684613.exe	Voc684613.exe
PID 3128 wrote to memory of 3680	3128	Voc684613.exe	Voc684613.exe
PID 3128 wrote to memory of 3680	3128	Voc684613.exe	Voc684613.exe
PID 3128 wrote to memory of 3680	3128	Voc684613.exe	Voc684613.exe
PID 3128 wrote to memory of 3680	3128	Voc684613.exe	Voc684613.exe
PID 3128 wrote to memory of 3680	3128	Voc684613.exe	Voc684613.exe
PID 3128 wrote to memory of 3680	3128	Voc684613.exe	Voc684613.exe

C:\Users\Admin\AppData\Local\Temp\Voc684613.exe
"C:\Users\Admin\AppData\Local\Temp\Voc684613.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\akyiPO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5F5.tmp"
2⤵
- Creates scheduled task(s)
PID:1996

C:\Users\Admin\AppData\Local\Temp\Voc684613.exe
"C:\Users\Admin\AppData\Local\Temp\Voc684613.exe"
2⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\Voc684613.exe
"C:\Users\Admin\AppData\Local\Temp\Voc684613.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Voc684613.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA5F5.tmp
MD5
f3e9b38aaa4120e01e756646c9498c00

SHA1
cf31a81b642cd8ed0357f81bef7283d18df95241

SHA256
4423d626ff05a391b8b7e759b1a8669c9ce8692b4f5a866fd1e1817a9282f23e

SHA512
7e1d67b2c2ee4f187c045247a797ff6011c2e7fca7568d92ccebfd719f631cc3378456550cf789c360abebb929d4a4acb834771716516f564413efcd065a8c1f

Download Submit
memory/1996-125-0x0000000000000000-mapping.dmp

Download
memory/3128-123-0x0000000000960000-0x00000000009B3000-memory.dmp

Filesize
332KB

Download
memory/3128-118-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/3128-119-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/3128-121-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/3128-122-0x0000000004D70000-0x0000000004D8B000-memory.dmp

Filesize
108KB

Download
memory/3128-114-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3128-124-0x0000000000740000-0x000000000074E000-memory.dmp

Filesize
56KB

Download
memory/3128-120-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/3128-117-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3128-116-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/3680-127-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3680-128-0x000000000040C73E-mapping.dmp

Download
memory/3680-132-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3680-135-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads