asyncrat | d49479f1e5b04736f8bab7ff79f8cd3574234fa244b1f414b74b1fd91f87d1fb

General

Target

877446a3230a1bdc809f50ad1477c3fd.exe
Size

385KB
MD5

877446a3230a1bdc809f50ad1477c3fd
SHA1

54480aba9a090e9efb15695a55888c19b3dc183e
SHA256

d49479f1e5b04736f8bab7ff79f8cd3574234fa244b1f414b74b1fd91f87d1fb
SHA512

484c7dcf5a04f68f7b76ce5fee094cecf1353d0e46c9368b105cbe0b1fa18d18d584a679f4bbd95b658b898e668767ed69df546e411939141c158cfe2ed130b1

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

omomom.ac.ug:6970

omkarusdajvc.ac.ug:6970

Mutex

6SI8OkPnkxzcasd

Attributes

aes_key
sEiaxlqpFmHMU8l5j0Ycz8apFoEBTERY
anti_detection
false
autorun
false
bdos
false
delay
XX
host
omomom.ac.ug,omkarusdajvc.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
6SI8OkPnkxzcasd
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3448-129-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3448-130-0x000000000040C71E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

877446a3230a1bdc809f50ad1477c3fd.exe

description pid process target process

PID 772 set thread context of 3448 772 877446a3230a1bdc809f50ad1477c3fd.exe 877446a3230a1bdc809f50ad1477c3fd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1332 schtasks.exe

description	pid	process	target process
PID 772 set thread context of 3448	772	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe

pid	process
1332	schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

877446a3230a1bdc809f50ad1477c3fd.exe

description	pid	process	target process
PID 772 wrote to memory of 1332	772	877446a3230a1bdc809f50ad1477c3fd.exe	schtasks.exe
PID 772 wrote to memory of 1332	772	877446a3230a1bdc809f50ad1477c3fd.exe	schtasks.exe
PID 772 wrote to memory of 1332	772	877446a3230a1bdc809f50ad1477c3fd.exe	schtasks.exe
PID 772 wrote to memory of 3448	772	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 772 wrote to memory of 3448	772	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 772 wrote to memory of 3448	772	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 772 wrote to memory of 3448	772	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 772 wrote to memory of 3448	772	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 772 wrote to memory of 3448	772	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 772 wrote to memory of 3448	772	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 772 wrote to memory of 3448	772	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe

C:\Users\Admin\AppData\Local\Temp\877446a3230a1bdc809f50ad1477c3fd.exe
"C:\Users\Admin\AppData\Local\Temp\877446a3230a1bdc809f50ad1477c3fd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\awXFuL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA55E.tmp"
2⤵
- Creates scheduled task(s)
PID:1332

C:\Users\Admin\AppData\Local\Temp\877446a3230a1bdc809f50ad1477c3fd.exe
"{path}"
2⤵
PID:3448

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA55E.tmp
MD5
44389c2d8cde4a70120c766eb5ef6612

SHA1
e6625705ff5c139f8ca4df8185170b128d0415f8

SHA256
2121b3bf694d0e422841326d357a59305d22bd69ea8c448660b0b106d6383021

SHA512
6bf20b1e8e0452669f91fd92dc7d16747d7c7a4c563cb431961f184fba60283bd572703219fb6c190079c1deddb1bb0932436fc9a9425820b14a1001e842619f

Download Submit
memory/772-123-0x0000000006290000-0x0000000006291000-memory.dmp

Filesize
4KB

Download
memory/772-122-0x00000000061E0000-0x00000000061E2000-memory.dmp

Filesize
8KB

Download
memory/772-118-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/772-119-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/772-124-0x0000000004B83000-0x0000000004B85000-memory.dmp

Filesize
8KB

Download
memory/772-121-0x000000000A4B0000-0x000000000A4B1000-memory.dmp

Filesize
4KB

Download
memory/772-117-0x00000000092E0000-0x00000000092E1000-memory.dmp

Filesize
4KB

Download
memory/772-114-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/772-120-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/772-125-0x0000000006AF0000-0x0000000006B59000-memory.dmp

Filesize
420KB

Download
memory/772-126-0x0000000004920000-0x0000000004939000-memory.dmp

Filesize
100KB

Download
memory/772-116-0x0000000004B20000-0x0000000004B62000-memory.dmp

Filesize
264KB

Download
memory/1332-127-0x0000000000000000-mapping.dmp

Download
memory/3448-129-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3448-130-0x000000000040C71E-mapping.dmp

Download
memory/3448-133-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads