asyncrat | ebea93500eadbd81e08f6e45207b3b173f6493a561c5db5f0e2293db46299d01

General

Target

change of bank account.exe
Size

786KB
MD5

47c7620387d81bc7542cbb49a3cbbec2
SHA1

3597f35885eb29c5b2f4f925f965880e8882a164
SHA256

ebea93500eadbd81e08f6e45207b3b173f6493a561c5db5f0e2293db46299d01
SHA512

15fb834fdb28f815354109c35f9d620f6aa4035f0a00b3db9ae6dfd7622d1bbcc1eec4e793a30a0b782ce46d0ba18cded908f439e5e83d158ceb255aa87b0e6b

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

C2

79.134.225.44:7450

Mutex

zesdluuiwc

Attributes

aes_key
xEGeI9b9ebYU1KIyt6o56TUQ5Zun1NL4
anti_detection
false
autorun
false
bdos
false
delay
Default
host
79.134.225.44
hwid
5
install_file
install_folder
%AppData%
mutex
zesdluuiwc
pastebin_config
null
port
7450
version
0.5.6D

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1304-127-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/1304-128-0x000000000040C61E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

change of bank account.exe

description pid process target process

PID 4036 set thread context of 1304 4036 change of bank account.exe change of bank account.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

800 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

change of bank account.exe

pid process

4036 change of bank account.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

change of bank account.exe

description pid process

Token: SeDebugPrivilege 4036 change of bank account.exe

description	pid	process	target process
PID 4036 set thread context of 1304	4036	change of bank account.exe	change of bank account.exe

pid	process
800	schtasks.exe

pid	process
4036	change of bank account.exe

description	pid	process
Token: SeDebugPrivilege	4036	change of bank account.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

change of bank account.exe

description	pid	process	target process
PID 4036 wrote to memory of 800	4036	change of bank account.exe	schtasks.exe
PID 4036 wrote to memory of 800	4036	change of bank account.exe	schtasks.exe
PID 4036 wrote to memory of 800	4036	change of bank account.exe	schtasks.exe
PID 4036 wrote to memory of 1304	4036	change of bank account.exe	change of bank account.exe
PID 4036 wrote to memory of 1304	4036	change of bank account.exe	change of bank account.exe
PID 4036 wrote to memory of 1304	4036	change of bank account.exe	change of bank account.exe
PID 4036 wrote to memory of 1304	4036	change of bank account.exe	change of bank account.exe
PID 4036 wrote to memory of 1304	4036	change of bank account.exe	change of bank account.exe
PID 4036 wrote to memory of 1304	4036	change of bank account.exe	change of bank account.exe
PID 4036 wrote to memory of 1304	4036	change of bank account.exe	change of bank account.exe
PID 4036 wrote to memory of 1304	4036	change of bank account.exe	change of bank account.exe

C:\Users\Admin\AppData\Local\Temp\change of bank account.exe
"C:\Users\Admin\AppData\Local\Temp\change of bank account.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PdfRSF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9B1.tmp"
2⤵
- Creates scheduled task(s)
PID:800

C:\Users\Admin\AppData\Local\Temp\change of bank account.exe
"C:\Users\Admin\AppData\Local\Temp\change of bank account.exe"
2⤵
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\change of bank account.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB9B1.tmp
MD5
1a0b943e6f95588ee6f8778cc02221e7

SHA1
d7e67c12f8435735c6062fd243f28a4b7f26079e

SHA256
2bf22db68c7580d320d636d28522027ef90e034370d6ae39c1aaff75cee797a2

SHA512
8d4cc8c794c62e3673b9f0c4ef7918a96cb5459e0e9e6b0b1b276ed559029217383ed15328a558fdf6e05aea20097fcdf88005193cc8015792007cba73b39009

Download Submit
memory/800-125-0x0000000000000000-mapping.dmp

Download
memory/1304-132-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/1304-128-0x000000000040C61E-mapping.dmp

Download
memory/1304-127-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4036-119-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/4036-122-0x0000000005AF0000-0x0000000005B0B000-memory.dmp

Filesize
108KB

Download
memory/4036-123-0x0000000007D30000-0x0000000007D81000-memory.dmp

Filesize
324KB

Download
memory/4036-124-0x0000000007DB0000-0x0000000007DBF000-memory.dmp

Filesize
60KB

Download
memory/4036-121-0x0000000005840000-0x0000000005D3E000-memory.dmp

Filesize
5.0MB

Download
memory/4036-120-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/4036-114-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4036-118-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/4036-117-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/4036-116-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads