asyncrat | 33e822406d5cea835a7a9bba3f0d82d9c4aef806c1dfeb8d332e5ee51e496780

Analysis

max time kernel
129s
max time network
150s
platform
windows7_x64
resource
win7v20210410
submitted
23-07-2021 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AC2A2C9E743A2F8E39BB36D37F45D829.exe
Size

107KB
MD5

ac2a2c9e743a2f8e39bb36d37f45d829
SHA1

b021985e80954624f0273bef8396bb193107118c
SHA256

33e822406d5cea835a7a9bba3f0d82d9c4aef806c1dfeb8d332e5ee51e496780
SHA512

5d0870797a54948ef787f732dd9fffeb21c63a11ff4dd677526716fa44219bedcfccc4d78f50050fbf42c36123616e9730964a9c3f17f93d8452359b50a1d3bf

Score

10^/10

asyncrat xmrig miner rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

vlhoangkimpk.net:6606

vlhoangkimpk.net:7707

vlhoangkimpk.net:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
2nGMTIdBgqeoX9uhURxc6auPzZ95baS0
anti_detection
false
autorun
true
bdos
false
delay
Default
host
vlhoangkimpk.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606,7707,8808
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Blue Bot DDoS Blog Request
suricata
suricata: ET MALWARE Blue Bot DDoS Logger Request
suricata
suricata: ET MALWARE Blue Bot DDoS Proxy Request
suricata
suricata: ET MALWARE Blue Bot DDoS Target Request
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
\Windows\SysWOW64\ism.exe	asyncrat
C:\Windows\SysWOW64\ism.exe	asyncrat
C:\Windows\SysWOW64\ism.exe	asyncrat
C:\Users\Admin\AppData\Roaming\ism.exe	asyncrat
C:\Users\Admin\AppData\Roaming\ism.exe	asyncrat
\Users\Admin\AppData\Roaming\ism.exe	asyncrat

Executes dropped EXE 3 IoCs

Processes:

sihost.exeism.exeism.exe

pid process

1128 sihost.exe
1976 ism.exe
724 ism.exe
Loads dropped DLL 3 IoCs

Processes:

AC2A2C9E743A2F8E39BB36D37F45D829.execmd.exe

pid process

1072 AC2A2C9E743A2F8E39BB36D37F45D829.exe
1072 AC2A2C9E743A2F8E39BB36D37F45D829.exe
1012 cmd.exe

pid	process
1128	sihost.exe
1976	ism.exe
724	ism.exe

pid	process
1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe
1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe
1012	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

AC2A2C9E743A2F8E39BB36D37F45D829.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sihost.exe	AC2A2C9E743A2F8E39BB36D37F45D829.exe
File created	C:\Windows\SysWOW64\ism.exe	AC2A2C9E743A2F8E39BB36D37F45D829.exe
File created	C:\Windows\SysWOW64\svchost.exe	AC2A2C9E743A2F8E39BB36D37F45D829.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

560 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1064 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ism.exe

pid process

1976 ism.exe
1976 ism.exe
1976 ism.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ism.exeism.exe

description pid process

Token: SeDebugPrivilege 1976 ism.exe
Token: SeDebugPrivilege 724 ism.exe

pid	process
560	schtasks.exe

pid	process
1064	timeout.exe

pid	process
1976	ism.exe
1976	ism.exe
1976	ism.exe

description	pid	process
Token: SeDebugPrivilege	1976	ism.exe
Token: SeDebugPrivilege	724	ism.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

AC2A2C9E743A2F8E39BB36D37F45D829.exeism.execmd.execmd.exe

description	pid	process	target process
PID 1072 wrote to memory of 1128	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	sihost.exe
PID 1072 wrote to memory of 1128	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	sihost.exe
PID 1072 wrote to memory of 1128	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	sihost.exe
PID 1072 wrote to memory of 1128	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	sihost.exe
PID 1072 wrote to memory of 1976	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	ism.exe
PID 1072 wrote to memory of 1976	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	ism.exe
PID 1072 wrote to memory of 1976	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	ism.exe
PID 1072 wrote to memory of 1976	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	ism.exe
PID 1072 wrote to memory of 1956	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	svchost.exe
PID 1072 wrote to memory of 1956	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	svchost.exe
PID 1072 wrote to memory of 1956	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	svchost.exe
PID 1072 wrote to memory of 1956	1072	AC2A2C9E743A2F8E39BB36D37F45D829.exe	svchost.exe
PID 1976 wrote to memory of 664	1976	ism.exe	cmd.exe
PID 1976 wrote to memory of 664	1976	ism.exe	cmd.exe
PID 1976 wrote to memory of 664	1976	ism.exe	cmd.exe
PID 1976 wrote to memory of 664	1976	ism.exe	cmd.exe
PID 664 wrote to memory of 560	664	cmd.exe	schtasks.exe
PID 664 wrote to memory of 560	664	cmd.exe	schtasks.exe
PID 664 wrote to memory of 560	664	cmd.exe	schtasks.exe
PID 664 wrote to memory of 560	664	cmd.exe	schtasks.exe
PID 1976 wrote to memory of 1012	1976	ism.exe	cmd.exe
PID 1976 wrote to memory of 1012	1976	ism.exe	cmd.exe
PID 1976 wrote to memory of 1012	1976	ism.exe	cmd.exe
PID 1976 wrote to memory of 1012	1976	ism.exe	cmd.exe
PID 1012 wrote to memory of 1064	1012	cmd.exe	timeout.exe
PID 1012 wrote to memory of 1064	1012	cmd.exe	timeout.exe
PID 1012 wrote to memory of 1064	1012	cmd.exe	timeout.exe
PID 1012 wrote to memory of 1064	1012	cmd.exe	timeout.exe
PID 1012 wrote to memory of 724	1012	cmd.exe	ism.exe
PID 1012 wrote to memory of 724	1012	cmd.exe	ism.exe
PID 1012 wrote to memory of 724	1012	cmd.exe	ism.exe
PID 1012 wrote to memory of 724	1012	cmd.exe	ism.exe

C:\Users\Admin\AppData\Local\Temp\AC2A2C9E743A2F8E39BB36D37F45D829.exe
"C:\Users\Admin\AppData\Local\Temp\AC2A2C9E743A2F8E39BB36D37F45D829.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\sihost.exe
"C:\Windows\system32\sihost.exe"
2⤵
- Executes dropped EXE
PID:1128

C:\Windows\SysWOW64\ism.exe
"C:\Windows\system32\ism.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ism" /tr '"C:\Users\Admin\AppData\Roaming\ism.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "ism" /tr '"C:\Users\Admin\AppData\Roaming\ism.exe"'
4⤵
- Creates scheduled task(s)
PID:560

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8881.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1064

C:\Users\Admin\AppData\Roaming\ism.exe
"C:\Users\Admin\AppData\Roaming\ism.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:724

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8881.tmp.bat
MD5
43d7aa4eb2610c16d575f4cea3daa8e3

SHA1
a0ba252bdfdbb58b6f1fd23a832806078f81ba5d

SHA256
ded323b9fd2350c0a480c55b969a30240d8d09a1469c38e9c05f09d48cd285b4

SHA512
ca24e2a41d5db8fcd007e80bff9c5f7aa853fe1c1c26d55eb168724e1efed73f0cbe3ac9b6d8126787faffa9cc7a7495dccece7bf4184e3b106030a7729009e6

Download Submit
C:\Users\Admin\AppData\Roaming\ism.exe
MD5
f587d501970f32f655bdeaaa34278ac9

SHA1
093bba8e6b4135b7dfcbe4643ebf923ca408552b

SHA256
8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc

SHA512
2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175

Download Submit
C:\Users\Admin\AppData\Roaming\ism.exe
MD5
f587d501970f32f655bdeaaa34278ac9

SHA1
093bba8e6b4135b7dfcbe4643ebf923ca408552b

SHA256
8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc

SHA512
2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175

Download Submit
C:\Windows\SysWOW64\ism.exe
MD5
f587d501970f32f655bdeaaa34278ac9

SHA1
093bba8e6b4135b7dfcbe4643ebf923ca408552b

SHA256
8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc

SHA512
2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175

Download Submit
C:\Windows\SysWOW64\ism.exe
MD5
f587d501970f32f655bdeaaa34278ac9

SHA1
093bba8e6b4135b7dfcbe4643ebf923ca408552b

SHA256
8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc

SHA512
2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175

Download Submit
C:\Windows\SysWOW64\sihost.exe
MD5
5d591359f3e3d22d8cfabb85a83d7aa6

SHA1
b1d2bdd5d4ce99cc7b80c4bb343e4abc3efd0c9a

SHA256
5bdeefa2d641c7caaaf87bd936d0327342e8f70408f18b73ae43a72542c71579

SHA512
21f4e4312f187dff38423216a9c8abaab0d5eb94d31c7a8397a75873e2512eed9cf96fc329955386f690f9d192d77d9b9cd87456468372eef1143b876c172a1e

Download Submit
C:\Windows\SysWOW64\sihost.exe
MD5
5d591359f3e3d22d8cfabb85a83d7aa6

SHA1
b1d2bdd5d4ce99cc7b80c4bb343e4abc3efd0c9a

SHA256
5bdeefa2d641c7caaaf87bd936d0327342e8f70408f18b73ae43a72542c71579

SHA512
21f4e4312f187dff38423216a9c8abaab0d5eb94d31c7a8397a75873e2512eed9cf96fc329955386f690f9d192d77d9b9cd87456468372eef1143b876c172a1e

Download Submit
\Users\Admin\AppData\Roaming\ism.exe
MD5
f587d501970f32f655bdeaaa34278ac9

SHA1
093bba8e6b4135b7dfcbe4643ebf923ca408552b

SHA256
8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc

SHA512
2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175

Download Submit
\Windows\SysWOW64\ism.exe
MD5
f587d501970f32f655bdeaaa34278ac9

SHA1
093bba8e6b4135b7dfcbe4643ebf923ca408552b

SHA256
8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc

SHA512
2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175

Download Submit
\Windows\SysWOW64\sihost.exe
MD5
5d591359f3e3d22d8cfabb85a83d7aa6

SHA1
b1d2bdd5d4ce99cc7b80c4bb343e4abc3efd0c9a

SHA256
5bdeefa2d641c7caaaf87bd936d0327342e8f70408f18b73ae43a72542c71579

SHA512
21f4e4312f187dff38423216a9c8abaab0d5eb94d31c7a8397a75873e2512eed9cf96fc329955386f690f9d192d77d9b9cd87456468372eef1143b876c172a1e

Download Submit
memory/560-78-0x0000000000000000-mapping.dmp

Download
memory/664-77-0x0000000000000000-mapping.dmp

Download
memory/724-84-0x0000000000000000-mapping.dmp

Download
memory/724-89-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/724-86-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1012-79-0x0000000000000000-mapping.dmp

Download
memory/1064-81-0x0000000000000000-mapping.dmp

Download
memory/1072-60-0x0000000075411000-0x0000000075413000-memory.dmp

Filesize
8KB

Download
memory/1128-72-0x0000000000940000-0x0000000000942000-memory.dmp

Filesize
8KB

Download
memory/1128-73-0x000007FEF2840000-0x000007FEF38D6000-memory.dmp

Filesize
16.6MB

Download
memory/1128-76-0x0000000000946000-0x0000000000965000-memory.dmp

Filesize
124KB

Download
memory/1128-62-0x0000000000000000-mapping.dmp

Download
memory/1956-68-0x0000000000000000-mapping.dmp

Download
memory/1976-66-0x0000000000000000-mapping.dmp

Download
memory/1976-75-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/1976-70-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download