asyncrat | 33e822406d5cea835a7a9bba3f0d82d9c4aef806c1dfeb8d332e5ee51e496780

General

Target

AC2A2C9E743A2F8E39BB36D37F45D829.exe
Size

107KB
MD5

ac2a2c9e743a2f8e39bb36d37f45d829
SHA1

b021985e80954624f0273bef8396bb193107118c
SHA256

33e822406d5cea835a7a9bba3f0d82d9c4aef806c1dfeb8d332e5ee51e496780
SHA512

5d0870797a54948ef787f732dd9fffeb21c63a11ff4dd677526716fa44219bedcfccc4d78f50050fbf42c36123616e9730964a9c3f17f93d8452359b50a1d3bf

Score

10^/10

asyncrat xmrig miner rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

vlhoangkimpk.net:6606

vlhoangkimpk.net:7707

vlhoangkimpk.net:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
2nGMTIdBgqeoX9uhURxc6auPzZ95baS0
anti_detection
false
autorun
true
bdos
false
delay
Default
host
vlhoangkimpk.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606,7707,8808
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Blue Bot DDoS Blog Request
suricata
suricata: ET MALWARE Blue Bot DDoS Logger Request
suricata
suricata: ET MALWARE Blue Bot DDoS Proxy Request
suricata
suricata: ET MALWARE Blue Bot DDoS Target Request
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\SysWOW64\ism.exe	asyncrat
C:\Windows\SysWOW64\ism.exe	asyncrat
C:\Users\Admin\AppData\Roaming\ism.exe	asyncrat
C:\Users\Admin\AppData\Roaming\ism.exe	asyncrat

Executes dropped EXE 3 IoCs

Processes:

sihost.exeism.exeism.exe

pid process

3540 sihost.exe
1492 ism.exe
2012 ism.exe

pid	process
3540	sihost.exe
1492	ism.exe
2012	ism.exe

Drops file in System32 directory 3 IoCs

Processes:

AC2A2C9E743A2F8E39BB36D37F45D829.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sihost.exe	AC2A2C9E743A2F8E39BB36D37F45D829.exe
File created	C:\Windows\SysWOW64\ism.exe	AC2A2C9E743A2F8E39BB36D37F45D829.exe
File created	C:\Windows\SysWOW64\svchost.exe	AC2A2C9E743A2F8E39BB36D37F45D829.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3716 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2128 timeout.exe

pid	process
3716	schtasks.exe

pid	process
2128	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

ism.exe

pid	process
1492	ism.exe
1492	ism.exe
1492	ism.exe
1492	ism.exe
1492	ism.exe
1492	ism.exe
1492	ism.exe
1492	ism.exe
1492	ism.exe
1492	ism.exe
1492	ism.exe
1492	ism.exe
1492	ism.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ism.exeism.exe

description pid process

Token: SeDebugPrivilege 1492 ism.exe
Token: SeDebugPrivilege 2012 ism.exe

description	pid	process
Token: SeDebugPrivilege	1492	ism.exe
Token: SeDebugPrivilege	2012	ism.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

AC2A2C9E743A2F8E39BB36D37F45D829.exeism.execmd.execmd.exe

description	pid	process	target process
PID 996 wrote to memory of 3540	996	AC2A2C9E743A2F8E39BB36D37F45D829.exe	sihost.exe
PID 996 wrote to memory of 3540	996	AC2A2C9E743A2F8E39BB36D37F45D829.exe	sihost.exe
PID 996 wrote to memory of 1492	996	AC2A2C9E743A2F8E39BB36D37F45D829.exe	ism.exe
PID 996 wrote to memory of 1492	996	AC2A2C9E743A2F8E39BB36D37F45D829.exe	ism.exe
PID 996 wrote to memory of 1492	996	AC2A2C9E743A2F8E39BB36D37F45D829.exe	ism.exe
PID 996 wrote to memory of 640	996	AC2A2C9E743A2F8E39BB36D37F45D829.exe	svchost.exe
PID 996 wrote to memory of 640	996	AC2A2C9E743A2F8E39BB36D37F45D829.exe	svchost.exe
PID 996 wrote to memory of 640	996	AC2A2C9E743A2F8E39BB36D37F45D829.exe	svchost.exe
PID 1492 wrote to memory of 3176	1492	ism.exe	cmd.exe
PID 1492 wrote to memory of 3176	1492	ism.exe	cmd.exe
PID 1492 wrote to memory of 3176	1492	ism.exe	cmd.exe
PID 1492 wrote to memory of 1332	1492	ism.exe	cmd.exe
PID 1492 wrote to memory of 1332	1492	ism.exe	cmd.exe
PID 1492 wrote to memory of 1332	1492	ism.exe	cmd.exe
PID 1332 wrote to memory of 2128	1332	cmd.exe	timeout.exe
PID 1332 wrote to memory of 2128	1332	cmd.exe	timeout.exe
PID 1332 wrote to memory of 2128	1332	cmd.exe	timeout.exe
PID 3176 wrote to memory of 3716	3176	cmd.exe	schtasks.exe
PID 3176 wrote to memory of 3716	3176	cmd.exe	schtasks.exe
PID 3176 wrote to memory of 3716	3176	cmd.exe	schtasks.exe
PID 1332 wrote to memory of 2012	1332	cmd.exe	ism.exe
PID 1332 wrote to memory of 2012	1332	cmd.exe	ism.exe
PID 1332 wrote to memory of 2012	1332	cmd.exe	ism.exe

C:\Users\Admin\AppData\Local\Temp\AC2A2C9E743A2F8E39BB36D37F45D829.exe
"C:\Users\Admin\AppData\Local\Temp\AC2A2C9E743A2F8E39BB36D37F45D829.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\sihost.exe
"C:\Windows\system32\sihost.exe"
2⤵
- Executes dropped EXE
PID:3540

C:\Windows\SysWOW64\ism.exe
"C:\Windows\system32\ism.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ism" /tr '"C:\Users\Admin\AppData\Roaming\ism.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "ism" /tr '"C:\Users\Admin\AppData\Roaming\ism.exe"'
4⤵
- Creates scheduled task(s)
PID:3716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9D6E.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2128

C:\Users\Admin\AppData\Roaming\ism.exe
"C:\Users\Admin\AppData\Roaming\ism.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
PID:640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ism.exe.log
MD5
29ac3d31c772ba5e216f15cd6d85cd29

SHA1
45d682f8f9f8658e4b1c717782811f24b08be250

SHA256
82cb10a670e760c3159ae57f943dbd2b478727a9e82b307edd559e54ffad0f9d

SHA512
87403b70e4ba9a19f96eaef900cffe6769c3aa35d047cac26175f27ffbed8e625a8f8a12d191a6e63f75ef4b8b1bee2078f4659325a12d534d61427d58ceb8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9D6E.tmp.bat
MD5
531e8826b27a163ed997052a775f8865

SHA1
c1131f3019f4a888aa35897a19057cbc52c295a7

SHA256
9f69d93da2a6301ee780e76493248d398be1a948974e1573b8cb85185c86e660

SHA512
ebb731b879aabca03b2b338e40d5e0022cdfa75a0a64bc36b4bd04225d6398a6c0579ad6a5d34daba3908734280859a3d067ce113d57f4f1f05d5c18c1b3143f

Download Submit
C:\Users\Admin\AppData\Roaming\ism.exe
MD5
f587d501970f32f655bdeaaa34278ac9

SHA1
093bba8e6b4135b7dfcbe4643ebf923ca408552b

SHA256
8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc

SHA512
2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175

Download Submit
C:\Users\Admin\AppData\Roaming\ism.exe
MD5
f587d501970f32f655bdeaaa34278ac9

SHA1
093bba8e6b4135b7dfcbe4643ebf923ca408552b

SHA256
8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc

SHA512
2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175

Download Submit
C:\Windows\SysWOW64\ism.exe
MD5
f587d501970f32f655bdeaaa34278ac9

SHA1
093bba8e6b4135b7dfcbe4643ebf923ca408552b

SHA256
8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc

SHA512
2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175

Download Submit
C:\Windows\SysWOW64\ism.exe
MD5
f587d501970f32f655bdeaaa34278ac9

SHA1
093bba8e6b4135b7dfcbe4643ebf923ca408552b

SHA256
8586c4743921009c7e34986d69d8928518d6e24b5c169ca22be4533f8ece23fc

SHA512
2e90d12d3432e2f5e709e22c94f2ea33641525b3a72836da33a6aba332923f137ea8809aaf91d4dd2d87f5cf710bb0d60a8391c6c3797c5da59f67b587569175

Download Submit
C:\Windows\SysWOW64\sihost.exe
MD5
5d591359f3e3d22d8cfabb85a83d7aa6

SHA1
b1d2bdd5d4ce99cc7b80c4bb343e4abc3efd0c9a

SHA256
5bdeefa2d641c7caaaf87bd936d0327342e8f70408f18b73ae43a72542c71579

SHA512
21f4e4312f187dff38423216a9c8abaab0d5eb94d31c7a8397a75873e2512eed9cf96fc329955386f690f9d192d77d9b9cd87456468372eef1143b876c172a1e

Download Submit
C:\Windows\SysWOW64\sihost.exe
MD5
5d591359f3e3d22d8cfabb85a83d7aa6

SHA1
b1d2bdd5d4ce99cc7b80c4bb343e4abc3efd0c9a

SHA256
5bdeefa2d641c7caaaf87bd936d0327342e8f70408f18b73ae43a72542c71579

SHA512
21f4e4312f187dff38423216a9c8abaab0d5eb94d31c7a8397a75873e2512eed9cf96fc329955386f690f9d192d77d9b9cd87456468372eef1143b876c172a1e

Download Submit
memory/640-119-0x0000000000000000-mapping.dmp

Download
memory/1332-128-0x0000000000000000-mapping.dmp

Download
memory/1492-117-0x0000000000000000-mapping.dmp

Download
memory/1492-126-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/1492-124-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1492-121-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/2012-132-0x0000000000000000-mapping.dmp

Download
memory/2012-138-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/2012-140-0x0000000006210000-0x0000000006211000-memory.dmp

Filesize
4KB

Download
memory/2012-141-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/2128-130-0x0000000000000000-mapping.dmp

Download
memory/3176-127-0x0000000000000000-mapping.dmp

Download
memory/3540-114-0x0000000000000000-mapping.dmp

Download
memory/3540-125-0x0000000002A92000-0x0000000002A94000-memory.dmp

Filesize
8KB

Download
memory/3540-123-0x0000000002A90000-0x0000000002A92000-memory.dmp

Filesize
8KB

Download
memory/3716-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads