asyncrat | d49479f1e5b04736f8bab7ff79f8cd3574234fa244b1f414b74b1fd91f87d1fb

General

Target

877446a3230a1bdc809f50ad1477c3fd.exe
Size

385KB
MD5

877446a3230a1bdc809f50ad1477c3fd
SHA1

54480aba9a090e9efb15695a55888c19b3dc183e
SHA256

d49479f1e5b04736f8bab7ff79f8cd3574234fa244b1f414b74b1fd91f87d1fb
SHA512

484c7dcf5a04f68f7b76ce5fee094cecf1353d0e46c9368b105cbe0b1fa18d18d584a679f4bbd95b658b898e668767ed69df546e411939141c158cfe2ed130b1

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

omomom.ac.ug:6970

omkarusdajvc.ac.ug:6970

Mutex

6SI8OkPnkxzcasd

Attributes

aes_key
sEiaxlqpFmHMU8l5j0Ycz8apFoEBTERY
anti_detection
false
autorun
false
bdos
false
delay
XX
host
omomom.ac.ug,omkarusdajvc.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
6SI8OkPnkxzcasd
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4076-129-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/4076-130-0x000000000040C71E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

877446a3230a1bdc809f50ad1477c3fd.exe

description pid process target process

PID 3128 set thread context of 4076 3128 877446a3230a1bdc809f50ad1477c3fd.exe 877446a3230a1bdc809f50ad1477c3fd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1524 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

877446a3230a1bdc809f50ad1477c3fd.exe

pid process

3128 877446a3230a1bdc809f50ad1477c3fd.exe
3128 877446a3230a1bdc809f50ad1477c3fd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

877446a3230a1bdc809f50ad1477c3fd.exe

description pid process

Token: SeDebugPrivilege 3128 877446a3230a1bdc809f50ad1477c3fd.exe

description	pid	process	target process
PID 3128 set thread context of 4076	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe

pid	process
1524	schtasks.exe

pid	process
3128	877446a3230a1bdc809f50ad1477c3fd.exe
3128	877446a3230a1bdc809f50ad1477c3fd.exe

description	pid	process
Token: SeDebugPrivilege	3128	877446a3230a1bdc809f50ad1477c3fd.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

877446a3230a1bdc809f50ad1477c3fd.exe

description	pid	process	target process
PID 3128 wrote to memory of 1524	3128	877446a3230a1bdc809f50ad1477c3fd.exe	schtasks.exe
PID 3128 wrote to memory of 1524	3128	877446a3230a1bdc809f50ad1477c3fd.exe	schtasks.exe
PID 3128 wrote to memory of 1524	3128	877446a3230a1bdc809f50ad1477c3fd.exe	schtasks.exe
PID 3128 wrote to memory of 2696	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 3128 wrote to memory of 2696	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 3128 wrote to memory of 2696	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 3128 wrote to memory of 4076	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 3128 wrote to memory of 4076	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 3128 wrote to memory of 4076	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 3128 wrote to memory of 4076	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 3128 wrote to memory of 4076	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 3128 wrote to memory of 4076	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 3128 wrote to memory of 4076	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe
PID 3128 wrote to memory of 4076	3128	877446a3230a1bdc809f50ad1477c3fd.exe	877446a3230a1bdc809f50ad1477c3fd.exe

C:\Users\Admin\AppData\Local\Temp\877446a3230a1bdc809f50ad1477c3fd.exe
"C:\Users\Admin\AppData\Local\Temp\877446a3230a1bdc809f50ad1477c3fd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\awXFuL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1406.tmp"
2⤵
- Creates scheduled task(s)
PID:1524

C:\Users\Admin\AppData\Local\Temp\877446a3230a1bdc809f50ad1477c3fd.exe
"{path}"
2⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\877446a3230a1bdc809f50ad1477c3fd.exe
"{path}"
2⤵
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\877446a3230a1bdc809f50ad1477c3fd.exe.log
MD5
f63538e8f46716277d99afa59b82627f

SHA1
ac748880c856cc6269169df63ce0a3f5f2b3baba

SHA256
6074019b388daccdfd1267e5366c9d6fbf84abc98800313d44d66a6534a4cbed

SHA512
cb2e56c260d98371d86aa3c9eeda86da0ad47ebcad73050feb32cb6c3c4c446386caca95f948757c54d7921e16e8450aa960bda89626cdd153462a66ba3c2d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1406.tmp
MD5
1daa404579fd5fde6cb29ca110681076

SHA1
7582077fe3515a7bcebecf7e85c0074dfc3f4b97

SHA256
46de4e86229ae66dbceae5b5d486ef7f8b7c52aa3a99a900de9bf553a7673f53

SHA512
9d16e057503cb76da1a34520da272e029e050c1b14be4f315f02e2cb813f7c8e3de28f8d962c3f8d0deedd949c59dce791320524a1eee5a139eab3f73636a066

Download Submit
memory/1524-127-0x0000000000000000-mapping.dmp

Download
memory/3128-119-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/3128-125-0x0000000005110000-0x0000000005179000-memory.dmp

Filesize
420KB

Download
memory/3128-120-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/3128-121-0x000000000A6A0000-0x000000000A6A1000-memory.dmp

Filesize
4KB

Download
memory/3128-122-0x0000000005C30000-0x0000000005C32000-memory.dmp

Filesize
8KB

Download
memory/3128-123-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/3128-124-0x0000000004AD3000-0x0000000004AD5000-memory.dmp

Filesize
8KB

Download
memory/3128-114-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/3128-126-0x0000000004BD0000-0x0000000004BE9000-memory.dmp

Filesize
100KB

Download
memory/3128-118-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3128-117-0x00000000094D0000-0x00000000094D1000-memory.dmp

Filesize
4KB

Download
memory/3128-116-0x0000000004A40000-0x0000000004A82000-memory.dmp

Filesize
264KB

Download
memory/4076-130-0x000000000040C71E-mapping.dmp

Download
memory/4076-129-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4076-134-0x0000000001820000-0x0000000001821000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads