asyncrat | 0eaeac1a39068d23fb3a986002b67044a3cc6f1fa88f9fbd3e77884c67510030

General

Target

126F9F212F9F6EBB9558E5A23F5A9AAD.exe
Size

531KB
MD5

126f9f212f9f6ebb9558e5a23f5a9aad
SHA1

7e7ec218f4b9aef17cb65166b1af8f3945c4b1e1
SHA256

0eaeac1a39068d23fb3a986002b67044a3cc6f1fa88f9fbd3e77884c67510030
SHA512

3fcc040a75541e8847cb4d8b5e5a5c31b128c1ff8246717d8ee146aef7eded96c519df26d60dba127e81b0cdd29a9ef10ceaa3b442a6b5d28c6c80dc62fd9377

Score

10^/10

asyncrat rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

213.226.119.176:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
7YYlMXTYocool4mir4Z8aKqdoFTXfP2f
anti_detection
false
autorun
false
bdos
false
delay
Default
host
213.226.119.176
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1440-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1440-65-0x000000000040C70E-mapping.dmp	asyncrat
behavioral1/memory/1440-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1440-70-0x0000000000460000-0x0000000000480000-memory.dmp	asyncrat

Downloads MZ/PE file
Suspicious use of SetThreadContext 1 IoCs

Processes:

126F9F212F9F6EBB9558E5A23F5A9AAD.exe

description pid process target process

PID 1828 set thread context of 1440 1828 126F9F212F9F6EBB9558E5A23F5A9AAD.exe 126F9F212F9F6EBB9558E5A23F5A9AAD.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

126F9F212F9F6EBB9558E5A23F5A9AAD.exe126F9F212F9F6EBB9558E5A23F5A9AAD.exe

description pid process

Token: SeDebugPrivilege 1828 126F9F212F9F6EBB9558E5A23F5A9AAD.exe
Token: SeDebugPrivilege 1440 126F9F212F9F6EBB9558E5A23F5A9AAD.exe

description	pid	process	target process
PID 1828 set thread context of 1440	1828	126F9F212F9F6EBB9558E5A23F5A9AAD.exe	126F9F212F9F6EBB9558E5A23F5A9AAD.exe

description	pid	process
Token: SeDebugPrivilege	1828	126F9F212F9F6EBB9558E5A23F5A9AAD.exe
Token: SeDebugPrivilege	1440	126F9F212F9F6EBB9558E5A23F5A9AAD.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

126F9F212F9F6EBB9558E5A23F5A9AAD.exe

description	pid	process	target process
PID 1828 wrote to memory of 1440	1828	126F9F212F9F6EBB9558E5A23F5A9AAD.exe	126F9F212F9F6EBB9558E5A23F5A9AAD.exe
PID 1828 wrote to memory of 1440	1828	126F9F212F9F6EBB9558E5A23F5A9AAD.exe	126F9F212F9F6EBB9558E5A23F5A9AAD.exe
PID 1828 wrote to memory of 1440	1828	126F9F212F9F6EBB9558E5A23F5A9AAD.exe	126F9F212F9F6EBB9558E5A23F5A9AAD.exe
PID 1828 wrote to memory of 1440	1828	126F9F212F9F6EBB9558E5A23F5A9AAD.exe	126F9F212F9F6EBB9558E5A23F5A9AAD.exe
PID 1828 wrote to memory of 1440	1828	126F9F212F9F6EBB9558E5A23F5A9AAD.exe	126F9F212F9F6EBB9558E5A23F5A9AAD.exe
PID 1828 wrote to memory of 1440	1828	126F9F212F9F6EBB9558E5A23F5A9AAD.exe	126F9F212F9F6EBB9558E5A23F5A9AAD.exe
PID 1828 wrote to memory of 1440	1828	126F9F212F9F6EBB9558E5A23F5A9AAD.exe	126F9F212F9F6EBB9558E5A23F5A9AAD.exe
PID 1828 wrote to memory of 1440	1828	126F9F212F9F6EBB9558E5A23F5A9AAD.exe	126F9F212F9F6EBB9558E5A23F5A9AAD.exe
PID 1828 wrote to memory of 1440	1828	126F9F212F9F6EBB9558E5A23F5A9AAD.exe	126F9F212F9F6EBB9558E5A23F5A9AAD.exe

C:\Users\Admin\AppData\Local\Temp\126F9F212F9F6EBB9558E5A23F5A9AAD.exe
"C:\Users\Admin\AppData\Local\Temp\126F9F212F9F6EBB9558E5A23F5A9AAD.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\126F9F212F9F6EBB9558E5A23F5A9AAD.exe
"C:\Users\Admin\AppData\Local\Temp\126F9F212F9F6EBB9558E5A23F5A9AAD.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1440-65-0x000000000040C70E-mapping.dmp

Download
memory/1440-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1440-69-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/1440-70-0x0000000000460000-0x0000000000480000-memory.dmp

Filesize
128KB

Download
memory/1828-59-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1828-61-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1828-62-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1828-63-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing