asyncrat | 6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5

General

Target

8ad6032daa80a5adaa61010895ed78ce.exe
Size

431KB
MD5

8ad6032daa80a5adaa61010895ed78ce
SHA1

95e3899672ba3f7352806a6b663959c888911069
SHA256

6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5
SHA512

61c9723ef7458a8da34913a9e80a440d9094c52dde2ac13bc29c6f7c4c7a92903449917c1d64ae07b56102817f2a80e6d754e2195a701748d9f8a12f85043469

Score

10^/10

asyncrat evasion rat suricata

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1788-137-0x000001FEA6A00000-0x000001FEA6A11000-memory.dmp	asyncrat
behavioral2/memory/1788-140-0x000001FEC1BC0000-0x000001FEC26D8000-memory.dmp	asyncrat

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exe

flow pid process

21 4048 powershell.exe
23 4048 powershell.exe
25 4048 powershell.exe
30 4048 powershell.exe
31 4048 powershell.exe
33 4048 powershell.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

8ad6032daa80a5adaa61010895ed78ce.exe

description pid process target process

PID 652 set thread context of 1788 652 8ad6032daa80a5adaa61010895ed78ce.exe MSBuild.exe

flow	pid	process
21	4048	powershell.exe
23	4048	powershell.exe
25	4048	powershell.exe
30	4048	powershell.exe
31	4048	powershell.exe
33	4048	powershell.exe

flow	ioc
13	checkip.dyndns.org

description	pid	process	target process
PID 652 set thread context of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

MSBuild.exepowershell.exe

pid process

1788 MSBuild.exe
1788 MSBuild.exe
1788 MSBuild.exe
4048 powershell.exe
4048 powershell.exe
4048 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MSBuild.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1788 MSBuild.exe
Token: SeDebugPrivilege 4048 powershell.exe

pid	process
1788	MSBuild.exe
1788	MSBuild.exe
1788	MSBuild.exe
4048	powershell.exe
4048	powershell.exe
4048	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1788	MSBuild.exe
Token: SeDebugPrivilege	4048	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

8ad6032daa80a5adaa61010895ed78ce.exeMSBuild.execsc.exe

description	pid	process	target process
PID 652 wrote to memory of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 652 wrote to memory of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 652 wrote to memory of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 652 wrote to memory of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 652 wrote to memory of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 652 wrote to memory of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 652 wrote to memory of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 652 wrote to memory of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 652 wrote to memory of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 652 wrote to memory of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 652 wrote to memory of 1788	652	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 1788 wrote to memory of 3200	1788	MSBuild.exe	csc.exe
PID 1788 wrote to memory of 3200	1788	MSBuild.exe	csc.exe
PID 3200 wrote to memory of 204	3200	csc.exe	cvtres.exe
PID 3200 wrote to memory of 204	3200	csc.exe	cvtres.exe
PID 1788 wrote to memory of 4000	1788	MSBuild.exe	netsh.exe
PID 1788 wrote to memory of 4000	1788	MSBuild.exe	netsh.exe
PID 1788 wrote to memory of 4048	1788	MSBuild.exe	powershell.exe
PID 1788 wrote to memory of 4048	1788	MSBuild.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\8ad6032daa80a5adaa61010895ed78ce.exe
"C:\Users\Admin\AppData\Local\Temp\8ad6032daa80a5adaa61010895ed78ce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mao05ro4\mao05ro4.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70B1.tmp" "c:\Users\Admin\AppData\Local\Temp\mao05ro4\CSCF10C2D959DC4BA09A7732822F29BE1D.TMP"
4⤵
PID:204

C:\Windows\SYSTEM32\netsh.exe
"netsh.exe" firewall add allowedprogram C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe SystemUpdate ENABLE
3⤵
PID:4000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -enc dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAKAHQAcgB5AHsAaQB3AHIAIAAnAGgAdAB0AHAAcwA6AC8ALwBnAG8AbwBnAGwAZQAuAGMAbwBtACcAfQBjAGEAdABjAGgAewAKACQAcgBlAGcASwBlAHkAPQAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEkAbgB0AGUAcgBuAGUAdAAgAFMAZQB0AHQAaQBuAGcAcwAiADsAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAcgBlAGcASwBlAHkAIABQAHIAbwB4AHkARQBuAGEAYgBsAGUAIAAtAHYAYQBsAHUAZQAgADAAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAA7AFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAUAByAG8AeAB5AFMAZQByAHYAZQByACAALQB2AGEAbAB1AGUAIAAiACIAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAOwAgAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAQQB1AHQAbwBDAG8AbgBmAGkAZwBVAFIATAAgAC0AVgBhAGwAdQBlACAAIgAiACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwAAoAfQAKAHMAbABlAGUAcAAgADIAfQA=
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES70B1.tmp
MD5
8b47363f0819546a59b8fda114d14de0

SHA1
8708185c7706c7bb76d9e40657ea25451910df2c

SHA256
a5ee52a27a25898d9bc63518ccb44bc3621402209eb339e635c44b6674c8f45f

SHA512
05747efceb0a1899d9f6c62f09f73088afce8b789ff90ed4c0117177532e6491f6403edb61b81d622346af2cdc560c643fc70935728ea81407e61db1b480a77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mao05ro4\mao05ro4.dll
MD5
4f636997342f0235215a3bdf9f561730

SHA1
ff8b38eeebc7a1aa43627954ccb6f9581ebf7317

SHA256
421083701376b7994f83d5a71ad83d639b5c17c5f1194299a2ef838ac6f48ae0

SHA512
026550e06ea2f33e8d44c99e055c348b92adc2f3addf2d1e36ea9a8a9e8007409b1105a53c6e0b80b797c1400efd3664fa5fcb03dee3f3a9f169bd50a07eba63

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mao05ro4\CSCF10C2D959DC4BA09A7732822F29BE1D.TMP
MD5
4b5e04bcd9382c1f130a3a56fe1e98ee

SHA1
bc0115b69e11a2b1d65a60b90d960813a3696b74

SHA256
65cc39f801cda822b470eeb167be02468ccb181548a8eb84f3e0bdb3cbd32f4d

SHA512
240be6f2ee2f93d3fff5ed82b06d752f6151c51b0cf4e5b4c73c5b9d8562316ef71b0827b4e1978285e05f5ca4342827ac447bfccccc920939cae887d612b056

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mao05ro4\mao05ro4.0.cs
MD5
eb9d1ba75e2a29b96e3c75b73b41df4c

SHA1
093bd046abe146fc1fffe45f073e0306d365ccbf

SHA256
12480589381d69c1eb1abd50b4eaa33b49dcacbef78e358a757d1d7d11de3bda

SHA512
f03442a0fff3b85ff37d44f071366ea97884f48675433f967317d656dc8e00b184bc51c63c39987fd310a763d1dd9beb8878e0445edc3aa76fd6f62aba94571f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mao05ro4\mao05ro4.cmdline
MD5
a7a074dd0e60e8cdcff021ebf0579c26

SHA1
9d34fa0c0227e1232100e66000718122d792d5fa

SHA256
264d5e7ea1b4a25c5992baf9dc363bca5bff124e0d989dd4c941e17b5c1dd5ae

SHA512
0bfb139155ec432c437ee55e2fd76ecd290e46c919000aebf9db9bcb7d8098c8ea9db05d87ecf697383bccf3d76390b05ebc21e6593895b67396e13ae0465004

Download Submit
memory/204-132-0x0000000000000000-mapping.dmp

Download
memory/652-114-0x0000025B82A20000-0x0000025B82A21000-memory.dmp

Filesize
4KB

Download
memory/652-116-0x0000025B9CFC0000-0x0000025B9CFC2000-memory.dmp

Filesize
8KB

Download
memory/1788-124-0x000001FEBF436000-0x000001FEBF437000-memory.dmp

Filesize
4KB

Download
memory/1788-137-0x000001FEA6A00000-0x000001FEA6A11000-memory.dmp

Filesize
68KB

Download
memory/1788-126-0x000001FEC1410000-0x000001FEC1411000-memory.dmp

Filesize
4KB

Download
memory/1788-128-0x000001FEBF438000-0x000001FEBF43A000-memory.dmp

Filesize
8KB

Download
memory/1788-127-0x000001FEBF437000-0x000001FEBF438000-memory.dmp

Filesize
4KB

Download
memory/1788-144-0x000001FEA6A90000-0x000001FEA6A96000-memory.dmp

Filesize
24KB

Download
memory/1788-123-0x000001FEBF433000-0x000001FEBF435000-memory.dmp

Filesize
8KB

Download
memory/1788-122-0x000001FEBF430000-0x000001FEBF432000-memory.dmp

Filesize
8KB

Download
memory/1788-121-0x0000000140000000-0x0000000140047000-memory.dmp

Filesize
284KB

Download
memory/1788-119-0x000001FEA6770000-0x000001FEA678F000-memory.dmp

Filesize
124KB

Download
memory/1788-117-0x0000000140000000-0x0000000140047000-memory.dmp

Filesize
284KB

Download
memory/1788-118-0x0000000140008630-mapping.dmp

Download
memory/1788-136-0x000001FEA69F0000-0x000001FEA69F1000-memory.dmp

Filesize
4KB

Download
memory/1788-125-0x000001FEA69C0000-0x000001FEA69C1000-memory.dmp

Filesize
4KB

Download
memory/1788-138-0x000001FEBF43A000-0x000001FEBF43F000-memory.dmp

Filesize
20KB

Download
memory/1788-139-0x000001FEBF3C0000-0x000001FEBF3C1000-memory.dmp

Filesize
4KB

Download
memory/1788-140-0x000001FEC1BC0000-0x000001FEC26D8000-memory.dmp

Filesize
11.1MB

Download
memory/1788-141-0x000001FEBF390000-0x000001FEBF391000-memory.dmp

Filesize
4KB

Download
memory/3200-129-0x0000000000000000-mapping.dmp

Download
memory/4000-142-0x0000000000000000-mapping.dmp

Download
memory/4048-143-0x0000000000000000-mapping.dmp

Download
memory/4048-160-0x00000285A2010000-0x00000285A2012000-memory.dmp

Filesize
8KB

Download
memory/4048-161-0x00000285A2013000-0x00000285A2015000-memory.dmp

Filesize
8KB

Download
memory/4048-162-0x00000285A2016000-0x00000285A2018000-memory.dmp

Filesize
8KB

Download
memory/4048-163-0x00000285A4F00000-0x00000285A4F01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads