asyncrat | 46aaee021fec9564e323cbb46072b15696f53cb48e153a6575ec8abc8feba35e

General

Target

VZ8WSCNqI5hk6UO.exe
Size

1.1MB
MD5

5624c43315cd655ce3162930ca5feecf
SHA1

9fe4a649a4c12e15bb19157c11f166d811e8e56a
SHA256

46aaee021fec9564e323cbb46072b15696f53cb48e153a6575ec8abc8feba35e
SHA512

8ddd7f8bf8283af1c28a3ac55793b3e9f761531ad3d11d7a9548dc686082ec924beb8468b7644486df403a8447178aebc4b6048bd7083633342442ce3ece0a9c

Score

10^/10

asyncrat rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

wabbus02.duckdns.org:6606

wabbus02.duckdns.org:7707

wabbus02.duckdns.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
9qwxkQ2pkGzKNYyg3Ocjqt8oTvsTstZQ
anti_detection
false
autorun
false
bdos
false
delay
Default
host
wabbus02.duckdns.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6606,7707,8808
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3600-126-0x000000000040C73E-mapping.dmp	asyncrat
behavioral2/memory/3600-125-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/3944-122-0x0000000007DA0000-0x0000000007DAB000-memory.dmp	CustAttr

Suspicious use of SetThreadContext 1 IoCs

Processes:

VZ8WSCNqI5hk6UO.exe

description pid process target process

PID 3944 set thread context of 3600 3944 VZ8WSCNqI5hk6UO.exe VZ8WSCNqI5hk6UO.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

VZ8WSCNqI5hk6UO.exe

description pid process

Token: SeDebugPrivilege 3600 VZ8WSCNqI5hk6UO.exe

description	pid	process	target process
PID 3944 set thread context of 3600	3944	VZ8WSCNqI5hk6UO.exe	VZ8WSCNqI5hk6UO.exe

description	pid	process
Token: SeDebugPrivilege	3600	VZ8WSCNqI5hk6UO.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

VZ8WSCNqI5hk6UO.exe

description	pid	process	target process
PID 3944 wrote to memory of 3600	3944	VZ8WSCNqI5hk6UO.exe	VZ8WSCNqI5hk6UO.exe
PID 3944 wrote to memory of 3600	3944	VZ8WSCNqI5hk6UO.exe	VZ8WSCNqI5hk6UO.exe
PID 3944 wrote to memory of 3600	3944	VZ8WSCNqI5hk6UO.exe	VZ8WSCNqI5hk6UO.exe
PID 3944 wrote to memory of 3600	3944	VZ8WSCNqI5hk6UO.exe	VZ8WSCNqI5hk6UO.exe
PID 3944 wrote to memory of 3600	3944	VZ8WSCNqI5hk6UO.exe	VZ8WSCNqI5hk6UO.exe
PID 3944 wrote to memory of 3600	3944	VZ8WSCNqI5hk6UO.exe	VZ8WSCNqI5hk6UO.exe
PID 3944 wrote to memory of 3600	3944	VZ8WSCNqI5hk6UO.exe	VZ8WSCNqI5hk6UO.exe
PID 3944 wrote to memory of 3600	3944	VZ8WSCNqI5hk6UO.exe	VZ8WSCNqI5hk6UO.exe

C:\Users\Admin\AppData\Local\Temp\VZ8WSCNqI5hk6UO.exe
"C:\Users\Admin\AppData\Local\Temp\VZ8WSCNqI5hk6UO.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3944

C:\Users\Admin\AppData\Local\Temp\VZ8WSCNqI5hk6UO.exe
"C:\Users\Admin\AppData\Local\Temp\VZ8WSCNqI5hk6UO.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VZ8WSCNqI5hk6UO.exe.log
MD5
90acfd72f14a512712b1a7380c0faf60

SHA1
40ba4accb8faa75887e84fb8e38d598dc8cf0f12

SHA256
20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

SHA512
29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

Download Submit
memory/3600-126-0x000000000040C73E-mapping.dmp

Download
memory/3600-133-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/3600-130-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/3600-125-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3944-121-0x00000000055D0000-0x0000000005ACE000-memory.dmp

Filesize
5.0MB

Download
memory/3944-114-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/3944-122-0x0000000007DA0000-0x0000000007DAB000-memory.dmp

Filesize
44KB

Download
memory/3944-123-0x0000000007AA0000-0x0000000007AF7000-memory.dmp

Filesize
348KB

Download
memory/3944-124-0x0000000007C40000-0x0000000007C52000-memory.dmp

Filesize
72KB

Download
memory/3944-120-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/3944-119-0x00000000016B0000-0x00000000016B1000-memory.dmp

Filesize
4KB

Download
memory/3944-118-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/3944-117-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/3944-116-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads