asyncrat | ba3c244413f003bbd093b5e3e082bb9b0914d5bd9e03526b0e4b4faf4eacc411

General

Target

2f858b2cdd1332777a75cb98481fe425.exe
Size

262KB
MD5

2f858b2cdd1332777a75cb98481fe425
SHA1

3ff58b35d77a3f9759aad0168a52d95d6eb21643
SHA256

ba3c244413f003bbd093b5e3e082bb9b0914d5bd9e03526b0e4b4faf4eacc411
SHA512

57ba0490b16b4205ca328aebbbafa181dca48f24e3668e40e099922bde363571bbe6f8ee5f35059b7cdafdf1cece6e23c8926c0b7658076d827a033f3a9a8844

Score

10^/10

asyncrat evasion rat spyware stealer suricata

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/568-130-0x0000023760BC0000-0x0000023760BD1000-memory.dmp	asyncrat
behavioral2/memory/568-139-0x0000023761A00000-0x0000023762518000-memory.dmp	asyncrat

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exe

flow pid process

26 2976 powershell.exe
28 2976 powershell.exe
30 2976 powershell.exe
34 2976 powershell.exe
35 2976 powershell.exe
37 2976 powershell.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 ipinfo.io
16 checkip.dyndns.org

flow	pid	process
26	2976	powershell.exe
28	2976	powershell.exe
30	2976	powershell.exe
34	2976	powershell.exe
35	2976	powershell.exe
37	2976	powershell.exe

flow	ioc
19	ipinfo.io
16	checkip.dyndns.org

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2f858b2cdd1332777a75cb98481fe425.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2f858b2cdd1332777a75cb98481fe425.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2f858b2cdd1332777a75cb98481fe425.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2f858b2cdd1332777a75cb98481fe425.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\1A11FBFA5642ED8EB0880A66278474A76B4C6CDB	2f858b2cdd1332777a75cb98481fe425.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\1A11FBFA5642ED8EB0880A66278474A76B4C6CDB\Blob = 0300000001000000140000001a11fbfa5642ed8eb0880a66278474a76b4c6cdb0200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000002000000001000000e0020000308202dc308201c4a003020102020827c6afe460e74754300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3230303732353139343530345a170d3233313032393139343530345a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009412eebd9a85c69c85f06791bfe5da1d65d9a054f743eb79085c09e25f6314f3ebd0141f6688e84999194471f9d732aea9879f53e2f2eb0d6bacf18643a3b16184b95e7c5e9e7e1b6b6dcadaa97fee4c1ccbde45d4cc1ea9a9d1d5e18ff6d21e6cb01a449506f07966fc2c16196c4f8f1fca8b4f5c252aeb809a1e82461a6156f640eb4eb3c73347dd3d5e89028daf9f5ca212ccd1e1b2a6fc972821876ca839a7d61d8af74803bf423cb46b477c793a87e262e48f0b0f25ecbc121a4f49f284128b719abf42b20593bfd0c91bcfcb686a736362d834e6c48e94e18c69cca791631fa57324c19efea212beddb5bab099664e291d042abb7d943b3a6bedb69a230203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003820101006a441042755184b74221f3fd604c48e3a0aa9538adf4a9ff7e9c33ca8f3d856dfd2ec3c639779383965640d2c0c6f19e2b5bbcd903cf27c40abea426f0db9712d8bec3c64f27610b020064398fc6cedbd3f5097b28518e6175f41d08008b5f539116cf2950aae64d9bc81b9d21544691994a3d903255f9f1f676bdff9cad8e059b041232758a35b1bffc41612bd23a948e9b110a584f15e222a0631393194ca3c70f33887516a25f9ce9fbffd3b9f8f8fae60e9d70d8d0fbc99bae418a13e7bb8b0cf094348a23bc7a73fb505367fb06c632f82aa871c1334b99f41b138ed80c20007d37d464bfc973d522dc79b4eb899fa902a29f09d6e370f09fd2db4a11f8	2f858b2cdd1332777a75cb98481fe425.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\1A11FBFA5642ED8EB0880A66278474A76B4C6CDB\Blob = 140000000100000014000000a7156e54de0968d1400e51dd6ea547ad9191f6d70b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000000200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000300000001000000140000001a11fbfa5642ed8eb0880a66278474a76b4c6cdb2000000001000000e0020000308202dc308201c4a003020102020827c6afe460e74754300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3230303732353139343530345a170d3233313032393139343530345a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009412eebd9a85c69c85f06791bfe5da1d65d9a054f743eb79085c09e25f6314f3ebd0141f6688e84999194471f9d732aea9879f53e2f2eb0d6bacf18643a3b16184b95e7c5e9e7e1b6b6dcadaa97fee4c1ccbde45d4cc1ea9a9d1d5e18ff6d21e6cb01a449506f07966fc2c16196c4f8f1fca8b4f5c252aeb809a1e82461a6156f640eb4eb3c73347dd3d5e89028daf9f5ca212ccd1e1b2a6fc972821876ca839a7d61d8af74803bf423cb46b477c793a87e262e48f0b0f25ecbc121a4f49f284128b719abf42b20593bfd0c91bcfcb686a736362d834e6c48e94e18c69cca791631fa57324c19efea212beddb5bab099664e291d042abb7d943b3a6bedb69a230203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003820101006a441042755184b74221f3fd604c48e3a0aa9538adf4a9ff7e9c33ca8f3d856dfd2ec3c639779383965640d2c0c6f19e2b5bbcd903cf27c40abea426f0db9712d8bec3c64f27610b020064398fc6cedbd3f5097b28518e6175f41d08008b5f539116cf2950aae64d9bc81b9d21544691994a3d903255f9f1f676bdff9cad8e059b041232758a35b1bffc41612bd23a948e9b110a584f15e222a0631393194ca3c70f33887516a25f9ce9fbffd3b9f8f8fae60e9d70d8d0fbc99bae418a13e7bb8b0cf094348a23bc7a73fb505367fb06c632f82aa871c1334b99f41b138ed80c20007d37d464bfc973d522dc79b4eb899fa902a29f09d6e370f09fd2db4a11f8	2f858b2cdd1332777a75cb98481fe425.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1A11FBFA5642ED8EB0880A66278474A76B4C6CDB	2f858b2cdd1332777a75cb98481fe425.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1A11FBFA5642ED8EB0880A66278474A76B4C6CDB\Blob = 0300000001000000140000001a11fbfa5642ed8eb0880a66278474a76b4c6cdb0200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000002000000001000000e0020000308202dc308201c4a003020102020827c6afe460e74754300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3230303732353139343530345a170d3233313032393139343530345a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a02820101009412eebd9a85c69c85f06791bfe5da1d65d9a054f743eb79085c09e25f6314f3ebd0141f6688e84999194471f9d732aea9879f53e2f2eb0d6bacf18643a3b16184b95e7c5e9e7e1b6b6dcadaa97fee4c1ccbde45d4cc1ea9a9d1d5e18ff6d21e6cb01a449506f07966fc2c16196c4f8f1fca8b4f5c252aeb809a1e82461a6156f640eb4eb3c73347dd3d5e89028daf9f5ca212ccd1e1b2a6fc972821876ca839a7d61d8af74803bf423cb46b477c793a87e262e48f0b0f25ecbc121a4f49f284128b719abf42b20593bfd0c91bcfcb686a736362d834e6c48e94e18c69cca791631fa57324c19efea212beddb5bab099664e291d042abb7d943b3a6bedb69a230203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003820101006a441042755184b74221f3fd604c48e3a0aa9538adf4a9ff7e9c33ca8f3d856dfd2ec3c639779383965640d2c0c6f19e2b5bbcd903cf27c40abea426f0db9712d8bec3c64f27610b020064398fc6cedbd3f5097b28518e6175f41d08008b5f539116cf2950aae64d9bc81b9d21544691994a3d903255f9f1f676bdff9cad8e059b041232758a35b1bffc41612bd23a948e9b110a584f15e222a0631393194ca3c70f33887516a25f9ce9fbffd3b9f8f8fae60e9d70d8d0fbc99bae418a13e7bb8b0cf094348a23bc7a73fb505367fb06c632f82aa871c1334b99f41b138ed80c20007d37d464bfc973d522dc79b4eb899fa902a29f09d6e370f09fd2db4a11f8	2f858b2cdd1332777a75cb98481fe425.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2f858b2cdd1332777a75cb98481fe425.exepowershell.exe

pid	process
568	2f858b2cdd1332777a75cb98481fe425.exe
568	2f858b2cdd1332777a75cb98481fe425.exe
568	2f858b2cdd1332777a75cb98481fe425.exe
2976	powershell.exe
2976	powershell.exe
2976	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2f858b2cdd1332777a75cb98481fe425.exepowershell.exe

description pid process

Token: SeDebugPrivilege 568 2f858b2cdd1332777a75cb98481fe425.exe
Token: SeDebugPrivilege 2976 powershell.exe

description	pid	process
Token: SeDebugPrivilege	568	2f858b2cdd1332777a75cb98481fe425.exe
Token: SeDebugPrivilege	2976	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2f858b2cdd1332777a75cb98481fe425.execsc.exe

description	pid	process	target process
PID 568 wrote to memory of 3528	568	2f858b2cdd1332777a75cb98481fe425.exe	csc.exe
PID 568 wrote to memory of 3528	568	2f858b2cdd1332777a75cb98481fe425.exe	csc.exe
PID 3528 wrote to memory of 4080	3528	csc.exe	cvtres.exe
PID 3528 wrote to memory of 4080	3528	csc.exe	cvtres.exe
PID 568 wrote to memory of 2980	568	2f858b2cdd1332777a75cb98481fe425.exe	netsh.exe
PID 568 wrote to memory of 2980	568	2f858b2cdd1332777a75cb98481fe425.exe	netsh.exe
PID 568 wrote to memory of 2976	568	2f858b2cdd1332777a75cb98481fe425.exe	powershell.exe
PID 568 wrote to memory of 2976	568	2f858b2cdd1332777a75cb98481fe425.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\2f858b2cdd1332777a75cb98481fe425.exe
"C:\Users\Admin\AppData\Local\Temp\2f858b2cdd1332777a75cb98481fe425.exe"
1⤵
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b0emybft\b0emybft.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7219.tmp" "c:\Users\Admin\AppData\Local\Temp\b0emybft\CSCD69476789DD402D891B26519471B16C.TMP"
3⤵
PID:4080

C:\Windows\SYSTEM32\netsh.exe
"netsh.exe" firewall add allowedprogram C:\Users\Admin\AppData\Local\Temp\2f858b2cdd1332777a75cb98481fe425.exe SystemUpdate ENABLE
2⤵
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -enc dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAKAHQAcgB5AHsAaQB3AHIAIAAnAGgAdAB0AHAAcwA6AC8ALwBnAG8AbwBnAGwAZQAuAGMAbwBtACcAfQBjAGEAdABjAGgAewAKACQAcgBlAGcASwBlAHkAPQAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEkAbgB0AGUAcgBuAGUAdAAgAFMAZQB0AHQAaQBuAGcAcwAiADsAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAcgBlAGcASwBlAHkAIABQAHIAbwB4AHkARQBuAGEAYgBsAGUAIAAtAHYAYQBsAHUAZQAgADAAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAA7AFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAUAByAG8AeAB5AFMAZQByAHYAZQByACAALQB2AGEAbAB1AGUAIAAiACIAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAOwAgAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAQQB1AHQAbwBDAG8AbgBmAGkAZwBVAFIATAAgAC0AVgBhAGwAdQBlACAAIgAiACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwAAoAfQAKAHMAbABlAGUAcAAgADIAfQA=
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7219.tmp
MD5
ab3580c7fbec130ccf90c59128cb8a34

SHA1
f46fe07432ee1bd7fb1ab4aedfbb132c0ac3d75f

SHA256
717ab895c16105353a87309e47573f31033e028e5b2ccffbc01bbcb3fd1c4a99

SHA512
bc779e567e9a1d5eaf47937bbf4b051dbfee4b33a63f8a0e89c984955bfb90be69654bcc04afbe4fb3e61dbd73224b05e952c06f74ece32f8961787e8eaa5b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0emybft\b0emybft.dll
MD5
df2a87895e458f8b1ec381ae55ff2857

SHA1
79a8ac3f2b0316f43a694057ff6315a9f04caf36

SHA256
461f8f2ac563c037db54483b19ea7fccf466a926f633c0a9d67079cc6246cb9a

SHA512
13a960f4ed3b4d54913dec06bf925b8619b3cc9df9b79dff4a5d3f1029032a1173e9aa61b06d8eb841eaeb71f317643bf2eee64163b48b6acf04b970d731be39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b0emybft\CSCD69476789DD402D891B26519471B16C.TMP
MD5
a11d9feafbb97902e664740357f1a57c

SHA1
2be85009c4d8ad7bf356529e8afd8b1c1e21f498

SHA256
58875fd2646a569fa2d4aa0cf88f8a58d39b409774b85836305692df4955e7d1

SHA512
43da7676936e089c2d298e065af45d555cad5000356a5011cf6bef4ab33bd8d566c3a97847c4af45f48731c09c7086d140085d9d4fb5202b58c1d43ae20f23ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b0emybft\b0emybft.0.cs
MD5
eb9d1ba75e2a29b96e3c75b73b41df4c

SHA1
093bd046abe146fc1fffe45f073e0306d365ccbf

SHA256
12480589381d69c1eb1abd50b4eaa33b49dcacbef78e358a757d1d7d11de3bda

SHA512
f03442a0fff3b85ff37d44f071366ea97884f48675433f967317d656dc8e00b184bc51c63c39987fd310a763d1dd9beb8878e0445edc3aa76fd6f62aba94571f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\b0emybft\b0emybft.cmdline
MD5
f4664a4f6d6c395d7a13d5932540ee0f

SHA1
9f0b368d31880cb1bad8cb073221e5425f807d08

SHA256
450d90515874602c54e4d94fa30b2b4b71b0a193365c46d5ae47d2a6b614b785

SHA512
a3253c397d62b548e0aef140b59e4c934f09ffc9486788409da15fdbd5c65185e84c418fec1aae95633ff557efec6ea92c86df6142834f8bb047f332e24e79d5

Download Submit
memory/568-131-0x0000023760BEA000-0x0000023760BEF000-memory.dmp

Filesize
20KB

Download
memory/568-133-0x00000237617E0000-0x00000237617E1000-memory.dmp

Filesize
4KB

Download
memory/568-142-0x00000237617A0000-0x00000237617A6000-memory.dmp

Filesize
24KB

Download
memory/568-120-0x0000023760FE0000-0x0000023760FE1000-memory.dmp

Filesize
4KB

Download
memory/568-119-0x0000023760A80000-0x0000023760A81000-memory.dmp

Filesize
4KB

Download
memory/568-139-0x0000023761A00000-0x0000023762518000-memory.dmp

Filesize
11.1MB

Download
memory/568-118-0x0000023760BE6000-0x0000023760BE7000-memory.dmp

Filesize
4KB

Download
memory/568-116-0x0000023760BE0000-0x0000023760BE2000-memory.dmp

Filesize
8KB

Download
memory/568-117-0x0000023760BE3000-0x0000023760BE5000-memory.dmp

Filesize
8KB

Download
memory/568-129-0x0000023760BB0000-0x0000023760BB1000-memory.dmp

Filesize
4KB

Download
memory/568-130-0x0000023760BC0000-0x0000023760BD1000-memory.dmp

Filesize
68KB

Download
memory/568-114-0x0000023748070000-0x000002374808F000-memory.dmp

Filesize
124KB

Download
memory/568-132-0x0000023760BE8000-0x0000023760BEA000-memory.dmp

Filesize
8KB

Download
memory/568-121-0x0000023760BE7000-0x0000023760BE8000-memory.dmp

Filesize
4KB

Download
memory/568-134-0x0000023761830000-0x0000023761895000-memory.dmp

Filesize
404KB

Download
memory/568-135-0x00000237617B0000-0x00000237617B1000-memory.dmp

Filesize
4KB

Download
memory/568-136-0x0000023760FD0000-0x0000023760FD5000-memory.dmp

Filesize
20KB

Download
memory/568-137-0x00000237618A0000-0x00000237618F9000-memory.dmp

Filesize
356KB

Download
memory/568-138-0x0000023761900000-0x000002376198D000-memory.dmp

Filesize
564KB

Download
memory/2976-141-0x0000000000000000-mapping.dmp

Download
memory/2976-156-0x0000026702043000-0x0000026702045000-memory.dmp

Filesize
8KB

Download
memory/2976-154-0x0000026702040000-0x0000026702042000-memory.dmp

Filesize
8KB

Download
memory/2976-157-0x0000026702046000-0x0000026702048000-memory.dmp

Filesize
8KB

Download
memory/2976-158-0x000002671B910000-0x000002671B911000-memory.dmp

Filesize
4KB

Download
memory/2980-140-0x0000000000000000-mapping.dmp

Download
memory/3528-122-0x0000000000000000-mapping.dmp

Download
memory/4080-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads