asyncrat | ba3c244413f003bbd093b5e3e082bb9b0914d5bd9e03526b0e4b4faf4eacc411

General

Target

2f858b2cdd1332777a75cb98481fe425.exe
Size

262KB
MD5

2f858b2cdd1332777a75cb98481fe425
SHA1

3ff58b35d77a3f9759aad0168a52d95d6eb21643
SHA256

ba3c244413f003bbd093b5e3e082bb9b0914d5bd9e03526b0e4b4faf4eacc411
SHA512

57ba0490b16b4205ca328aebbbafa181dca48f24e3668e40e099922bde363571bbe6f8ee5f35059b7cdafdf1cece6e23c8926c0b7658076d827a033f3a9a8844

Score

10^/10

asyncrat evasion rat spyware stealer suricata

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4068-130-0x0000027618AE0000-0x0000027618AF1000-memory.dmp	asyncrat
behavioral2/memory/4068-134-0x0000027619840000-0x000002761A358000-memory.dmp	asyncrat

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exe

flow pid process

25 2008 powershell.exe
27 2008 powershell.exe
29 2008 powershell.exe
31 2008 powershell.exe
32 2008 powershell.exe
34 2008 powershell.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 checkip.dyndns.org

flow	pid	process
25	2008	powershell.exe
27	2008	powershell.exe
29	2008	powershell.exe
31	2008	powershell.exe
32	2008	powershell.exe
34	2008	powershell.exe

flow	ioc
16	checkip.dyndns.org

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2f858b2cdd1332777a75cb98481fe425.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2f858b2cdd1332777a75cb98481fe425.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	2f858b2cdd1332777a75cb98481fe425.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2f858b2cdd1332777a75cb98481fe425.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\DAB8FBB41A4CADA7BFE02728D5788CFB11B32486\Blob = 14000000010000001400000069771117b9bcebb9fb41aa6fbc7529ba8d2257b00b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000000200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000dab8fbb41a4cada7bfe02728d5788cfb11b324862000000001000000e0020000308202dc308201c4a0030201020208407e2f85a5be7000300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3230303732353138303633395a170d3233313032393138303633395a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a028201010082889db3fc30cb0912c061ad094ced7edda42bdf7e81f3940ece29baaa1fa02ad62ed551675467811cb53413b9b1f7ed8ce70866ea5d0e8cb7d90caca0a736e1ebc327d16b29aade2fe57bc81d30844d484b80f3b37be44023f682cd591582df26f386c590e4d5fb37ee03d1f7a545baebc57b2ac66a1a1b6a0c6a9f4bf3098c12ff6fad4cbb9739786c01f82eefb185aed0fdb179829f92020c106ee8fbfc614e1c81fec239664c9318d8f905177e83563533ce63b6440cd620b18e1d1eaec512d4121d79bb3d66cbb2d88c7c3a91182ea64f8919627657ec7cdd4d8771d3612e712f726be16a29f52e741c86e4061cc84a04596ed5f8aa9ec7a030687ebf6d0203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003820101005590c176602706abf58820b3838036ce2bd168514bb857eed9d815c13f8a713db5a6136f7e639683291b150a1fef3c8b6405df77c237f9c82885689bcc27cb59b36e78fbc46574fff6b8b1aa72d974045ca47b6e19fa0694ee64fa8ebff5a1850eb1f5fbd069176ad184df358f6e99dbc58dfca8cca16c6ee663e5c546767df51f270a2c1030b1bf846333dd9618da3eadb824dfe106fbd83cfc9e81dfb4fee8d883e2233697bbac5e9c3a4977e2d724a5aa8c381b27e4b971d6ff7f0b29872891312714f21c33efd4c8df099fb3c0bb1ab9097c6945dc4607f0f9438ff6777a32630e73c263f4f12509bf0249c93d9a2126c0ddfbfc69c6f4d09af0aa64493a	2f858b2cdd1332777a75cb98481fe425.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DAB8FBB41A4CADA7BFE02728D5788CFB11B32486	2f858b2cdd1332777a75cb98481fe425.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DAB8FBB41A4CADA7BFE02728D5788CFB11B32486\Blob = 030000000100000014000000dab8fbb41a4cada7bfe02728d5788cfb11b324860200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000002000000001000000e0020000308202dc308201c4a0030201020208407e2f85a5be7000300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3230303732353138303633395a170d3233313032393138303633395a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a028201010082889db3fc30cb0912c061ad094ced7edda42bdf7e81f3940ece29baaa1fa02ad62ed551675467811cb53413b9b1f7ed8ce70866ea5d0e8cb7d90caca0a736e1ebc327d16b29aade2fe57bc81d30844d484b80f3b37be44023f682cd591582df26f386c590e4d5fb37ee03d1f7a545baebc57b2ac66a1a1b6a0c6a9f4bf3098c12ff6fad4cbb9739786c01f82eefb185aed0fdb179829f92020c106ee8fbfc614e1c81fec239664c9318d8f905177e83563533ce63b6440cd620b18e1d1eaec512d4121d79bb3d66cbb2d88c7c3a91182ea64f8919627657ec7cdd4d8771d3612e712f726be16a29f52e741c86e4061cc84a04596ed5f8aa9ec7a030687ebf6d0203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003820101005590c176602706abf58820b3838036ce2bd168514bb857eed9d815c13f8a713db5a6136f7e639683291b150a1fef3c8b6405df77c237f9c82885689bcc27cb59b36e78fbc46574fff6b8b1aa72d974045ca47b6e19fa0694ee64fa8ebff5a1850eb1f5fbd069176ad184df358f6e99dbc58dfca8cca16c6ee663e5c546767df51f270a2c1030b1bf846333dd9618da3eadb824dfe106fbd83cfc9e81dfb4fee8d883e2233697bbac5e9c3a4977e2d724a5aa8c381b27e4b971d6ff7f0b29872891312714f21c33efd4c8df099fb3c0bb1ab9097c6945dc4607f0f9438ff6777a32630e73c263f4f12509bf0249c93d9a2126c0ddfbfc69c6f4d09af0aa64493a	2f858b2cdd1332777a75cb98481fe425.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\DAB8FBB41A4CADA7BFE02728D5788CFB11B32486	2f858b2cdd1332777a75cb98481fe425.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\DAB8FBB41A4CADA7BFE02728D5788CFB11B32486\Blob = 030000000100000014000000dab8fbb41a4cada7bfe02728d5788cfb11b324860200000001000000a40000001c00000044000000010000000000000000000000000000000100000043004e003d004f005600200056006500720069005300690067006e002000430041000000000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000001e0000004f005600200056006500720069005300690067006e0020004300410000002000000001000000e0020000308202dc308201c4a0030201020208407e2f85a5be7000300d06092a864886f70d01010b050030193117301506035504030c0e4f5620566572695369676e204341301e170d3230303732353138303633395a170d3233313032393138303633395a30193117301506035504030c0e4f5620566572695369676e20434130820122300d06092a864886f70d01010105000382010f003082010a028201010082889db3fc30cb0912c061ad094ced7edda42bdf7e81f3940ece29baaa1fa02ad62ed551675467811cb53413b9b1f7ed8ce70866ea5d0e8cb7d90caca0a736e1ebc327d16b29aade2fe57bc81d30844d484b80f3b37be44023f682cd591582df26f386c590e4d5fb37ee03d1f7a545baebc57b2ac66a1a1b6a0c6a9f4bf3098c12ff6fad4cbb9739786c01f82eefb185aed0fdb179829f92020c106ee8fbfc614e1c81fec239664c9318d8f905177e83563533ce63b6440cd620b18e1d1eaec512d4121d79bb3d66cbb2d88c7c3a91182ea64f8919627657ec7cdd4d8771d3612e712f726be16a29f52e741c86e4061cc84a04596ed5f8aa9ec7a030687ebf6d0203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b050003820101005590c176602706abf58820b3838036ce2bd168514bb857eed9d815c13f8a713db5a6136f7e639683291b150a1fef3c8b6405df77c237f9c82885689bcc27cb59b36e78fbc46574fff6b8b1aa72d974045ca47b6e19fa0694ee64fa8ebff5a1850eb1f5fbd069176ad184df358f6e99dbc58dfca8cca16c6ee663e5c546767df51f270a2c1030b1bf846333dd9618da3eadb824dfe106fbd83cfc9e81dfb4fee8d883e2233697bbac5e9c3a4977e2d724a5aa8c381b27e4b971d6ff7f0b29872891312714f21c33efd4c8df099fb3c0bb1ab9097c6945dc4607f0f9438ff6777a32630e73c263f4f12509bf0249c93d9a2126c0ddfbfc69c6f4d09af0aa64493a	2f858b2cdd1332777a75cb98481fe425.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

2f858b2cdd1332777a75cb98481fe425.exepowershell.exe

pid	process
4068	2f858b2cdd1332777a75cb98481fe425.exe
4068	2f858b2cdd1332777a75cb98481fe425.exe
4068	2f858b2cdd1332777a75cb98481fe425.exe
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2f858b2cdd1332777a75cb98481fe425.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4068 2f858b2cdd1332777a75cb98481fe425.exe
Token: SeDebugPrivilege 2008 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4068	2f858b2cdd1332777a75cb98481fe425.exe
Token: SeDebugPrivilege	2008	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2f858b2cdd1332777a75cb98481fe425.execsc.exe

description	pid	process	target process
PID 4068 wrote to memory of 2688	4068	2f858b2cdd1332777a75cb98481fe425.exe	csc.exe
PID 4068 wrote to memory of 2688	4068	2f858b2cdd1332777a75cb98481fe425.exe	csc.exe
PID 2688 wrote to memory of 3344	2688	csc.exe	cvtres.exe
PID 2688 wrote to memory of 3344	2688	csc.exe	cvtres.exe
PID 4068 wrote to memory of 2616	4068	2f858b2cdd1332777a75cb98481fe425.exe	netsh.exe
PID 4068 wrote to memory of 2616	4068	2f858b2cdd1332777a75cb98481fe425.exe	netsh.exe
PID 4068 wrote to memory of 2008	4068	2f858b2cdd1332777a75cb98481fe425.exe	powershell.exe
PID 4068 wrote to memory of 2008	4068	2f858b2cdd1332777a75cb98481fe425.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\2f858b2cdd1332777a75cb98481fe425.exe
"C:\Users\Admin\AppData\Local\Temp\2f858b2cdd1332777a75cb98481fe425.exe"
1⤵
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5zopmuov\5zopmuov.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES257F.tmp" "c:\Users\Admin\AppData\Local\Temp\5zopmuov\CSC8123F92FD1014562A33FFA28F47B295.TMP"
3⤵
PID:3344

C:\Windows\SYSTEM32\netsh.exe
"netsh.exe" firewall add allowedprogram C:\Users\Admin\AppData\Local\Temp\2f858b2cdd1332777a75cb98481fe425.exe SystemUpdate ENABLE
2⤵
PID:2616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -enc dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAKAHQAcgB5AHsAaQB3AHIAIAAnAGgAdAB0AHAAcwA6AC8ALwBnAG8AbwBnAGwAZQAuAGMAbwBtACcAfQBjAGEAdABjAGgAewAKACQAcgBlAGcASwBlAHkAPQAiAEgASwBDAFUAOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAEkAbgB0AGUAcgBuAGUAdAAgAFMAZQB0AHQAaQBuAGcAcwAiADsAUwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAC0AcABhAHQAaAAgACQAcgBlAGcASwBlAHkAIABQAHIAbwB4AHkARQBuAGEAYgBsAGUAIAAtAHYAYQBsAHUAZQAgADAAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAIAA7AFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAUAByAG8AeAB5AFMAZQByAHYAZQByACAALQB2AGEAbAB1AGUAIAAiACIAIAAtAEUAcgByAG8AcgBBAGMAdABpAG8AbgAgAFMAdABvAHAAOwAgAFMAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAHAAYQB0AGgAIAAkAHIAZQBnAEsAZQB5ACAAQQB1AHQAbwBDAG8AbgBmAGkAZwBVAFIATAAgAC0AVgBhAGwAdQBlACAAIgAiACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAHQAbwBwAAoAfQAKAHMAbABlAGUAcAAgADIAfQA=
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5zopmuov\5zopmuov.dll
MD5
db9505799935efd6268e0d22bba77aa4

SHA1
d45cb2a4c078238ba65089b8a6898f861e091df5

SHA256
e66e62c3b1e871fead3b3ad701c0d81cb382f19b63fd3c25a80f9dff6d352e68

SHA512
c2eaf45831454ca887b22ed8675f4500bae3d35681ac21dbcf8b50ec0d1777d685468e4634a897d5d2b9ed2c049ba6f37c1dd4e8aa8596da6c0421b925016ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES257F.tmp
MD5
4ea1504a3bc9b09bc13065b1aaf8ea7e

SHA1
e7b4a8e20638800229c17f474911b7c7a4a98454

SHA256
948dc88a7d6f267ff5a4616bb06d6ac0b77db2e20fccf4a30eb3ecdf2f5ccbb5

SHA512
61a6b2cfbda62c5b568fa539cd730c47bf5eaf4ca64b741e412c673d250b55cc144f19bff6f7a4ff6a0d09f1b5d9a0f1ae534e34baa42ed1daf8649062e8fab4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5zopmuov\5zopmuov.0.cs
MD5
eb9d1ba75e2a29b96e3c75b73b41df4c

SHA1
093bd046abe146fc1fffe45f073e0306d365ccbf

SHA256
12480589381d69c1eb1abd50b4eaa33b49dcacbef78e358a757d1d7d11de3bda

SHA512
f03442a0fff3b85ff37d44f071366ea97884f48675433f967317d656dc8e00b184bc51c63c39987fd310a763d1dd9beb8878e0445edc3aa76fd6f62aba94571f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5zopmuov\5zopmuov.cmdline
MD5
cec88f39904bb4d369862c6abbb807c5

SHA1
fb7d0b2e0dec9a8ba0653f8fb1bc39484014b7b5

SHA256
b98ee1a109400c51a849cf6758fcd5725999ae0f7f89ba91101dcf9dc9063214

SHA512
4d58701991a42baa4749909917e5ccc82602c05fa0621a559a06af448104ab95b1873d7fe0db709200c43efaffd050a9ee559be4febc553cdc7b5ad7022bca7c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5zopmuov\CSC8123F92FD1014562A33FFA28F47B295.TMP
MD5
610b1e45e0bf97de5fccb0ed279eb310

SHA1
0bd637a5727edbdb5f76a3719ac5816fd3cc8db5

SHA256
4d0cf37b25af7668b3cbe52956a9c9f5d1b018d631f7a7d3897b551bddbee495

SHA512
1093fc16b7e8df4290d8472f573a84a284e63afcc1507898f15109f57badf1a672178d14450e72543c5aa473fc14279d8cb4cb58bc85544d205786bcb3e03034

Download Submit
memory/2008-154-0x000001E1F08B6000-0x000001E1F08B8000-memory.dmp

Filesize
8KB

Download
memory/2008-153-0x000001E1F1B10000-0x000001E1F1B11000-memory.dmp

Filesize
4KB

Download
memory/2008-147-0x000001E1F08B3000-0x000001E1F08B5000-memory.dmp

Filesize
8KB

Download
memory/2008-145-0x000001E1F08B0000-0x000001E1F08B2000-memory.dmp

Filesize
8KB

Download
memory/2008-137-0x0000000000000000-mapping.dmp

Download
memory/2616-136-0x0000000000000000-mapping.dmp

Download
memory/2688-122-0x0000000000000000-mapping.dmp

Download
memory/3344-125-0x0000000000000000-mapping.dmp

Download
memory/4068-134-0x0000027619840000-0x000002761A358000-memory.dmp

Filesize
11.1MB

Download
memory/4068-135-0x0000027618B50000-0x0000027618B51000-memory.dmp

Filesize
4KB

Download
memory/4068-130-0x0000027618AE0000-0x0000027618AF1000-memory.dmp

Filesize
68KB

Download
memory/4068-132-0x0000027618B7A000-0x0000027618B7F000-memory.dmp

Filesize
20KB

Download
memory/4068-131-0x0000027618B78000-0x0000027618B7A000-memory.dmp

Filesize
8KB

Download
memory/4068-133-0x00000276197F0000-0x00000276197F1000-memory.dmp

Filesize
4KB

Download
memory/4068-129-0x0000027618A40000-0x0000027618A41000-memory.dmp

Filesize
4KB

Download
memory/4068-121-0x0000027618B77000-0x0000027618B78000-memory.dmp

Filesize
4KB

Download
memory/4068-114-0x0000027600060000-0x000002760007F000-memory.dmp

Filesize
124KB

Download
memory/4068-120-0x0000027618FF0000-0x0000027618FF1000-memory.dmp

Filesize
4KB

Download
memory/4068-138-0x0000027618B40000-0x0000027618B46000-memory.dmp

Filesize
24KB

Download
memory/4068-119-0x0000027618B76000-0x0000027618B77000-memory.dmp

Filesize
4KB

Download
memory/4068-118-0x0000027618B73000-0x0000027618B75000-memory.dmp

Filesize
8KB

Download
memory/4068-116-0x0000027618A50000-0x0000027618A51000-memory.dmp

Filesize
4KB

Download
memory/4068-117-0x0000027618B70000-0x0000027618B72000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads