asyncrat | 79c980bfebcae8726171a7cb2ff931f0da8bad4edd0fd0beb088e32ad1d1c7a7

General

Target

4623254c01d5f7aacd77ce78329a0976.exe
Size

770KB
MD5

4623254c01d5f7aacd77ce78329a0976
SHA1

10c144749fb54444b65a2cea0f3a18fc08a5a0a2
SHA256

79c980bfebcae8726171a7cb2ff931f0da8bad4edd0fd0beb088e32ad1d1c7a7
SHA512

b0cfa65b7875b4b4a8b06d92f1595c724dc9698246cae920cbbd5e0d8da955c8f573ed459a64ad35799f31bf301c2dd5df4b350afb83225b5954196c7ac5e500

Score

10^/10

asyncrat rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

C2

79.134.225.22:7890

Mutex

plpwufojgjumnqp

Attributes

aes_key
YRR6qoQ9k1oF6WSlJmfPDS5io7Iq9moG
anti_detection
false
autorun
false
bdos
false
delay
Muva
host
79.134.225.22
hwid
25
install_file
install_folder
%AppData%
mutex
plpwufojgjumnqp
pastebin_config
null
port
7890
version
0.5.6D

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3956-127-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3956-128-0x000000000040C60E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

4623254c01d5f7aacd77ce78329a0976.exe

description pid process target process

PID 2184 set thread context of 3956 2184 4623254c01d5f7aacd77ce78329a0976.exe 4623254c01d5f7aacd77ce78329a0976.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3116 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4623254c01d5f7aacd77ce78329a0976.exe

pid process

2184 4623254c01d5f7aacd77ce78329a0976.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4623254c01d5f7aacd77ce78329a0976.exe4623254c01d5f7aacd77ce78329a0976.exe

description pid process

Token: SeDebugPrivilege 2184 4623254c01d5f7aacd77ce78329a0976.exe
Token: SeDebugPrivilege 3956 4623254c01d5f7aacd77ce78329a0976.exe

description	pid	process	target process
PID 2184 set thread context of 3956	2184	4623254c01d5f7aacd77ce78329a0976.exe	4623254c01d5f7aacd77ce78329a0976.exe

pid	process
3116	schtasks.exe

pid	process
2184	4623254c01d5f7aacd77ce78329a0976.exe

description	pid	process
Token: SeDebugPrivilege	2184	4623254c01d5f7aacd77ce78329a0976.exe
Token: SeDebugPrivilege	3956	4623254c01d5f7aacd77ce78329a0976.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

4623254c01d5f7aacd77ce78329a0976.exe

description	pid	process	target process
PID 2184 wrote to memory of 3116	2184	4623254c01d5f7aacd77ce78329a0976.exe	schtasks.exe
PID 2184 wrote to memory of 3116	2184	4623254c01d5f7aacd77ce78329a0976.exe	schtasks.exe
PID 2184 wrote to memory of 3116	2184	4623254c01d5f7aacd77ce78329a0976.exe	schtasks.exe
PID 2184 wrote to memory of 3956	2184	4623254c01d5f7aacd77ce78329a0976.exe	4623254c01d5f7aacd77ce78329a0976.exe
PID 2184 wrote to memory of 3956	2184	4623254c01d5f7aacd77ce78329a0976.exe	4623254c01d5f7aacd77ce78329a0976.exe
PID 2184 wrote to memory of 3956	2184	4623254c01d5f7aacd77ce78329a0976.exe	4623254c01d5f7aacd77ce78329a0976.exe
PID 2184 wrote to memory of 3956	2184	4623254c01d5f7aacd77ce78329a0976.exe	4623254c01d5f7aacd77ce78329a0976.exe
PID 2184 wrote to memory of 3956	2184	4623254c01d5f7aacd77ce78329a0976.exe	4623254c01d5f7aacd77ce78329a0976.exe
PID 2184 wrote to memory of 3956	2184	4623254c01d5f7aacd77ce78329a0976.exe	4623254c01d5f7aacd77ce78329a0976.exe
PID 2184 wrote to memory of 3956	2184	4623254c01d5f7aacd77ce78329a0976.exe	4623254c01d5f7aacd77ce78329a0976.exe
PID 2184 wrote to memory of 3956	2184	4623254c01d5f7aacd77ce78329a0976.exe	4623254c01d5f7aacd77ce78329a0976.exe

C:\Users\Admin\AppData\Local\Temp\4623254c01d5f7aacd77ce78329a0976.exe
"C:\Users\Admin\AppData\Local\Temp\4623254c01d5f7aacd77ce78329a0976.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CRPrKapxQE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp89D2.tmp"
2⤵
- Creates scheduled task(s)
PID:3116

C:\Users\Admin\AppData\Local\Temp\4623254c01d5f7aacd77ce78329a0976.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4623254c01d5f7aacd77ce78329a0976.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp89D2.tmp
MD5
953f76aecf6690a2494d73d76348edf3

SHA1
7a8f1d31a82d17d69e7295d2d9a66a6091eb3766

SHA256
0325fa28eb62280e2da8b39e81ebe4b30fe6f36fb68dba64c77e49f1008af3c6

SHA512
921c5104db488a39c0b3818b08b0b073b9f971fd141732d37a76a2f165620bb552fe5b9661a9211dde9153d80418ed9159a2219b4bcd4d8706cff2778fc02a58

Download Submit
memory/2184-123-0x00000000064C0000-0x000000000651F000-memory.dmp

Filesize
380KB

Download
memory/2184-124-0x0000000002F30000-0x0000000002F3E000-memory.dmp

Filesize
56KB

Download
memory/2184-119-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/2184-120-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/2184-121-0x0000000005B40000-0x0000000005B42000-memory.dmp

Filesize
8KB

Download
memory/2184-122-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/2184-114-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2184-118-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/2184-116-0x0000000005390000-0x00000000053CB000-memory.dmp

Filesize
236KB

Download
memory/2184-117-0x0000000009DD0000-0x0000000009DD1000-memory.dmp

Filesize
4KB

Download
memory/3116-125-0x0000000000000000-mapping.dmp

Download
memory/3956-127-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3956-128-0x000000000040C60E-mapping.dmp

Download
memory/3956-132-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/3956-135-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads