asyncrat | 3ede9e9bdf0965f93b5351cc4be670b30934bc39aca24a3f3ac5f245f47c5073

General

Target

IMAGE00037.exe
Size

1.8MB
MD5

d90d38f2dc39b8b19368a55a44841fa9
SHA1

971a1b851d914a17b97cdc95c17fc7d3f962c009
SHA256

3ede9e9bdf0965f93b5351cc4be670b30934bc39aca24a3f3ac5f245f47c5073
SHA512

ce1bc4e2e2269a3782327958f357838e1e161871c7d0b95b55ba4b17dbe762c46ba98b8dd91c35f57622f8e7512e64a385d3c2a3cbcc19fdffe94d0d3658ac5e

Score

10^/10

asyncrat formbook rat spyware stealer suricata trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

podzeye.duckdns.org:4422

podzeye.duckdns.org:4442

podzeye.duckdns.org:4433

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
KqmHiqpKk2CuoxPCgGYf22Qi6oqCTMfJ
anti_detection
false
autorun
false
bdos
false
delay
Default
host
podzeye.duckdns.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
4422,4442,4433
version
0.5.7B

aes.plain

Extracted

Family

formbook

Version

4.1

C2

http://www.hometowncashbuyersgroup.com/kkt/

Decoy

inspirafutebol.com

customgiftshouston.com

mycreativelending.com

psplaystore.com

newlivingsolutionshop.com

dechefamsterdam.com

servicingl0ans.com

atsdholdings.com

manifestarz.com

sequenceanalytica.com

gethealthcaresmart.com

theartofsurprises.com

pirateequitypatrick.com

alliance-ce.com

wingrushusa.com

funtimespheres.com

solevux.com

antimasathya.com

profitexcavator.com

lankeboxshop.com

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2484-154-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/2484-155-0x000000000040C73E-mapping.dmp	asyncrat

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/3540-121-0x0000000003290000-0x000000000329B000-memory.dmp	CustAttr

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3508-167-0x000000000041EBD0-mapping.dmp	formbook
behavioral2/memory/3508-166-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/1912-175-0x0000000000B30000-0x0000000000B5E000-memory.dmp	formbook

Executes dropped EXE 4 IoCs

Processes:

rabwnZTK6eR3mtJ.exe6molUfaaYOUHEjk.exerabwnZTK6eR3mtJ.exe6molUfaaYOUHEjk.exe

pid process

2764 rabwnZTK6eR3mtJ.exe
3848 6molUfaaYOUHEjk.exe
2484 rabwnZTK6eR3mtJ.exe
3508 6molUfaaYOUHEjk.exe

pid	process
2764	rabwnZTK6eR3mtJ.exe
3848	6molUfaaYOUHEjk.exe
2484	rabwnZTK6eR3mtJ.exe
3508	6molUfaaYOUHEjk.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

IMAGE00037.exerabwnZTK6eR3mtJ.exe6molUfaaYOUHEjk.exe6molUfaaYOUHEjk.execolorcpl.exe

description	pid	process	target process
PID 3540 set thread context of 3104	3540	IMAGE00037.exe	IMAGE00037.exe
PID 2764 set thread context of 2484	2764	rabwnZTK6eR3mtJ.exe	rabwnZTK6eR3mtJ.exe
PID 3848 set thread context of 3508	3848	6molUfaaYOUHEjk.exe	6molUfaaYOUHEjk.exe
PID 3508 set thread context of 2756	3508	6molUfaaYOUHEjk.exe	Explorer.EXE
PID 1912 set thread context of 2756	1912	colorcpl.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3804 schtasks.exe

pid	process
3804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

IMAGE00037.exe6molUfaaYOUHEjk.execolorcpl.exe

pid	process
3540	IMAGE00037.exe
3540	IMAGE00037.exe
3508	6molUfaaYOUHEjk.exe
3508	6molUfaaYOUHEjk.exe
3508	6molUfaaYOUHEjk.exe
3508	6molUfaaYOUHEjk.exe
1912	colorcpl.exe
1912	colorcpl.exe
1912	colorcpl.exe
1912	colorcpl.exe
1912	colorcpl.exe
1912	colorcpl.exe
1912	colorcpl.exe
1912	colorcpl.exe
1912	colorcpl.exe
1912	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

6molUfaaYOUHEjk.execolorcpl.exe

pid process

3508 6molUfaaYOUHEjk.exe
3508 6molUfaaYOUHEjk.exe
3508 6molUfaaYOUHEjk.exe
1912 colorcpl.exe
1912 colorcpl.exe

pid	process
3508	6molUfaaYOUHEjk.exe
3508	6molUfaaYOUHEjk.exe
3508	6molUfaaYOUHEjk.exe
1912	colorcpl.exe
1912	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

IMAGE00037.exerabwnZTK6eR3mtJ.exerabwnZTK6eR3mtJ.exe6molUfaaYOUHEjk.execolorcpl.exe

description	pid	process
Token: SeDebugPrivilege	3540	IMAGE00037.exe
Token: SeDebugPrivilege	2764	rabwnZTK6eR3mtJ.exe
Token: SeDebugPrivilege	2484	rabwnZTK6eR3mtJ.exe
Token: SeDebugPrivilege	3508	6molUfaaYOUHEjk.exe
Token: SeDebugPrivilege	1912	colorcpl.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IMAGE00037.exe

pid process

3104 IMAGE00037.exe

pid	process
3104	IMAGE00037.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

IMAGE00037.exeIMAGE00037.exerabwnZTK6eR3mtJ.exe6molUfaaYOUHEjk.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 3540 wrote to memory of 1468	3540	IMAGE00037.exe	IMAGE00037.exe
PID 3540 wrote to memory of 1468	3540	IMAGE00037.exe	IMAGE00037.exe
PID 3540 wrote to memory of 1468	3540	IMAGE00037.exe	IMAGE00037.exe
PID 3540 wrote to memory of 3104	3540	IMAGE00037.exe	IMAGE00037.exe
PID 3540 wrote to memory of 3104	3540	IMAGE00037.exe	IMAGE00037.exe
PID 3540 wrote to memory of 3104	3540	IMAGE00037.exe	IMAGE00037.exe
PID 3540 wrote to memory of 3104	3540	IMAGE00037.exe	IMAGE00037.exe
PID 3540 wrote to memory of 3104	3540	IMAGE00037.exe	IMAGE00037.exe
PID 3540 wrote to memory of 3104	3540	IMAGE00037.exe	IMAGE00037.exe
PID 3540 wrote to memory of 3104	3540	IMAGE00037.exe	IMAGE00037.exe
PID 3104 wrote to memory of 2764	3104	IMAGE00037.exe	rabwnZTK6eR3mtJ.exe
PID 3104 wrote to memory of 2764	3104	IMAGE00037.exe	rabwnZTK6eR3mtJ.exe
PID 3104 wrote to memory of 2764	3104	IMAGE00037.exe	rabwnZTK6eR3mtJ.exe
PID 3104 wrote to memory of 3848	3104	IMAGE00037.exe	6molUfaaYOUHEjk.exe
PID 3104 wrote to memory of 3848	3104	IMAGE00037.exe	6molUfaaYOUHEjk.exe
PID 3104 wrote to memory of 3848	3104	IMAGE00037.exe	6molUfaaYOUHEjk.exe
PID 2764 wrote to memory of 3804	2764	rabwnZTK6eR3mtJ.exe	schtasks.exe
PID 2764 wrote to memory of 3804	2764	rabwnZTK6eR3mtJ.exe	schtasks.exe
PID 2764 wrote to memory of 3804	2764	rabwnZTK6eR3mtJ.exe	schtasks.exe
PID 2764 wrote to memory of 2484	2764	rabwnZTK6eR3mtJ.exe	rabwnZTK6eR3mtJ.exe
PID 2764 wrote to memory of 2484	2764	rabwnZTK6eR3mtJ.exe	rabwnZTK6eR3mtJ.exe
PID 2764 wrote to memory of 2484	2764	rabwnZTK6eR3mtJ.exe	rabwnZTK6eR3mtJ.exe
PID 2764 wrote to memory of 2484	2764	rabwnZTK6eR3mtJ.exe	rabwnZTK6eR3mtJ.exe
PID 2764 wrote to memory of 2484	2764	rabwnZTK6eR3mtJ.exe	rabwnZTK6eR3mtJ.exe
PID 2764 wrote to memory of 2484	2764	rabwnZTK6eR3mtJ.exe	rabwnZTK6eR3mtJ.exe
PID 2764 wrote to memory of 2484	2764	rabwnZTK6eR3mtJ.exe	rabwnZTK6eR3mtJ.exe
PID 2764 wrote to memory of 2484	2764	rabwnZTK6eR3mtJ.exe	rabwnZTK6eR3mtJ.exe
PID 3848 wrote to memory of 3508	3848	6molUfaaYOUHEjk.exe	6molUfaaYOUHEjk.exe
PID 3848 wrote to memory of 3508	3848	6molUfaaYOUHEjk.exe	6molUfaaYOUHEjk.exe
PID 3848 wrote to memory of 3508	3848	6molUfaaYOUHEjk.exe	6molUfaaYOUHEjk.exe
PID 3848 wrote to memory of 3508	3848	6molUfaaYOUHEjk.exe	6molUfaaYOUHEjk.exe
PID 3848 wrote to memory of 3508	3848	6molUfaaYOUHEjk.exe	6molUfaaYOUHEjk.exe
PID 3848 wrote to memory of 3508	3848	6molUfaaYOUHEjk.exe	6molUfaaYOUHEjk.exe
PID 2756 wrote to memory of 1912	2756	Explorer.EXE	colorcpl.exe
PID 2756 wrote to memory of 1912	2756	Explorer.EXE	colorcpl.exe
PID 2756 wrote to memory of 1912	2756	Explorer.EXE	colorcpl.exe
PID 1912 wrote to memory of 1616	1912	colorcpl.exe	cmd.exe
PID 1912 wrote to memory of 1616	1912	colorcpl.exe	cmd.exe
PID 1912 wrote to memory of 1616	1912	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\IMAGE00037.exe
"C:\Users\Admin\AppData\Local\Temp\IMAGE00037.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540

C:\Users\Admin\AppData\Local\Temp\IMAGE00037.exe
"C:\Users\Admin\AppData\Local\Temp\IMAGE00037.exe"
3⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\IMAGE00037.exe
"C:\Users\Admin\AppData\Local\Temp\IMAGE00037.exe"
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3104

C:\Users\Admin\AppData\Local\Temp\rabwnZTK6eR3mtJ.exe
"C:\Users\Admin\AppData\Local\Temp\rabwnZTK6eR3mtJ.exe" 0
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eYhwPQL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A2.tmp"
5⤵
- Creates scheduled task(s)
PID:3804

C:\Users\Admin\AppData\Local\Temp\rabwnZTK6eR3mtJ.exe
"C:\Users\Admin\AppData\Local\Temp\rabwnZTK6eR3mtJ.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\AppData\Local\Temp\6molUfaaYOUHEjk.exe
"C:\Users\Admin\AppData\Local\Temp\6molUfaaYOUHEjk.exe" 0
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Local\Temp\6molUfaaYOUHEjk.exe
"C:\Users\Admin\AppData\Local\Temp\6molUfaaYOUHEjk.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\6molUfaaYOUHEjk.exe"
3⤵
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rabwnZTK6eR3mtJ.exe.log
MD5
c3cc52ccca9ff2b6fa8d267fc350ca6b

SHA1
a68d4028333296d222e4afd75dea36fdc98d05f3

SHA256
3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

SHA512
b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6molUfaaYOUHEjk.exe
MD5
fae4eb97ef670e17d1dfd5def02055d7

SHA1
5b3d7e28242ca089aedde236dbb5982107422ede

SHA256
5861ee83ca80dbfd549f2d8132c317020de7d070c5cf965518c552656fd54d7c

SHA512
a0bf8a418435214338969291120a56ed314ca50eafaea1954a8aa35374bbf83f0a2f764c5cde8e006a3587b3ae1536381d4f81f03963f019fa7a66cf8c476b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6molUfaaYOUHEjk.exe
MD5
fae4eb97ef670e17d1dfd5def02055d7

SHA1
5b3d7e28242ca089aedde236dbb5982107422ede

SHA256
5861ee83ca80dbfd549f2d8132c317020de7d070c5cf965518c552656fd54d7c

SHA512
a0bf8a418435214338969291120a56ed314ca50eafaea1954a8aa35374bbf83f0a2f764c5cde8e006a3587b3ae1536381d4f81f03963f019fa7a66cf8c476b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6molUfaaYOUHEjk.exe
MD5
fae4eb97ef670e17d1dfd5def02055d7

SHA1
5b3d7e28242ca089aedde236dbb5982107422ede

SHA256
5861ee83ca80dbfd549f2d8132c317020de7d070c5cf965518c552656fd54d7c

SHA512
a0bf8a418435214338969291120a56ed314ca50eafaea1954a8aa35374bbf83f0a2f764c5cde8e006a3587b3ae1536381d4f81f03963f019fa7a66cf8c476b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rabwnZTK6eR3mtJ.exe
MD5
fd1915351b866de1d53e9460d2d0b5cd

SHA1
1eb9cf61e9a7799ac3635c3040899a043c08e0c1

SHA256
b3040213159633a30e364d15cead228ab5ae84c1c8322d8a323bc77170a20acd

SHA512
0947cbbadcb7b2fbab3dad67ca900246a74e38b7db4bc5f3f440fa694e2a2102daac25aad362f97d11c3d7ecc78d6890da918e1f5533b2db78bc70e404581c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rabwnZTK6eR3mtJ.exe
MD5
fd1915351b866de1d53e9460d2d0b5cd

SHA1
1eb9cf61e9a7799ac3635c3040899a043c08e0c1

SHA256
b3040213159633a30e364d15cead228ab5ae84c1c8322d8a323bc77170a20acd

SHA512
0947cbbadcb7b2fbab3dad67ca900246a74e38b7db4bc5f3f440fa694e2a2102daac25aad362f97d11c3d7ecc78d6890da918e1f5533b2db78bc70e404581c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rabwnZTK6eR3mtJ.exe
MD5
fd1915351b866de1d53e9460d2d0b5cd

SHA1
1eb9cf61e9a7799ac3635c3040899a043c08e0c1

SHA256
b3040213159633a30e364d15cead228ab5ae84c1c8322d8a323bc77170a20acd

SHA512
0947cbbadcb7b2fbab3dad67ca900246a74e38b7db4bc5f3f440fa694e2a2102daac25aad362f97d11c3d7ecc78d6890da918e1f5533b2db78bc70e404581c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A2.tmp
MD5
3c97ef31e83bdbc62f2f161773044ffa

SHA1
a6b426ae331abfc0dfd3c71a9010d7944b482387

SHA256
4aefb887981737bf05f336110f364c0b5100d1c17e0904dc093d877231e1c664

SHA512
03ea0879179d2c77ba3f306a79a1131e22158c1fbf0036f8a751ebcc612c5caf46fa9498c2bc985bc91077c815eec460b91b93c4e22c24e2e6ee29efa1661b2c

Download Submit
memory/1616-174-0x0000000000000000-mapping.dmp

Download
memory/1912-176-0x0000000004BF0000-0x0000000004F10000-memory.dmp

Filesize
3.1MB

Download
memory/1912-172-0x0000000000000000-mapping.dmp

Download
memory/1912-173-0x0000000000BE0000-0x0000000000BF9000-memory.dmp

Filesize
100KB

Download
memory/1912-175-0x0000000000B30000-0x0000000000B5E000-memory.dmp

Filesize
184KB

Download
memory/1912-177-0x0000000004F10000-0x0000000004FA3000-memory.dmp

Filesize
588KB

Download
memory/2484-165-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/2484-162-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/2484-155-0x000000000040C73E-mapping.dmp

Download
memory/2484-154-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2756-171-0x00000000026D0000-0x00000000027AF000-memory.dmp

Filesize
892KB

Download
memory/2756-178-0x0000000005E80000-0x0000000005F26000-memory.dmp

Filesize
664KB

Download
memory/2764-151-0x0000000006CA0000-0x0000000006CB3000-memory.dmp

Filesize
76KB

Download
memory/2764-133-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2764-150-0x0000000006C30000-0x0000000006C88000-memory.dmp

Filesize
352KB

Download
memory/2764-146-0x0000000004E70000-0x000000000536E000-memory.dmp

Filesize
5.0MB

Download
memory/2764-128-0x0000000000000000-mapping.dmp

Download
memory/3104-124-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/3104-125-0x000000000040104C-mapping.dmp

Download
memory/3508-167-0x000000000041EBD0-mapping.dmp

Download
memory/3508-166-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3508-169-0x0000000001040000-0x0000000001360000-memory.dmp

Filesize
3.1MB

Download
memory/3508-170-0x0000000000BC0000-0x0000000000BD4000-memory.dmp

Filesize
80KB

Download
memory/3540-121-0x0000000003290000-0x000000000329B000-memory.dmp

Filesize
44KB

Download
memory/3540-123-0x0000000009C60000-0x0000000009DAE000-memory.dmp

Filesize
1.3MB

Download
memory/3540-116-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

Filesize
4KB

Download
memory/3540-117-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/3540-114-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/3540-118-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/3540-119-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/3540-120-0x00000000059C0000-0x0000000005EBE000-memory.dmp

Filesize
5.0MB

Download
memory/3540-122-0x00000000099F0000-0x0000000009B83000-memory.dmp

Filesize
1.6MB

Download
memory/3804-152-0x0000000000000000-mapping.dmp

Download
memory/3848-131-0x0000000000000000-mapping.dmp

Download
memory/3848-147-0x0000000004A30000-0x0000000004F2E000-memory.dmp

Filesize
5.0MB

Download
memory/3848-160-0x0000000008140000-0x00000000081BA000-memory.dmp

Filesize
488KB

Download
memory/3848-161-0x00000000081D0000-0x0000000008205000-memory.dmp

Filesize
212KB

Download
memory/3848-136-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads