asyncrat | ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42

General

Target

ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
Size

47KB
MD5

eb847438f988c2a2d52bcf0f0b439980
SHA1

4290e8776f135b3f768f0ef219a41f40d58f96e6
SHA256

ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42
SHA512

9375dda41cd1076e2f86c82989dc939311293cf634676d2550fcad0b27d721248f1176a56b0b853253cb12c1c201065123557426e739160fc5c985a69267c935

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:8848

127.0.0.1:54842

chromeclusterspectr.ddns.net:8848

chromeclusterspectr.ddns.net:54842

Mutex

clsprmtxspectr

Attributes

anti_vm
false
bsod
false
delay
1
install
true
install_file
Chrome.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Chrome.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Chrome.exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Chrome.exe

pid process

1248 Chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3756 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3188 timeout.exe

pid	process
1248	Chrome.exe

pid	process
3756	schtasks.exe

pid	process
3188	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe

pid	process
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exeChrome.exe

description	pid	process
Token: SeDebugPrivilege	804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
Token: SeDebugPrivilege	1248	Chrome.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.execmd.execmd.exe

description	pid	process	target process
PID 804 wrote to memory of 3160	804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe	cmd.exe
PID 804 wrote to memory of 3160	804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe	cmd.exe
PID 804 wrote to memory of 4084	804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe	cmd.exe
PID 804 wrote to memory of 4084	804	ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe	cmd.exe
PID 4084 wrote to memory of 3188	4084	cmd.exe	timeout.exe
PID 4084 wrote to memory of 3188	4084	cmd.exe	timeout.exe
PID 3160 wrote to memory of 3756	3160	cmd.exe	schtasks.exe
PID 3160 wrote to memory of 3756	3160	cmd.exe	schtasks.exe
PID 4084 wrote to memory of 1248	4084	cmd.exe	Chrome.exe
PID 4084 wrote to memory of 1248	4084	cmd.exe	Chrome.exe

C:\Users\Admin\AppData\Local\Temp\ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe
"C:\Users\Admin\AppData\Local\Temp\ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:3756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp986.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3188
- - C:\Users\Admin\AppData\Roaming\Chrome.exe
    "C:\Users\Admin\AppData\Roaming\Chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp986.tmp.bat

MD5
8382adedfda80135a74b0cc623d61107

SHA1
441c1acb071bd8fbfe178bf0f4d1f20fc91e7988

SHA256
494baf4aadcdcff06635a17b48c479a938adb21d9b4482f82b8b9ed7424b1d45

SHA512
6d86d3ef55f3589c0815e544ce00494fad915b98d0b342949527df49d5968e6b19972ec50e6edd99c68557d268e1abb7fbc81ccfafa974205f0ecc6306093ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome.exe

MD5
eb847438f988c2a2d52bcf0f0b439980

SHA1
4290e8776f135b3f768f0ef219a41f40d58f96e6

SHA256
ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42

SHA512
9375dda41cd1076e2f86c82989dc939311293cf634676d2550fcad0b27d721248f1176a56b0b853253cb12c1c201065123557426e739160fc5c985a69267c935

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome.exe

MD5
eb847438f988c2a2d52bcf0f0b439980

SHA1
4290e8776f135b3f768f0ef219a41f40d58f96e6

SHA256
ecfaef9e7fc7c83be8beedfcbef268c3d5a91a904ed211fa553c9e9b6aaa9c42

SHA512
9375dda41cd1076e2f86c82989dc939311293cf634676d2550fcad0b27d721248f1176a56b0b853253cb12c1c201065123557426e739160fc5c985a69267c935

Download Submit
memory/804-114-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/804-116-0x000000001B6C0000-0x000000001B6C2000-memory.dmp

Filesize
8KB

Download
memory/1248-122-0x0000000000000000-mapping.dmp

Download
memory/1248-127-0x000000001B4B0000-0x000000001B4B2000-memory.dmp

Filesize
8KB

Download
memory/3160-117-0x0000000000000000-mapping.dmp

Download
memory/3188-120-0x0000000000000000-mapping.dmp

Download
memory/3756-121-0x0000000000000000-mapping.dmp

Download
memory/4084-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads