asyncrat | 3b599cc4dbedac85f9d2e5e4f1b96110f05835bbdfb0c01a84bdaaec79885a19

General

Target

3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
Size

48KB
MD5

852b69a95f1ae83d9142fced3450977b
SHA1

a48b15998be1e979530994675da17566d1769769
SHA256

3b599cc4dbedac85f9d2e5e4f1b96110f05835bbdfb0c01a84bdaaec79885a19
SHA512

23b4602cbcd8abd3c78953e07301daaaaa5e7ff2ea1abba28cecfecd3e6522f0a31a97f7b537c98d2a3a00671b8c9b1d06d0b9e63f9e8359a9395081f1d2f8c9

Score

10^/10

asyncrat rat suricata

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Gruop.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Gruop.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Gruop.exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Gruop.exe

pid process

1876 Gruop.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1592 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1700 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1608 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe

pid process

848 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
848 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exeGruop.exe

description pid process

Token: SeDebugPrivilege 848 3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
Token: SeDebugPrivilege 1876 Gruop.exe

pid	process
1876	Gruop.exe

pid	process
1592	cmd.exe

pid	process
1700	schtasks.exe

pid	process
1608	timeout.exe

pid	process
848	3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
848	3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe

description	pid	process
Token: SeDebugPrivilege	848	3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
Token: SeDebugPrivilege	1876	Gruop.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.execmd.execmd.exe

description	pid	process	target process
PID 848 wrote to memory of 1644	848	3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe	cmd.exe
PID 848 wrote to memory of 1644	848	3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe	cmd.exe
PID 848 wrote to memory of 1644	848	3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe	cmd.exe
PID 848 wrote to memory of 1644	848	3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe	cmd.exe
PID 848 wrote to memory of 1592	848	3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe	cmd.exe
PID 848 wrote to memory of 1592	848	3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe	cmd.exe
PID 848 wrote to memory of 1592	848	3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe	cmd.exe
PID 848 wrote to memory of 1592	848	3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe	cmd.exe
PID 1644 wrote to memory of 1700	1644	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 1700	1644	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 1700	1644	cmd.exe	schtasks.exe
PID 1644 wrote to memory of 1700	1644	cmd.exe	schtasks.exe
PID 1592 wrote to memory of 1608	1592	cmd.exe	timeout.exe
PID 1592 wrote to memory of 1608	1592	cmd.exe	timeout.exe
PID 1592 wrote to memory of 1608	1592	cmd.exe	timeout.exe
PID 1592 wrote to memory of 1608	1592	cmd.exe	timeout.exe
PID 1592 wrote to memory of 1876	1592	cmd.exe	Gruop.exe
PID 1592 wrote to memory of 1876	1592	cmd.exe	Gruop.exe
PID 1592 wrote to memory of 1876	1592	cmd.exe	Gruop.exe
PID 1592 wrote to memory of 1876	1592	cmd.exe	Gruop.exe

C:\Users\Admin\AppData\Local\Temp\3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe
"C:\Users\Admin\AppData\Local\Temp\3B599CC4DBEDAC85F9D2E5E4F1B96110F05835BBDFB0C.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Gruop" /tr '"C:\Users\Admin\AppData\Roaming\Gruop.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Gruop" /tr '"C:\Users\Admin\AppData\Roaming\Gruop.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBB23.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1608
- - C:\Users\Admin\AppData\Roaming\Gruop.exe
    "C:\Users\Admin\AppData\Roaming\Gruop.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBB23.tmp.bat

MD5
383528f156b9b1a25560a09fd0b5b96b

SHA1
fd9a2abb0c8fb57a0e805483a9f1cbfb28847279

SHA256
036cb1cea22844d4eb104697b1b1e100bc71f8a4e07a82dd8eb4eb84fa5a9fd5

SHA512
0c7b299f8a4ce966a73d531043f5bbfa9eac53eafc724aa604c4555fcabad461d5db123b94970417272ff0bc00fa00a9c921660ca6b8da82d78b48723aa6bb6d

Download Submit
C:\Users\Admin\AppData\Roaming\Gruop.exe

MD5
852b69a95f1ae83d9142fced3450977b

SHA1
a48b15998be1e979530994675da17566d1769769

SHA256
3b599cc4dbedac85f9d2e5e4f1b96110f05835bbdfb0c01a84bdaaec79885a19

SHA512
23b4602cbcd8abd3c78953e07301daaaaa5e7ff2ea1abba28cecfecd3e6522f0a31a97f7b537c98d2a3a00671b8c9b1d06d0b9e63f9e8359a9395081f1d2f8c9

Download Submit
C:\Users\Admin\AppData\Roaming\Gruop.exe

MD5
852b69a95f1ae83d9142fced3450977b

SHA1
a48b15998be1e979530994675da17566d1769769

SHA256
3b599cc4dbedac85f9d2e5e4f1b96110f05835bbdfb0c01a84bdaaec79885a19

SHA512
23b4602cbcd8abd3c78953e07301daaaaa5e7ff2ea1abba28cecfecd3e6522f0a31a97f7b537c98d2a3a00671b8c9b1d06d0b9e63f9e8359a9395081f1d2f8c9

Download Submit
\Users\Admin\AppData\Roaming\Gruop.exe

MD5
852b69a95f1ae83d9142fced3450977b

SHA1
a48b15998be1e979530994675da17566d1769769

SHA256
3b599cc4dbedac85f9d2e5e4f1b96110f05835bbdfb0c01a84bdaaec79885a19

SHA512
23b4602cbcd8abd3c78953e07301daaaaa5e7ff2ea1abba28cecfecd3e6522f0a31a97f7b537c98d2a3a00671b8c9b1d06d0b9e63f9e8359a9395081f1d2f8c9

Download Submit
memory/848-55-0x0000000074F81000-0x0000000074F83000-memory.dmp

Filesize
8KB

Download
memory/848-56-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/848-53-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1592-58-0x0000000000000000-mapping.dmp

Download
memory/1608-61-0x0000000000000000-mapping.dmp

Download
memory/1644-57-0x0000000000000000-mapping.dmp

Download
memory/1700-60-0x0000000000000000-mapping.dmp

Download
memory/1876-64-0x0000000000000000-mapping.dmp

Download
memory/1876-66-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1876-69-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads