asyncrat | de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797

General

Target

133c10454108aa86301f79a03aa24046.exe
Size

650KB
MD5

133c10454108aa86301f79a03aa24046
SHA1

21439179cb8700406d57332079ab311d08b0c9bf
SHA256

de0cb500125d733becbdeb53cf7b3f1bace4dc91e54805007718970124ef6797
SHA512

8b2a492a5732c89c2e347270e9b1df4db26b79fefd6feae115b35a22b0851c7973fb0ecc9b6c6187791bf720d71a7b69374d81abf63f0ed73faed4efbee79fbe

Score

10^/10

asyncrat 18 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

18

C2

185.157.160.136:1973

Mutex

df4Rtg34dFjwr

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2420-118-0x000000000040C68E-mapping.dmp	asyncrat
behavioral2/memory/2420-117-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/2420-126-0x0000000002820000-0x000000000283B000-memory.dmp	asyncrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

133c10454108aa86301f79a03aa24046.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	133c10454108aa86301f79a03aa24046.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\cp = "C:\\Users\\Admin\\AppData\\Roaming\\cf\\ct.exe"	133c10454108aa86301f79a03aa24046.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

133c10454108aa86301f79a03aa24046.exe

description pid process target process

PID 2160 set thread context of 2420 2160 133c10454108aa86301f79a03aa24046.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

2420 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegAsm.exe

description pid process

Token: SeDebugPrivilege 2420 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

133c10454108aa86301f79a03aa24046.exe

pid process

2160 133c10454108aa86301f79a03aa24046.exe

description	pid	process	target process
PID 2160 set thread context of 2420	2160	133c10454108aa86301f79a03aa24046.exe	RegAsm.exe

pid	process
2420	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2420	RegAsm.exe

pid	process
2160	133c10454108aa86301f79a03aa24046.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

133c10454108aa86301f79a03aa24046.exeRegAsm.execmd.exe

description	pid	process	target process
PID 2160 wrote to memory of 2420	2160	133c10454108aa86301f79a03aa24046.exe	RegAsm.exe
PID 2160 wrote to memory of 2420	2160	133c10454108aa86301f79a03aa24046.exe	RegAsm.exe
PID 2160 wrote to memory of 2420	2160	133c10454108aa86301f79a03aa24046.exe	RegAsm.exe
PID 2160 wrote to memory of 2420	2160	133c10454108aa86301f79a03aa24046.exe	RegAsm.exe
PID 2160 wrote to memory of 2420	2160	133c10454108aa86301f79a03aa24046.exe	RegAsm.exe
PID 2160 wrote to memory of 2420	2160	133c10454108aa86301f79a03aa24046.exe	RegAsm.exe
PID 2160 wrote to memory of 2420	2160	133c10454108aa86301f79a03aa24046.exe	RegAsm.exe
PID 2160 wrote to memory of 2420	2160	133c10454108aa86301f79a03aa24046.exe	RegAsm.exe
PID 2420 wrote to memory of 2296	2420	RegAsm.exe	cmd.exe
PID 2420 wrote to memory of 2296	2420	RegAsm.exe	cmd.exe
PID 2420 wrote to memory of 2296	2420	RegAsm.exe	cmd.exe
PID 2296 wrote to memory of 1328	2296	cmd.exe	powershell.exe
PID 2296 wrote to memory of 1328	2296	cmd.exe	powershell.exe
PID 2296 wrote to memory of 1328	2296	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\133c10454108aa86301f79a03aa24046.exe
"C:\Users\Admin\AppData\Local\Temp\133c10454108aa86301f79a03aa24046.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hrvlqn.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hrvlqn.exe"'
4⤵
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-129-0x0000000000000000-mapping.dmp

Download
memory/2296-128-0x0000000000000000-mapping.dmp

Download
memory/2420-118-0x000000000040C68E-mapping.dmp

Download
memory/2420-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2420-121-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/2420-122-0x0000000005890000-0x0000000005891000-memory.dmp

Filesize
4KB

Download
memory/2420-123-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/2420-124-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/2420-125-0x00000000068B0000-0x00000000068B1000-memory.dmp

Filesize
4KB

Download
memory/2420-126-0x0000000002820000-0x000000000283B000-memory.dmp

Filesize
108KB

Download
memory/2420-127-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads