asyncrat | c2ec0a1d7984be0fb24004369eca5bed7882ce5fe9e3cad45511f3eb30d4fe24

General

Target

BL_3409876544LDZ.exe
Size

675KB
MD5

728701a50def94c4af432a8a1f1b44ea
SHA1

b7c4429595cb3c7a7490b7d8baafacf44be13120
SHA256

c2ec0a1d7984be0fb24004369eca5bed7882ce5fe9e3cad45511f3eb30d4fe24
SHA512

c097e9f8b87b97bc905051f2b36b418948696e904db66ecc67f8d850d52a55541e030b95d32b1b3cdd0c93db24eeb46cca223fce92aea984df2c023d513726a8

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

185.222.58.154:06275

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
20
install
false
install_file
invoice.pdf.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1548-71-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1548-70-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1548-72-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1548-73-0x000000000040C73E-mapping.dmp	asyncrat
behavioral1/memory/1548-74-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

BL_3409876544LDZ.exe

description pid process target process

PID 2000 set thread context of 1548 2000 BL_3409876544LDZ.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

832 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

BL_3409876544LDZ.exe

pid process

2000 BL_3409876544LDZ.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BL_3409876544LDZ.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 2000 BL_3409876544LDZ.exe
Token: SeDebugPrivilege 1548 RegSvcs.exe

description	pid	process	target process
PID 2000 set thread context of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe

pid	process
832	schtasks.exe

pid	process
2000	BL_3409876544LDZ.exe

description	pid	process
Token: SeDebugPrivilege	2000	BL_3409876544LDZ.exe
Token: SeDebugPrivilege	1548	RegSvcs.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

BL_3409876544LDZ.exe

description	pid	process	target process
PID 2000 wrote to memory of 832	2000	BL_3409876544LDZ.exe	schtasks.exe
PID 2000 wrote to memory of 832	2000	BL_3409876544LDZ.exe	schtasks.exe
PID 2000 wrote to memory of 832	2000	BL_3409876544LDZ.exe	schtasks.exe
PID 2000 wrote to memory of 832	2000	BL_3409876544LDZ.exe	schtasks.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe
PID 2000 wrote to memory of 1548	2000	BL_3409876544LDZ.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\BL_3409876544LDZ.exe
"C:\Users\Admin\AppData\Local\Temp\BL_3409876544LDZ.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LXjAVgwIFQq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp62D8.tmp"
2⤵
- Creates scheduled task(s)
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp62D8.tmp
MD5
33e67661785d99a631faa0f3d7d4d237

SHA1
0d65b16954067e6eb68600ba5670a758bb54a310

SHA256
44748f7fbb7b0347f487eef8c971c0fdc923dfb48c9a1338aca1a667cd288cf8

SHA512
de6b8e91b13512add615815ad49c355da71ea6134eb25a928006e48e77580ccf877562347652cc17e00e001eb0d4eef78bab09ba9df368aafd9af1fa96058c0b

Download Submit
memory/832-66-0x0000000000000000-mapping.dmp

Download
memory/1548-73-0x000000000040C73E-mapping.dmp

Download
memory/1548-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1548-77-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/1548-76-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1548-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1548-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1548-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1548-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1548-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2000-62-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/2000-60-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2000-64-0x0000000004CE0000-0x0000000004D40000-memory.dmp

Filesize
384KB

Download
memory/2000-63-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2000-65-0x00000000005F0000-0x00000000005FD000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads