Behavioral Report

General

Target

BL. NO. ANSMUNDAR3621.exe
Size

343KB
MD5

6e313f49084c58fcd006489103bac31a
SHA1

cfb76b45950b867da23054c1df26ce8e7a3f8274
SHA256

408e8ea1cbe31a44e822f1673cbfbe79dbd2938a1e449e61a661c1cceda8f322
SHA512

e75348da00f0e5d3089a38f8400b18cee22a057f6dc7da3068e49875d024e8512e90b9bdeaad3f866b4dfd0388b72952a4fbdb0a78c845cebaf4f253de1be2a2

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

185.222.57.71:00783

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1372-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1372-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1372-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1372-66-0x000000000040C70E-mapping.dmp	asyncrat
behavioral1/memory/1372-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

BL. NO. ANSMUNDAR3621.exe

description pid process target process

PID 1636 set thread context of 1372 1636 BL. NO. ANSMUNDAR3621.exe RegSvcs.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

BL. NO. ANSMUNDAR3621.exe

pid process

1636 BL. NO. ANSMUNDAR3621.exe
1636 BL. NO. ANSMUNDAR3621.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BL. NO. ANSMUNDAR3621.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 1636 BL. NO. ANSMUNDAR3621.exe
Token: SeDebugPrivilege 1372 RegSvcs.exe

description	pid	process	target process
PID 1636 set thread context of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe

pid	process
1636	BL. NO. ANSMUNDAR3621.exe
1636	BL. NO. ANSMUNDAR3621.exe

description	pid	process
Token: SeDebugPrivilege	1636	BL. NO. ANSMUNDAR3621.exe
Token: SeDebugPrivilege	1372	RegSvcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

BL. NO. ANSMUNDAR3621.exe

description	pid	process	target process
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe
PID 1636 wrote to memory of 1372	1636	BL. NO. ANSMUNDAR3621.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe

"C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe"

Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Suspicious use of AdjustPrivilegeToken

PID:1372

Network

MITRE ATT&CK Matrix

Replay Monitor

00:00 00:00

Downloads

memory/1372-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-66-0x000000000040C70E-mapping.dmp

Download
memory/1372-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1372-70-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1636-57-0x0000000076081000-0x0000000076083000-memory.dmp

Filesize
8KB

Download
memory/1636-58-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1636-59-0x0000000000430000-0x0000000000437000-memory.dmp

Filesize
28KB

Download
memory/1636-60-0x0000000000B00000-0x0000000000B2D000-memory.dmp

Filesize
180KB

Download
memory/1636-55-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing