asyncrat | 0ca4b3b694d6b317ab8df7c8f63198c7d696b9c238af5b9d83074670f4ed384b

General

Target

15a5548e976f9a8ffad4c6eb397cf52d.exe
Size

253KB
MD5

15a5548e976f9a8ffad4c6eb397cf52d
SHA1

a2b8e4e54cdc9b4f4565674cce538734288f82e5
SHA256

0ca4b3b694d6b317ab8df7c8f63198c7d696b9c238af5b9d83074670f4ed384b
SHA512

0f62e13137cae54313fe7acfafa8ac3166ddd58589102847e5df3e55830992a355c5cda4a5c891580f6e513242fc89b4458e19d58262fb3fbac3d0f92fbdd9b0

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

dgrthdg.duckdns.org:1884

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_file
chrome.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/520-122-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/520-123-0x000000000040C74E-mapping.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

InstallUtil.exe

pid process

520 InstallUtil.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

15a5548e976f9a8ffad4c6eb397cf52d.exe

description pid process target process

PID 4060 set thread context of 520 4060 15a5548e976f9a8ffad4c6eb397cf52d.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
520	InstallUtil.exe

description	pid	process	target process
PID 4060 set thread context of 520	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	InstallUtil.exe

Modifies registry class 1 IoCs

Processes:

15a5548e976f9a8ffad4c6eb397cf52d.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	15a5548e976f9a8ffad4c6eb397cf52d.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

15a5548e976f9a8ffad4c6eb397cf52d.exepowershell.exe

pid process

4060 15a5548e976f9a8ffad4c6eb397cf52d.exe
4060 15a5548e976f9a8ffad4c6eb397cf52d.exe
1008 powershell.exe
1008 powershell.exe
1008 powershell.exe

pid	process
4060	15a5548e976f9a8ffad4c6eb397cf52d.exe
4060	15a5548e976f9a8ffad4c6eb397cf52d.exe
1008	powershell.exe
1008	powershell.exe
1008	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

15a5548e976f9a8ffad4c6eb397cf52d.exepowershell.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	520	InstallUtil.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

15a5548e976f9a8ffad4c6eb397cf52d.exeWScript.exe

description	pid	process	target process
PID 4060 wrote to memory of 4716	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	WScript.exe
PID 4060 wrote to memory of 4716	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	WScript.exe
PID 4060 wrote to memory of 4716	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	WScript.exe
PID 4060 wrote to memory of 520	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	InstallUtil.exe
PID 4060 wrote to memory of 520	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	InstallUtil.exe
PID 4060 wrote to memory of 520	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	InstallUtil.exe
PID 4060 wrote to memory of 520	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	InstallUtil.exe
PID 4060 wrote to memory of 520	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	InstallUtil.exe
PID 4060 wrote to memory of 520	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	InstallUtil.exe
PID 4060 wrote to memory of 520	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	InstallUtil.exe
PID 4060 wrote to memory of 520	4060	15a5548e976f9a8ffad4c6eb397cf52d.exe	InstallUtil.exe
PID 4716 wrote to memory of 1008	4716	WScript.exe	powershell.exe
PID 4716 wrote to memory of 1008	4716	WScript.exe	powershell.exe
PID 4716 wrote to memory of 1008	4716	WScript.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\15a5548e976f9a8ffad4c6eb397cf52d.exe
"C:\Users\Admin\AppData\Local\Temp\15a5548e976f9a8ffad4c6eb397cf52d.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Iotqmhyqaibqqffzysgbm.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Downloads\iobituninstaller.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:520

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Iotqmhyqaibqqffzysgbm.vbs
MD5
5688b2eb801a351378401ff15237c20f

SHA1
5cbf0e609ac127d8d4bcdff972cdc61a310b702a

SHA256
fcd85a624694b7643dfa007fcff9d14c0fa18b311a9add2cabf6d8f81541b3ce

SHA512
d5a72caed29e8c362770d131a139d2c143d5b898f25b04d56b76f1ebec206faaebbd2343407e6d7204665f7e1986b7a3861b31d7859208b6979094e387775dba

Download Submit
memory/520-122-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/520-147-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/520-123-0x000000000040C74E-mapping.dmp

Download
memory/1008-134-0x00000000069B2000-0x00000000069B3000-memory.dmp

Filesize
4KB

Download
memory/1008-137-0x0000000006E90000-0x0000000006E91000-memory.dmp

Filesize
4KB

Download
memory/1008-174-0x00000000069B6000-0x00000000069B8000-memory.dmp

Filesize
8KB

Download
memory/1008-172-0x00000000069B3000-0x00000000069B4000-memory.dmp

Filesize
4KB

Download
memory/1008-128-0x0000000000000000-mapping.dmp

Download
memory/1008-130-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1008-129-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1008-131-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1008-132-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/1008-133-0x00000000069B0000-0x00000000069B1000-memory.dmp

Filesize
4KB

Download
memory/1008-170-0x000000007F860000-0x000000007F861000-memory.dmp

Filesize
4KB

Download
memory/1008-135-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/1008-136-0x0000000006E20000-0x0000000006E21000-memory.dmp

Filesize
4KB

Download
memory/1008-163-0x0000000008F30000-0x0000000008F31000-memory.dmp

Filesize
4KB

Download
memory/1008-138-0x0000000007620000-0x0000000007621000-memory.dmp

Filesize
4KB

Download
memory/1008-139-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/1008-140-0x0000000007B60000-0x0000000007B61000-memory.dmp

Filesize
4KB

Download
memory/1008-141-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/1008-142-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1008-162-0x0000000008D60000-0x0000000008D61000-memory.dmp

Filesize
4KB

Download
memory/1008-150-0x0000000008A10000-0x0000000008A43000-memory.dmp

Filesize
204KB

Download
memory/1008-157-0x00000000089F0000-0x00000000089F1000-memory.dmp

Filesize
4KB

Download
memory/4060-117-0x0000000004C00000-0x0000000004C3A000-memory.dmp

Filesize
232KB

Download
memory/4060-121-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/4060-115-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/4060-118-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/4716-119-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads