asyncrat | b1b14fd02510b79ea7f4a9a767d3738fc9761ce0b5d8b0ca969912d7942e8a94

General

Target

SKM20212210RFQ00100490100.exe
Size

714KB
MD5

937c3eeb4afc46f15972f8631f098fec
SHA1

b4f162eaca7ea8cca9f0e637ea81a4eb349fef1e
SHA256

b1b14fd02510b79ea7f4a9a767d3738fc9761ce0b5d8b0ca969912d7942e8a94
SHA512

07c0802c6a6e96b3a001ef5144f80260c1d17e8197fca77baadb52c1f3ec62e88d95ab72ba15a2edc70482c0df5c7f8985130ba64c3d98ec778f475da7bf3f63

Score

10^/10

asyncrat default rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

cigdem5.duckdns.org:6606

cigdem5.duckdns.org:7707

cigdem5.duckdns.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3068-125-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/3068-126-0x000000000040C73E-mapping.dmp	asyncrat
behavioral2/memory/3068-134-0x0000000006B20000-0x0000000006B3B000-memory.dmp	asyncrat

Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs

Processes:

SKM20212210RFQ00100490100.exe

pid	process
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SKM20212210RFQ00100490100.exe

description pid process target process

PID 3044 set thread context of 3068 3044 SKM20212210RFQ00100490100.exe SKM20212210RFQ00100490100.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

8 3044 WerFault.exe SKM20212210RFQ00100490100.exe

description	pid	process	target process
PID 3044 set thread context of 3068	3044	SKM20212210RFQ00100490100.exe	SKM20212210RFQ00100490100.exe

pid	pid_target	process	target process
8	3044	WerFault.exe	SKM20212210RFQ00100490100.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

SKM20212210RFQ00100490100.exeWerFault.exeSKM20212210RFQ00100490100.exe

pid	process
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
3044	SKM20212210RFQ00100490100.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
8	WerFault.exe
3068	SKM20212210RFQ00100490100.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

SKM20212210RFQ00100490100.exeWerFault.exeSKM20212210RFQ00100490100.exe

description	pid	process
Token: SeDebugPrivilege	3044	SKM20212210RFQ00100490100.exe
Token: SeRestorePrivilege	8	WerFault.exe
Token: SeBackupPrivilege	8	WerFault.exe
Token: SeDebugPrivilege	8	WerFault.exe
Token: SeDebugPrivilege	3068	SKM20212210RFQ00100490100.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

SKM20212210RFQ00100490100.exeSKM20212210RFQ00100490100.execmd.exe

description	pid	process	target process
PID 3044 wrote to memory of 3068	3044	SKM20212210RFQ00100490100.exe	SKM20212210RFQ00100490100.exe
PID 3044 wrote to memory of 3068	3044	SKM20212210RFQ00100490100.exe	SKM20212210RFQ00100490100.exe
PID 3044 wrote to memory of 3068	3044	SKM20212210RFQ00100490100.exe	SKM20212210RFQ00100490100.exe
PID 3044 wrote to memory of 3068	3044	SKM20212210RFQ00100490100.exe	SKM20212210RFQ00100490100.exe
PID 3044 wrote to memory of 3068	3044	SKM20212210RFQ00100490100.exe	SKM20212210RFQ00100490100.exe
PID 3044 wrote to memory of 3068	3044	SKM20212210RFQ00100490100.exe	SKM20212210RFQ00100490100.exe
PID 3044 wrote to memory of 3068	3044	SKM20212210RFQ00100490100.exe	SKM20212210RFQ00100490100.exe
PID 3044 wrote to memory of 3068	3044	SKM20212210RFQ00100490100.exe	SKM20212210RFQ00100490100.exe
PID 3068 wrote to memory of 1360	3068	SKM20212210RFQ00100490100.exe	cmd.exe
PID 3068 wrote to memory of 1360	3068	SKM20212210RFQ00100490100.exe	cmd.exe
PID 3068 wrote to memory of 1360	3068	SKM20212210RFQ00100490100.exe	cmd.exe
PID 1360 wrote to memory of 2304	1360	cmd.exe	powershell.exe
PID 1360 wrote to memory of 2304	1360	cmd.exe	powershell.exe
PID 1360 wrote to memory of 2304	1360	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\SKM20212210RFQ00100490100.exe
"C:\Users\Admin\AppData\Local\Temp\SKM20212210RFQ00100490100.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\SKM20212210RFQ00100490100.exe
"C:\Users\Admin\AppData\Local\Temp\SKM20212210RFQ00100490100.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\latyqf.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\latyqf.exe"'
4⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1792
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1360-136-0x0000000000000000-mapping.dmp

Download
memory/2304-137-0x0000000000000000-mapping.dmp

Download
memory/3044-117-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/3044-118-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/3044-119-0x00000000015B0000-0x00000000015B3000-memory.dmp

Filesize
12KB

Download
memory/3044-123-0x0000000006060000-0x0000000006082000-memory.dmp

Filesize
136KB

Download
memory/3044-124-0x0000000006600000-0x0000000006601000-memory.dmp

Filesize
4KB

Download
memory/3044-115-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3068-125-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3068-132-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/3068-133-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/3068-134-0x0000000006B20000-0x0000000006B3B000-memory.dmp

Filesize
108KB

Download
memory/3068-135-0x0000000006C20000-0x0000000006C21000-memory.dmp

Filesize
4KB

Download
memory/3068-129-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/3068-126-0x000000000040C73E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads