asyncrat | 087d0d28b3c59e0ac0d169b4ece9c2a47e9bae93f93638d1ae6578adf2f3f858

General

Target

Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
Size

316KB
MD5

1b07fe1263ba5f1b86b09c9b27c1f4de
SHA1

9d18786ec6506ff4f85e6c7a055828898fd59a27
SHA256

daf842129f0a574f2f5cf1147d40ab8e4596b88b9ef228a4516cef5326f8f1ad
SHA512

730875f1e6914ed2b2dbb585d75db63416c3acaaa02217ecbc4d73b2cd64b0865271492c1a04a483b1d521cd799949efa3a5e17c827b03a0c9ab58624d14e29f

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

fresh01.ddns.net:2245

fresh01.ddns.net:2256

fresh01.ddns.net:2257

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1820-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1820-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1820-69-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1820-70-0x000000000040C74E-mapping.dmp	asyncrat
behavioral1/memory/1820-71-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

Confirmation Transfer Note MT103-Ref No#01018842234595434.exe

description	pid	process	target process
PID 376 set thread context of 1820	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1108 schtasks.exe

pid	process
1108	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Confirmation Transfer Note MT103-Ref No#01018842234595434.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\99FFECFDF3082D3EBA0474CA04B3C21F659B85D9\Blob = 190000000100000010000000ce093238feda33ecec00de7cc6f487350f0000000100000020000000d2575d2f9b18d793a355862720ed072f3868a1097a02ca62e14f44697b0d231503000000010000001400000099ffecfdf3082d3eba0474ca04b3c21f659b85d9140000000100000014000000132735607e1c7112018342ca37a88124ac7f375a2000000001000000f9020000308202f5308201dda003020102021022b40c450622a1fbe8bc5fc171287fdf300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231313032373133303030305a170d3236313032363133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b950b75a5aaf2b3f636ef9de5e378ef10a095d0ba868824e30f918a2863489be523da024a22c04bc89d4b891adcdcc12600f7880a3df5526025fb01d8a8473bd0c7fa3aeedd151bd9b474f1f374ac0c6d2d4b829d60ba1341d657fcc0ee0325e598c62d1dc3f6119b76c891fe00750f11af999839a5c128e1c356118597ef5cd6e1c58adebfced52f1796afe3c89a509008337e60a2f77eb61be45099e0b8b45e297bf773394d06fa281f4498b0ef5b041d9ecad7ae4ff906685a046767a2ea41f1c43615a0e3879dae8ca9c9c7a703dd6a35fa670aae9169508aa4a677387803fd1460874bae89a581afd2eb6aba974050a581116216a054fdfed4aab4c6aad0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414132735607e1c7112018342ca37a88124ac7f375a300d06092a864886f70d01010b050003820101000d50cb320ffd73276b7635a568bd32be8644add949c18226856222675c4078174ae50160cb6d5824bfd5d7a3c4d16a933535c935dcb03a1b7bdae8a48e9063153bfa051ea2273222f9bd2c71e40743aa283c1c314e6d7987fe8d88a5da96bed10db7a78ec7627152cf74263d46222a1be3288fe5dfe26d0ac52bb23f7813e771ba247613d8093d82220f67b41a226b149ee96d989ac566383daaf38293ea29b694a2fae626e52a6ce02cc4ab363e9b560de62cd4875d76f2e2e34fda94095f2d73a8d5d170d827edcc6632c5881f7d2d511f102fa495d74cede362a70e20792770f2742eb0ae360b5a46706e2382414db95b57f607de3efcab4ecd9e259698af	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\99FFECFDF3082D3EBA0474CA04B3C21F659B85D9	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\99FFECFDF3082D3EBA0474CA04B3C21F659B85D9\Blob = 0f0000000100000020000000d2575d2f9b18d793a355862720ed072f3868a1097a02ca62e14f44697b0d231503000000010000001400000099ffecfdf3082d3eba0474ca04b3c21f659b85d92000000001000000f9020000308202f5308201dda003020102021022b40c450622a1fbe8bc5fc171287fdf300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231313032373133303030305a170d3236313032363133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b950b75a5aaf2b3f636ef9de5e378ef10a095d0ba868824e30f918a2863489be523da024a22c04bc89d4b891adcdcc12600f7880a3df5526025fb01d8a8473bd0c7fa3aeedd151bd9b474f1f374ac0c6d2d4b829d60ba1341d657fcc0ee0325e598c62d1dc3f6119b76c891fe00750f11af999839a5c128e1c356118597ef5cd6e1c58adebfced52f1796afe3c89a509008337e60a2f77eb61be45099e0b8b45e297bf773394d06fa281f4498b0ef5b041d9ecad7ae4ff906685a046767a2ea41f1c43615a0e3879dae8ca9c9c7a703dd6a35fa670aae9169508aa4a677387803fd1460874bae89a581afd2eb6aba974050a581116216a054fdfed4aab4c6aad0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414132735607e1c7112018342ca37a88124ac7f375a300d06092a864886f70d01010b050003820101000d50cb320ffd73276b7635a568bd32be8644add949c18226856222675c4078174ae50160cb6d5824bfd5d7a3c4d16a933535c935dcb03a1b7bdae8a48e9063153bfa051ea2273222f9bd2c71e40743aa283c1c314e6d7987fe8d88a5da96bed10db7a78ec7627152cf74263d46222a1be3288fe5dfe26d0ac52bb23f7813e771ba247613d8093d82220f67b41a226b149ee96d989ac566383daaf38293ea29b694a2fae626e52a6ce02cc4ab363e9b560de62cd4875d76f2e2e34fda94095f2d73a8d5d170d827edcc6632c5881f7d2d511f102fa495d74cede362a70e20792770f2742eb0ae360b5a46706e2382414db95b57f607de3efcab4ecd9e259698af	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\99FFECFDF3082D3EBA0474CA04B3C21F659B85D9\Blob = 140000000100000014000000132735607e1c7112018342ca37a88124ac7f375a03000000010000001400000099ffecfdf3082d3eba0474ca04b3c21f659b85d90f0000000100000020000000d2575d2f9b18d793a355862720ed072f3868a1097a02ca62e14f44697b0d23152000000001000000f9020000308202f5308201dda003020102021022b40c450622a1fbe8bc5fc171287fdf300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231313032373133303030305a170d3236313032363133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b950b75a5aaf2b3f636ef9de5e378ef10a095d0ba868824e30f918a2863489be523da024a22c04bc89d4b891adcdcc12600f7880a3df5526025fb01d8a8473bd0c7fa3aeedd151bd9b474f1f374ac0c6d2d4b829d60ba1341d657fcc0ee0325e598c62d1dc3f6119b76c891fe00750f11af999839a5c128e1c356118597ef5cd6e1c58adebfced52f1796afe3c89a509008337e60a2f77eb61be45099e0b8b45e297bf773394d06fa281f4498b0ef5b041d9ecad7ae4ff906685a046767a2ea41f1c43615a0e3879dae8ca9c9c7a703dd6a35fa670aae9169508aa4a677387803fd1460874bae89a581afd2eb6aba974050a581116216a054fdfed4aab4c6aad0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414132735607e1c7112018342ca37a88124ac7f375a300d06092a864886f70d01010b050003820101000d50cb320ffd73276b7635a568bd32be8644add949c18226856222675c4078174ae50160cb6d5824bfd5d7a3c4d16a933535c935dcb03a1b7bdae8a48e9063153bfa051ea2273222f9bd2c71e40743aa283c1c314e6d7987fe8d88a5da96bed10db7a78ec7627152cf74263d46222a1be3288fe5dfe26d0ac52bb23f7813e771ba247613d8093d82220f67b41a226b149ee96d989ac566383daaf38293ea29b694a2fae626e52a6ce02cc4ab363e9b560de62cd4875d76f2e2e34fda94095f2d73a8d5d170d827edcc6632c5881f7d2d511f102fa495d74cede362a70e20792770f2742eb0ae360b5a46706e2382414db95b57f607de3efcab4ecd9e259698af	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Confirmation Transfer Note MT103-Ref No#01018842234595434.exepowershell.exe

pid	process
376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
412	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Confirmation Transfer Note MT103-Ref No#01018842234595434.exepowershell.exeConfirmation Transfer Note MT103-Ref No#01018842234595434.exe

description	pid	process
Token: SeDebugPrivilege	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	1820	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Confirmation Transfer Note MT103-Ref No#01018842234595434.exe

description	pid	process	target process
PID 376 wrote to memory of 412	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	powershell.exe
PID 376 wrote to memory of 412	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	powershell.exe
PID 376 wrote to memory of 412	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	powershell.exe
PID 376 wrote to memory of 412	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	powershell.exe
PID 376 wrote to memory of 1108	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	schtasks.exe
PID 376 wrote to memory of 1108	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	schtasks.exe
PID 376 wrote to memory of 1108	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	schtasks.exe
PID 376 wrote to memory of 1108	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	schtasks.exe
PID 376 wrote to memory of 1820	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
PID 376 wrote to memory of 1820	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
PID 376 wrote to memory of 1820	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
PID 376 wrote to memory of 1820	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
PID 376 wrote to memory of 1820	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
PID 376 wrote to memory of 1820	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
PID 376 wrote to memory of 1820	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
PID 376 wrote to memory of 1820	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
PID 376 wrote to memory of 1820	376	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe	Confirmation Transfer Note MT103-Ref No#01018842234595434.exe

C:\Users\Admin\AppData\Local\Temp\Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation Transfer Note MT103-Ref No#01018842234595434.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ohNwECOYU.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohNwECOYU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB1E.tmp"
2⤵
- Creates scheduled task(s)
PID:1108

C:\Users\Admin\AppData\Local\Temp\Confirmation Transfer Note MT103-Ref No#01018842234595434.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation Transfer Note MT103-Ref No#01018842234595434.exe"
2⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAB1E.tmp
MD5
89206305ca410a57116d8f25969c3d22

SHA1
7f7550fc96fa7435844f0ed9cd3323ab218e1b4d

SHA256
68ffdd7fe60d9fb6edf8dee00b7b47b21079572d92432a2bc2ee4f3623cc5308

SHA512
9ee816f320c78bd6f53699e6a4cd102192b8e57b21e7804d5812af59173e486ee5c35629a0b2eed3e7de4f075b611093f0e16945c7aad76aec2d7245e2bb0191

Download Submit
memory/376-57-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download
memory/376-58-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/376-59-0x00000000004A0000-0x00000000004A7000-memory.dmp

Filesize
28KB

Download
memory/376-60-0x0000000004860000-0x0000000004889000-memory.dmp

Filesize
164KB

Download
memory/376-55-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/412-73-0x0000000002600000-0x000000000324A000-memory.dmp

Filesize
12.3MB

Download
memory/412-61-0x0000000000000000-mapping.dmp

Download
memory/1108-63-0x0000000000000000-mapping.dmp

Download
memory/1820-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1820-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1820-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1820-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1820-70-0x000000000040C74E-mapping.dmp

Download
memory/1820-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1820-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1820-75-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads