asyncrat | 636fb66ea9946bab1538b2434f335482a35d8fd8db7f671fff8506efb39ae20c

Analysis

max time kernel
123s
max time network
153s
platform
windows10_x64
resource
win10-en-20211208
submitted
20-12-2021 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp/2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
Size

5.6MB
MD5

eb036a40e921da13094a1e5b467605de
SHA1

f201ea10d9bcced8b6316c6bb4b362f9e4482069
SHA256

636fb66ea9946bab1538b2434f335482a35d8fd8db7f671fff8506efb39ae20c
SHA512

d5196fbed1ace1442e3214318c515701a564f7c04c9da9f70166fc7053c035a92ebc86da46317c98a72afc098340c481fc7b4aaa57a7db82449fe918eb27675d

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

20.115.143.128:3152

Mutex

AsyncMutex_6SI8OkPnk

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_file
Microsoft Word.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp\explorer.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\tmp\explorer.exe	asyncrat

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

652 explorer.exe

pid	process
652	explorer.exe

Loads dropped DLL 10 IoCs

Processes:

2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe

pid	process
588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exeexplorer.exe

description pid process

Token: 35 588 2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
Token: SeDebugPrivilege 652 explorer.exe

description	pid	process
Token: 35	588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
Token: SeDebugPrivilege	652	explorer.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.execmd.exe

description	pid	process	target process
PID 2764 wrote to memory of 588	2764	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
PID 2764 wrote to memory of 588	2764	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
PID 588 wrote to memory of 540	588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe	cmd.exe
PID 588 wrote to memory of 540	588	2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe	cmd.exe
PID 540 wrote to memory of 652	540	cmd.exe	explorer.exe
PID 540 wrote to memory of 652	540	cmd.exe	explorer.exe
PID 540 wrote to memory of 652	540	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\tmp\2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\tmp\2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe
"C:\Users\Admin\AppData\Local\Temp\tmp\2e9b56b5-1225-4f85-8bd4-e87bfd4a4592_builded.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start explorer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\tmp\explorer.exe
explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27642\VCRUNTIME140.dll
MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_bz2.pyd
MD5
c9bfb31afe7cce0b57e5bfbbfda5ae7a

SHA1
37a930d22a9651f7ae940f61a23467deaa1f59d0

SHA256
58563fb8798c878bbb19221d8c6c9a3cc243d6dbc9bf5d7f73ba62834c5e4614

SHA512
3775adb2750a8a7927f56b1bad853e405b21c678d2708ae1d0e7ddfb68e2228971636ccd88055a9d04e49f009d8ec1fb4e0f7cb6ad9b012b666e132d989668e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_hashlib.pyd
MD5
86db282b25244f420a5d7abd44abb098

SHA1
992445028220ac07b39e939824a4c6b1fda811dc

SHA256
ab3d09c879b395631d8a4f89f6855d98d315675e9607248eed7bc07317260168

SHA512
62e2919c4ba74fa69f25209db89f0652c5f8624867b3221aa3865e4dc2bab07e70880c63e4853051f1cc7464ff6478106ac4d6c9fc096172d85e523d8cbd069a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_lzma.pyd
MD5
857ba2d859502a76789b0cd090ef231a

SHA1
352378e0f9536154d698ecbb4c694aae8d416787

SHA256
42aafcd7e1050b3307c06874fa1e72eecfb5554bd631097e7af0506a3a200144

SHA512
ab70e4fde01bf0d1a2f4dbfe0b556ce3d83e57edf84c62262f0500b6b0295101a36e279f843cef6a08a4d4d3cde150ff76195ff417123eed64b661310fa759a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_socket.pyd
MD5
7e080d04a56cd48cf24219774ab0abe2

SHA1
b3caf5603ce8da3da728577aa6b06daa32118b57

SHA256
77b3597eef6eb044fbec7b2229772495cd632033bec03badad4e4d268748b760

SHA512
8bb475b62cb025823ef3eb54db58017b9fc394fe4a8a6d84aee13a4aaf9dd426e59860d3f15abcc218bd7cf4aefeee37d8fdf24dc272b6196b089b65cb584aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\_ssl.pyd
MD5
61fb40f4c868059e3378c735d1888c14

SHA1
73423b0e17eb9a0c231f4d6bffb2541a08975ed2

SHA256
ea7cf863090d7f61daae9c6cc679608239e622f4485514dc705d09c1311657c2

SHA512
e40a1fcf528b9a0a4bd2161b71d86dacff82647d6895f8a945c0960310397f8ebdc2d3191d04cd262940866ff0d7ddc7e4f2c17b9ebf86f527c08c8179ff2e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\base_library.zip
MD5
39c84fc001b12024b36bf1c783dcb555

SHA1
5f29b398251ff82fe886be40fa2ae8806d0e92d6

SHA256
4724105c9f75c3b2cdbff37e8c1323fc86f0f20f80727d24f18d0b1d067e31c4

SHA512
0428b35212ec550dcccdcdb365bfabdff01062fab7e61fb1991c7b01b51d3fa2c9a126208f59fd9fb525ebce046b86dce2bbbe193f05e06ebf819f5ef633da53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\python36.dll
MD5
7e5ad98ee1fef48d50c2cb641f464181

SHA1
ba424106c46ab11be33f4954195d10382791677d

SHA256
dd4bba32bf57165371822f5966617f475198764a91f39dc6ef86552457ac795d

SHA512
7633730cc9672bc558f8f3391534f9a0f3627a98c5c9f5acefbfc2356eeb14cd10581dceceec2e2d20ed666bc121b28d2af63bd61ead48d34cbcec5861f8ef82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\select.pyd
MD5
290242633745524a3fb673798faabbe1

SHA1
7a5df2949b75469242c9287ae529045d7a85fd4c

SHA256
df8acaf83e5c861f1d0ad694b087ff0a451f01191602617307a93c9dec893ecd

SHA512
a3aec08265e2ea4549df14f6c2683b7b53c553b45304e80ed27ca5b5df70f0e1a3b139608557230e2acbaad4f302b5e20631a9d82de75222a9cc4b2177ce2020

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\ucrtbase.dll
MD5
bd8b198c3210b885fe516500306a4fcf

SHA1
28762cb66003587be1a59c2668d2300fce300c2d

SHA256
ce2621719f1358508c2c33bcc1380d78a737ca20cd18c0ac89f38e1be788d9a2

SHA512
c32b6c083d3a7da01085718e5685e9a04034be91251c065794ceef1dfaaf6573fdd845cbc84e926ab3f510d295649cb6e497564fbe52cc79c053357c645c11a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27642\unicodedata.pyd
MD5
1c35e860d07c30617326d5a7030961b2

SHA1
44f727f11b2a19b078a987ad4f4bf7b6ccb393c2

SHA256
7c115398f9975004b436c70cfa5d5d08e9f3f1d0f1c8a9e07eeeac96affe6625

SHA512
863ffa0d09c7e7fc00b3a5ec8101ed31b6794f8b1dab96501c11725f247dfc5315f9b20602d424e384fdc20031e5d59ae65be1ecc5b72976ac3e2813b0cd2276

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp\explorer.exe
MD5
9eb31dfaca53b6d6b9579167ff3bb2d1

SHA1
584a2fb155acc22e2b8770578b61152492e7cb5c

SHA256
d389a6eb0a5c533865fa412e1fc0c8fde62462b27acb95499cf8fbf6bba4ee2f

SHA512
2acb0ae12d33702f41595f99ffb3eac67e4b76417bcf636bdb4396a388cacf2501f6668a1b593909b214a8c5083c594611174c0928bf7b3c1ea91dfc9bc9a9c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp\explorer.exe
MD5
9eb31dfaca53b6d6b9579167ff3bb2d1

SHA1
584a2fb155acc22e2b8770578b61152492e7cb5c

SHA256
d389a6eb0a5c533865fa412e1fc0c8fde62462b27acb95499cf8fbf6bba4ee2f

SHA512
2acb0ae12d33702f41595f99ffb3eac67e4b76417bcf636bdb4396a388cacf2501f6668a1b593909b214a8c5083c594611174c0928bf7b3c1ea91dfc9bc9a9c0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27642\VCRUNTIME140.dll
MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27642\_bz2.pyd
MD5
c9bfb31afe7cce0b57e5bfbbfda5ae7a

SHA1
37a930d22a9651f7ae940f61a23467deaa1f59d0

SHA256
58563fb8798c878bbb19221d8c6c9a3cc243d6dbc9bf5d7f73ba62834c5e4614

SHA512
3775adb2750a8a7927f56b1bad853e405b21c678d2708ae1d0e7ddfb68e2228971636ccd88055a9d04e49f009d8ec1fb4e0f7cb6ad9b012b666e132d989668e6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27642\_hashlib.pyd
MD5
86db282b25244f420a5d7abd44abb098

SHA1
992445028220ac07b39e939824a4c6b1fda811dc

SHA256
ab3d09c879b395631d8a4f89f6855d98d315675e9607248eed7bc07317260168

SHA512
62e2919c4ba74fa69f25209db89f0652c5f8624867b3221aa3865e4dc2bab07e70880c63e4853051f1cc7464ff6478106ac4d6c9fc096172d85e523d8cbd069a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27642\_lzma.pyd
MD5
857ba2d859502a76789b0cd090ef231a

SHA1
352378e0f9536154d698ecbb4c694aae8d416787

SHA256
42aafcd7e1050b3307c06874fa1e72eecfb5554bd631097e7af0506a3a200144

SHA512
ab70e4fde01bf0d1a2f4dbfe0b556ce3d83e57edf84c62262f0500b6b0295101a36e279f843cef6a08a4d4d3cde150ff76195ff417123eed64b661310fa759a4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27642\_socket.pyd
MD5
7e080d04a56cd48cf24219774ab0abe2

SHA1
b3caf5603ce8da3da728577aa6b06daa32118b57

SHA256
77b3597eef6eb044fbec7b2229772495cd632033bec03badad4e4d268748b760

SHA512
8bb475b62cb025823ef3eb54db58017b9fc394fe4a8a6d84aee13a4aaf9dd426e59860d3f15abcc218bd7cf4aefeee37d8fdf24dc272b6196b089b65cb584aae

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27642\_ssl.pyd
MD5
61fb40f4c868059e3378c735d1888c14

SHA1
73423b0e17eb9a0c231f4d6bffb2541a08975ed2

SHA256
ea7cf863090d7f61daae9c6cc679608239e622f4485514dc705d09c1311657c2

SHA512
e40a1fcf528b9a0a4bd2161b71d86dacff82647d6895f8a945c0960310397f8ebdc2d3191d04cd262940866ff0d7ddc7e4f2c17b9ebf86f527c08c8179ff2e91

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27642\python36.dll
MD5
7e5ad98ee1fef48d50c2cb641f464181

SHA1
ba424106c46ab11be33f4954195d10382791677d

SHA256
dd4bba32bf57165371822f5966617f475198764a91f39dc6ef86552457ac795d

SHA512
7633730cc9672bc558f8f3391534f9a0f3627a98c5c9f5acefbfc2356eeb14cd10581dceceec2e2d20ed666bc121b28d2af63bd61ead48d34cbcec5861f8ef82

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27642\select.pyd
MD5
290242633745524a3fb673798faabbe1

SHA1
7a5df2949b75469242c9287ae529045d7a85fd4c

SHA256
df8acaf83e5c861f1d0ad694b087ff0a451f01191602617307a93c9dec893ecd

SHA512
a3aec08265e2ea4549df14f6c2683b7b53c553b45304e80ed27ca5b5df70f0e1a3b139608557230e2acbaad4f302b5e20631a9d82de75222a9cc4b2177ce2020

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27642\ucrtbase.dll
MD5
bd8b198c3210b885fe516500306a4fcf

SHA1
28762cb66003587be1a59c2668d2300fce300c2d

SHA256
ce2621719f1358508c2c33bcc1380d78a737ca20cd18c0ac89f38e1be788d9a2

SHA512
c32b6c083d3a7da01085718e5685e9a04034be91251c065794ceef1dfaaf6573fdd845cbc84e926ab3f510d295649cb6e497564fbe52cc79c053357c645c11a5

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI27642\unicodedata.pyd
MD5
1c35e860d07c30617326d5a7030961b2

SHA1
44f727f11b2a19b078a987ad4f4bf7b6ccb393c2

SHA256
7c115398f9975004b436c70cfa5d5d08e9f3f1d0f1c8a9e07eeeac96affe6625

SHA512
863ffa0d09c7e7fc00b3a5ec8101ed31b6794f8b1dab96501c11725f247dfc5315f9b20602d424e384fdc20031e5d59ae65be1ecc5b72976ac3e2813b0cd2276

Download Submit
memory/540-137-0x0000000000000000-mapping.dmp

Download
memory/588-115-0x0000000000000000-mapping.dmp

Download
memory/652-138-0x0000000000000000-mapping.dmp

Download
memory/652-141-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/652-143-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/652-144-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/652-145-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/652-146-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download