asyncrat | 2874ed24596c71b8a60ec07c834d203ec7daadfa430c05b54bc6a5bf2c5cb6a6

General

Target

xeroxscanner13012022.exe
Size

852KB
MD5

4672855d9562d4dfbf309d3676ff5df7
SHA1

648779f7d24a50830582d7c35515ed9a42cda7e5
SHA256

2874ed24596c71b8a60ec07c834d203ec7daadfa430c05b54bc6a5bf2c5cb6a6
SHA512

57224a6597cff15fa8b2e5282d89240ea1c692663e769c8b2448badfd2928b4b98bf8e198204fdddc1080924f7288fd45524113a88fa3509da636089eda346b1

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 12 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-61-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/268-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/268-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/268-64-0x000000000040D0AE-mapping.dmp	asyncrat
behavioral1/memory/268-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/268-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1536-85-0x000000000040D0AE-mapping.dmp	asyncrat
behavioral1/memory/1536-88-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1536-89-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1572-105-0x000000000040D0AE-mapping.dmp	asyncrat
behavioral1/memory/1572-108-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1572-109-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

kkjghdir.exekkjghdir.exe

pid process

1856 kkjghdir.exe
784 kkjghdir.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1856	kkjghdir.exe
784	kkjghdir.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

xeroxscanner13012022.exekkjghdir.exekkjghdir.exe

description	pid	process	target process
PID 1712 set thread context of 268	1712	xeroxscanner13012022.exe	vbc.exe
PID 1856 set thread context of 1536	1856	kkjghdir.exe	vbc.exe
PID 784 set thread context of 1572	784	kkjghdir.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1668 schtasks.exe
860 schtasks.exe
1976 schtasks.exe

pid	process
1668	schtasks.exe
860	schtasks.exe
1976	schtasks.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

xeroxscanner13012022.exekkjghdir.exevbc.exekkjghdir.exe

description	pid	process
Token: SeDebugPrivilege	1712	xeroxscanner13012022.exe
Token: 33	1712	xeroxscanner13012022.exe
Token: SeIncBasePriorityPrivilege	1712	xeroxscanner13012022.exe
Token: SeDebugPrivilege	1856	kkjghdir.exe
Token: 33	1856	kkjghdir.exe
Token: SeIncBasePriorityPrivilege	1856	kkjghdir.exe
Token: SeDebugPrivilege	268	vbc.exe
Token: SeDebugPrivilege	784	kkjghdir.exe
Token: 33	784	kkjghdir.exe
Token: SeIncBasePriorityPrivilege	784	kkjghdir.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

xeroxscanner13012022.execmd.exetaskeng.exekkjghdir.execmd.exekkjghdir.exe

description	pid	process	target process
PID 1712 wrote to memory of 268	1712	xeroxscanner13012022.exe	vbc.exe
PID 1712 wrote to memory of 268	1712	xeroxscanner13012022.exe	vbc.exe
PID 1712 wrote to memory of 268	1712	xeroxscanner13012022.exe	vbc.exe
PID 1712 wrote to memory of 268	1712	xeroxscanner13012022.exe	vbc.exe
PID 1712 wrote to memory of 268	1712	xeroxscanner13012022.exe	vbc.exe
PID 1712 wrote to memory of 268	1712	xeroxscanner13012022.exe	vbc.exe
PID 1712 wrote to memory of 268	1712	xeroxscanner13012022.exe	vbc.exe
PID 1712 wrote to memory of 268	1712	xeroxscanner13012022.exe	vbc.exe
PID 1712 wrote to memory of 268	1712	xeroxscanner13012022.exe	vbc.exe
PID 1712 wrote to memory of 1624	1712	xeroxscanner13012022.exe	cmd.exe
PID 1712 wrote to memory of 1624	1712	xeroxscanner13012022.exe	cmd.exe
PID 1712 wrote to memory of 1624	1712	xeroxscanner13012022.exe	cmd.exe
PID 1712 wrote to memory of 1624	1712	xeroxscanner13012022.exe	cmd.exe
PID 1624 wrote to memory of 1668	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 1668	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 1668	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 1668	1624	cmd.exe	schtasks.exe
PID 1712 wrote to memory of 568	1712	xeroxscanner13012022.exe	cmd.exe
PID 1712 wrote to memory of 568	1712	xeroxscanner13012022.exe	cmd.exe
PID 1712 wrote to memory of 568	1712	xeroxscanner13012022.exe	cmd.exe
PID 1712 wrote to memory of 568	1712	xeroxscanner13012022.exe	cmd.exe
PID 1940 wrote to memory of 1856	1940	taskeng.exe	kkjghdir.exe
PID 1940 wrote to memory of 1856	1940	taskeng.exe	kkjghdir.exe
PID 1940 wrote to memory of 1856	1940	taskeng.exe	kkjghdir.exe
PID 1940 wrote to memory of 1856	1940	taskeng.exe	kkjghdir.exe
PID 1856 wrote to memory of 1536	1856	kkjghdir.exe	vbc.exe
PID 1856 wrote to memory of 1536	1856	kkjghdir.exe	vbc.exe
PID 1856 wrote to memory of 1536	1856	kkjghdir.exe	vbc.exe
PID 1856 wrote to memory of 1536	1856	kkjghdir.exe	vbc.exe
PID 1856 wrote to memory of 1536	1856	kkjghdir.exe	vbc.exe
PID 1856 wrote to memory of 1536	1856	kkjghdir.exe	vbc.exe
PID 1856 wrote to memory of 1536	1856	kkjghdir.exe	vbc.exe
PID 1856 wrote to memory of 1536	1856	kkjghdir.exe	vbc.exe
PID 1856 wrote to memory of 1536	1856	kkjghdir.exe	vbc.exe
PID 1856 wrote to memory of 964	1856	kkjghdir.exe	cmd.exe
PID 1856 wrote to memory of 964	1856	kkjghdir.exe	cmd.exe
PID 1856 wrote to memory of 964	1856	kkjghdir.exe	cmd.exe
PID 1856 wrote to memory of 964	1856	kkjghdir.exe	cmd.exe
PID 1856 wrote to memory of 1848	1856	kkjghdir.exe	cmd.exe
PID 1856 wrote to memory of 1848	1856	kkjghdir.exe	cmd.exe
PID 1856 wrote to memory of 1848	1856	kkjghdir.exe	cmd.exe
PID 1856 wrote to memory of 1848	1856	kkjghdir.exe	cmd.exe
PID 964 wrote to memory of 860	964	cmd.exe	schtasks.exe
PID 964 wrote to memory of 860	964	cmd.exe	schtasks.exe
PID 964 wrote to memory of 860	964	cmd.exe	schtasks.exe
PID 964 wrote to memory of 860	964	cmd.exe	schtasks.exe
PID 1940 wrote to memory of 784	1940	taskeng.exe	kkjghdir.exe
PID 1940 wrote to memory of 784	1940	taskeng.exe	kkjghdir.exe
PID 1940 wrote to memory of 784	1940	taskeng.exe	kkjghdir.exe
PID 1940 wrote to memory of 784	1940	taskeng.exe	kkjghdir.exe
PID 784 wrote to memory of 1572	784	kkjghdir.exe	vbc.exe
PID 784 wrote to memory of 1572	784	kkjghdir.exe	vbc.exe
PID 784 wrote to memory of 1572	784	kkjghdir.exe	vbc.exe
PID 784 wrote to memory of 1572	784	kkjghdir.exe	vbc.exe
PID 784 wrote to memory of 1572	784	kkjghdir.exe	vbc.exe
PID 784 wrote to memory of 1572	784	kkjghdir.exe	vbc.exe
PID 784 wrote to memory of 1572	784	kkjghdir.exe	vbc.exe
PID 784 wrote to memory of 1572	784	kkjghdir.exe	vbc.exe
PID 784 wrote to memory of 1572	784	kkjghdir.exe	vbc.exe
PID 784 wrote to memory of 1668	784	kkjghdir.exe	cmd.exe
PID 784 wrote to memory of 1668	784	kkjghdir.exe	cmd.exe
PID 784 wrote to memory of 1668	784	kkjghdir.exe	cmd.exe
PID 784 wrote to memory of 1668	784	kkjghdir.exe	cmd.exe
PID 784 wrote to memory of 1624	784	kkjghdir.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\xeroxscanner13012022.exe
"C:\Users\Admin\AppData\Local\Temp\xeroxscanner13012022.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Roaming\kkjghdir.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Roaming\kkjghdir.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1668

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\xeroxscanner13012022.exe" "C:\Users\Admin\AppData\Roaming\kkjghdir.exe"
2⤵
PID:568

C:\Windows\system32\taskeng.exe
taskeng.exe {D2FBA15D-DE63-4326-BE5C-A0EDCD477B79} S-1-5-21-3846991908-3261386348-1409841751-1000:VQVVOAJK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Roaming\kkjghdir.exe
C:\Users\Admin\AppData\Roaming\kkjghdir.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kkjghdir.exe" "C:\Users\Admin\AppData\Roaming\kkjghdir.exe"
3⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Roaming\kkjghdir.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Roaming\kkjghdir.exe'" /f
4⤵
- Creates scheduled task(s)
PID:860

C:\Users\Admin\AppData\Roaming\kkjghdir.exe
C:\Users\Admin\AppData\Roaming\kkjghdir.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Roaming\kkjghdir.exe'" /f
3⤵
PID:1668

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nania" /tr "'C:\Users\Admin\AppData\Roaming\kkjghdir.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\kkjghdir.exe" "C:\Users\Admin\AppData\Roaming\kkjghdir.exe"
3⤵
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\kkjghdir.exe
MD5
4672855d9562d4dfbf309d3676ff5df7

SHA1
648779f7d24a50830582d7c35515ed9a42cda7e5

SHA256
2874ed24596c71b8a60ec07c834d203ec7daadfa430c05b54bc6a5bf2c5cb6a6

SHA512
57224a6597cff15fa8b2e5282d89240ea1c692663e769c8b2448badfd2928b4b98bf8e198204fdddc1080924f7288fd45524113a88fa3509da636089eda346b1

Download Submit
C:\Users\Admin\AppData\Roaming\kkjghdir.exe
MD5
4672855d9562d4dfbf309d3676ff5df7

SHA1
648779f7d24a50830582d7c35515ed9a42cda7e5

SHA256
2874ed24596c71b8a60ec07c834d203ec7daadfa430c05b54bc6a5bf2c5cb6a6

SHA512
57224a6597cff15fa8b2e5282d89240ea1c692663e769c8b2448badfd2928b4b98bf8e198204fdddc1080924f7288fd45524113a88fa3509da636089eda346b1

Download Submit
C:\Users\Admin\AppData\Roaming\kkjghdir.exe
MD5
4672855d9562d4dfbf309d3676ff5df7

SHA1
648779f7d24a50830582d7c35515ed9a42cda7e5

SHA256
2874ed24596c71b8a60ec07c834d203ec7daadfa430c05b54bc6a5bf2c5cb6a6

SHA512
57224a6597cff15fa8b2e5282d89240ea1c692663e769c8b2448badfd2928b4b98bf8e198204fdddc1080924f7288fd45524113a88fa3509da636089eda346b1

Download Submit
memory/268-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-71-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/268-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-64-0x000000000040D0AE-mapping.dmp

Download
memory/268-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/568-69-0x0000000000000000-mapping.dmp

Download
memory/784-96-0x0000000000E50000-0x0000000000F2A000-memory.dmp

Filesize
872KB

Download
memory/784-103-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/784-98-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/784-95-0x0000000000E50000-0x0000000000F2A000-memory.dmp

Filesize
872KB

Download
memory/784-93-0x0000000000000000-mapping.dmp

Download
memory/860-90-0x0000000000000000-mapping.dmp

Download
memory/964-86-0x0000000000000000-mapping.dmp

Download
memory/1536-89-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1536-85-0x000000000040D0AE-mapping.dmp

Download
memory/1536-88-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1536-92-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/1572-112-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1572-109-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1572-108-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1572-105-0x000000000040D0AE-mapping.dmp

Download
memory/1624-107-0x0000000000000000-mapping.dmp

Download
memory/1624-67-0x0000000000000000-mapping.dmp

Download
memory/1668-68-0x0000000000000000-mapping.dmp

Download
memory/1668-106-0x0000000000000000-mapping.dmp

Download
memory/1712-56-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1712-54-0x00000000013E0000-0x00000000014BA000-memory.dmp

Filesize
872KB

Download
memory/1712-57-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1712-58-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/1712-55-0x00000000013E0000-0x00000000014BA000-memory.dmp

Filesize
872KB

Download
memory/1848-87-0x0000000000000000-mapping.dmp

Download
memory/1856-73-0x0000000000000000-mapping.dmp

Download
memory/1856-76-0x0000000000D70000-0x0000000000E4A000-memory.dmp

Filesize
872KB

Download
memory/1856-78-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1856-83-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1856-75-0x0000000000D70000-0x0000000000E4A000-memory.dmp

Filesize
872KB

Download
memory/1976-110-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads