asyncrat | bcb3f5843cba83b163c793e06e5d583a021da1c5794fdd7e484e6ad0f9655e8f

General

Target

041e966e088ae931009805da96e4997d.exe
Size

624KB
MD5

041e966e088ae931009805da96e4997d
SHA1

09877b64628255c310a4dd310593a6c52b1db9dc
SHA256

bcb3f5843cba83b163c793e06e5d583a021da1c5794fdd7e484e6ad0f9655e8f
SHA512

c201f5b6c3a223e2064abcd7966edfd01f5df9f5e5d0c59a4d376141a86a60252e1c5cd6b1409d93dc6ee6ab886d271f5790ebae5d6721361f2f7a044dbf7290

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1048-127-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

041e966e088ae931009805da96e4997d.exe

description pid process target process

PID 2776 set thread context of 1048 2776 041e966e088ae931009805da96e4997d.exe 041e966e088ae931009805da96e4997d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1236 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

041e966e088ae931009805da96e4997d.exepowershell.exe

pid process

2776 041e966e088ae931009805da96e4997d.exe
2776 041e966e088ae931009805da96e4997d.exe
956 powershell.exe
956 powershell.exe
956 powershell.exe

description	pid	process	target process
PID 2776 set thread context of 1048	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe

pid	process
1236	schtasks.exe

pid	process
2776	041e966e088ae931009805da96e4997d.exe
2776	041e966e088ae931009805da96e4997d.exe
956	powershell.exe
956	powershell.exe
956	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

041e966e088ae931009805da96e4997d.exepowershell.exe041e966e088ae931009805da96e4997d.exe

description	pid	process
Token: SeDebugPrivilege	2776	041e966e088ae931009805da96e4997d.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1048	041e966e088ae931009805da96e4997d.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

041e966e088ae931009805da96e4997d.exe

C:\Users\Admin\AppData\Local\Temp\041e966e088ae931009805da96e4997d.exe
"C:\Users\Admin\AppData\Local\Temp\041e966e088ae931009805da96e4997d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\btVAOWX.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\btVAOWX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC753.tmp"
2⤵
- Creates scheduled task(s)
PID:1236

C:\Users\Admin\AppData\Local\Temp\041e966e088ae931009805da96e4997d.exe
"C:\Users\Admin\AppData\Local\Temp\041e966e088ae931009805da96e4997d.exe"
2⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\041e966e088ae931009805da96e4997d.exe
"C:\Users\Admin\AppData\Local\Temp\041e966e088ae931009805da96e4997d.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\041e966e088ae931009805da96e4997d.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC753.tmp
MD5
5ba7c98dd1936f00d62a26e6dfca9aa5

SHA1
92cb80506a304a26e6a3ffc7be3a95cd09c33462

SHA256
1e6032b5d8e0d4a4c46bcc430e5bd542a64d59ddd5cf11a1af872fc51754b404

SHA512
1de37094ef2cb620222432b5f5ab357bf3180ed2fb659a2089dd006fcab5cea22ac54a964befa75f0803220f0e104b7a109bf99b04d0baa8692375ba6e298af7

Download Submit
memory/956-138-0x00000000085B0000-0x0000000008626000-memory.dmp

Filesize
472KB

Download
memory/956-155-0x0000000009760000-0x0000000009805000-memory.dmp

Filesize
660KB

Download
memory/956-133-0x0000000007540000-0x00000000075A6000-memory.dmp

Filesize
408KB

Download
memory/956-355-0x00000000070F0000-0x00000000070F8000-memory.dmp

Filesize
32KB

Download
memory/956-134-0x00000000075B0000-0x0000000007616000-memory.dmp

Filesize
408KB

Download
memory/956-350-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/956-211-0x0000000007073000-0x0000000007074000-memory.dmp

Filesize
4KB

Download
memory/956-126-0x0000000004A60000-0x0000000004A96000-memory.dmp

Filesize
216KB

Download
memory/956-156-0x0000000009960000-0x00000000099F4000-memory.dmp

Filesize
592KB

Download
memory/956-148-0x0000000009630000-0x0000000009663000-memory.dmp

Filesize
204KB

Download
memory/956-129-0x00000000076B0000-0x0000000007CD8000-memory.dmp

Filesize
6.2MB

Download
memory/956-135-0x0000000007EC0000-0x0000000008210000-memory.dmp

Filesize
3.3MB

Download
memory/956-131-0x0000000007072000-0x0000000007073000-memory.dmp

Filesize
4KB

Download
memory/956-132-0x00000000073A0000-0x00000000073C2000-memory.dmp

Filesize
136KB

Download
memory/956-154-0x000000007E380000-0x000000007E381000-memory.dmp

Filesize
4KB

Download
memory/956-149-0x00000000095F0000-0x000000000960E000-memory.dmp

Filesize
120KB

Download
memory/956-130-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/956-136-0x0000000007D20000-0x0000000007D3C000-memory.dmp

Filesize
112KB

Download
memory/956-137-0x0000000008560000-0x00000000085AB000-memory.dmp

Filesize
300KB

Download
memory/1048-127-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1048-143-0x00000000055E0000-0x00000000055E1000-memory.dmp

Filesize
4KB

Download
memory/2776-115-0x0000000000FD0000-0x0000000001072000-memory.dmp

Filesize
648KB

Download
memory/2776-121-0x00000000081F0000-0x000000000828C000-memory.dmp

Filesize
624KB

Download
memory/2776-119-0x00000000058C0000-0x00000000058CA000-memory.dmp

Filesize
40KB

Download
memory/2776-116-0x0000000005D80000-0x000000000627E000-memory.dmp

Filesize
5.0MB

Download
memory/2776-118-0x0000000005880000-0x0000000005D7E000-memory.dmp

Filesize
5.0MB

Download
memory/2776-117-0x0000000005920000-0x00000000059B2000-memory.dmp

Filesize
584KB

Download
memory/2776-122-0x00000000081A0000-0x00000000081DC000-memory.dmp

Filesize
240KB

Download
memory/2776-120-0x0000000007EB0000-0x0000000007EBC000-memory.dmp

Filesize
48KB

Download

description	pid	process	target process
PID 2776 wrote to memory of 956	2776	041e966e088ae931009805da96e4997d.exe	powershell.exe
PID 2776 wrote to memory of 956	2776	041e966e088ae931009805da96e4997d.exe	powershell.exe
PID 2776 wrote to memory of 956	2776	041e966e088ae931009805da96e4997d.exe	powershell.exe
PID 2776 wrote to memory of 1236	2776	041e966e088ae931009805da96e4997d.exe	schtasks.exe
PID 2776 wrote to memory of 1236	2776	041e966e088ae931009805da96e4997d.exe	schtasks.exe
PID 2776 wrote to memory of 1236	2776	041e966e088ae931009805da96e4997d.exe	schtasks.exe
PID 2776 wrote to memory of 816	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe
PID 2776 wrote to memory of 816	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe
PID 2776 wrote to memory of 816	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe
PID 2776 wrote to memory of 1048	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe
PID 2776 wrote to memory of 1048	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe
PID 2776 wrote to memory of 1048	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe
PID 2776 wrote to memory of 1048	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe
PID 2776 wrote to memory of 1048	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe
PID 2776 wrote to memory of 1048	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe
PID 2776 wrote to memory of 1048	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe
PID 2776 wrote to memory of 1048	2776	041e966e088ae931009805da96e4997d.exe	041e966e088ae931009805da96e4997d.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads