asyncrat | d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3

General

Target

d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
Size

63KB
MD5

22021cdbf9936f8a469ecb5e11636799
SHA1

9a3186aaa9fa202c1666d5b751db53b13b961002
SHA256

d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3
SHA512

f3efc9a323bf144cdec2db10e33bdcae5512543cbddc349d21a9ecce9108bc376aa3777cc15f01c3954497091b7bac3c4b8afb9a1c18008c8dc92f4058a9e45b

Score

10^/10

asyncrat default rat suricata

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

bigrussianfloppa.duckdns.org:1001

Mutex

Mutex_qwqdanchun

Attributes

anti_vm
false
bsod
false
delay
1
install
true
install_file
Churkaebanaya.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
suricata

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2468-116-0x0000000000F40000-0x0000000000F56000-memory.dmp	asyncrat
behavioral1/memory/2468-117-0x0000000001740000-0x00000000017F7000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\Churkaebanaya.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Churkaebanaya.exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Churkaebanaya.exe

pid process

1524 Churkaebanaya.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2396 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3516 timeout.exe

pid	process
1524	Churkaebanaya.exe

pid	process
2396	schtasks.exe

pid	process
3516	timeout.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe

pid	process
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exeChurkaebanaya.exe

description	pid	process
Token: SeDebugPrivilege	2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
Token: SeDebugPrivilege	1524	Churkaebanaya.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.execmd.execmd.exe

description	pid	process	target process
PID 2468 wrote to memory of 2752	2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe	cmd.exe
PID 2468 wrote to memory of 2752	2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe	cmd.exe
PID 2468 wrote to memory of 668	2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe	cmd.exe
PID 2468 wrote to memory of 668	2468	d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe	cmd.exe
PID 2752 wrote to memory of 2396	2752	cmd.exe	schtasks.exe
PID 2752 wrote to memory of 2396	2752	cmd.exe	schtasks.exe
PID 668 wrote to memory of 3516	668	cmd.exe	timeout.exe
PID 668 wrote to memory of 3516	668	cmd.exe	timeout.exe
PID 668 wrote to memory of 1524	668	cmd.exe	Churkaebanaya.exe
PID 668 wrote to memory of 1524	668	cmd.exe	Churkaebanaya.exe

C:\Users\Admin\AppData\Local\Temp\d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe
"C:\Users\Admin\AppData\Local\Temp\d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Churkaebanaya" /tr '"C:\Users\Admin\AppData\Roaming\Churkaebanaya.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Churkaebanaya" /tr '"C:\Users\Admin\AppData\Roaming\Churkaebanaya.exe"'
3⤵
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBF2.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3516

C:\Users\Admin\AppData\Roaming\Churkaebanaya.exe
"C:\Users\Admin\AppData\Roaming\Churkaebanaya.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBF2.tmp.bat
MD5
c8e06c00af22a5c4f01fd4b3a17b93cb

SHA1
7eb4f52ff2f0cf238eb2f2068b8b530e067b0a42

SHA256
178f5a46ff429ceb41fd22cc2a8b3d71e478947fed2b91301015730199cd9eaa

SHA512
9d2f4f1f4d7126a905c15182d1f9d1ad12df9af9e007ade8ee8ab15c68158bd3c0a7c77456009294bd044a05d07302332faa973d4aa3ca0eeccd455d638056ad

Download Submit
C:\Users\Admin\AppData\Roaming\Churkaebanaya.exe
MD5
22021cdbf9936f8a469ecb5e11636799

SHA1
9a3186aaa9fa202c1666d5b751db53b13b961002

SHA256
d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3

SHA512
f3efc9a323bf144cdec2db10e33bdcae5512543cbddc349d21a9ecce9108bc376aa3777cc15f01c3954497091b7bac3c4b8afb9a1c18008c8dc92f4058a9e45b

Download Submit
C:\Users\Admin\AppData\Roaming\Churkaebanaya.exe
MD5
22021cdbf9936f8a469ecb5e11636799

SHA1
9a3186aaa9fa202c1666d5b751db53b13b961002

SHA256
d775bef532e71e692eb0e66292da60db38864a4f3dba5d2382ace1992ddd55f3

SHA512
f3efc9a323bf144cdec2db10e33bdcae5512543cbddc349d21a9ecce9108bc376aa3777cc15f01c3954497091b7bac3c4b8afb9a1c18008c8dc92f4058a9e45b

Download Submit
memory/1524-121-0x00000000007D0000-0x00000000007D2000-memory.dmp

Filesize
8KB

Download
memory/2468-116-0x0000000000F40000-0x0000000000F56000-memory.dmp

Filesize
88KB

Download
memory/2468-117-0x0000000001740000-0x00000000017F7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads