asyncrat | a678300e6317d7a0354316b152e371f9c21f4afc39cc9c058a56f224fd4a90a7

General

Target

PaymentAdvice.pdf.exe
Size

466KB
MD5

936a2b0bca688de0ea619f967ba6e713
SHA1

135f50d2dc2387df84aaeb7a50610b0a47ccf65e
SHA256

a678300e6317d7a0354316b152e371f9c21f4afc39cc9c058a56f224fd4a90a7
SHA512

3f6b8bc68ec8d94386c8df4bd53b2c9f6b711c570115b6d200e5140bfd3599476a8b7de7067216238b4793cbaba835c6e11f552ab2777a08f8c8f888fa0e2437

Score

10^/10

asyncrat rat spyware stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1344-130-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

PaymentAdvice.pdf.exe

description pid process target process

PID 2188 set thread context of 1344 2188 PaymentAdvice.pdf.exe PaymentAdvice.pdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3948 schtasks.exe

description	pid	process	target process
PID 2188 set thread context of 1344	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe

pid	process
3948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

PaymentAdvice.pdf.exepowershell.exe

pid	process
2188	PaymentAdvice.pdf.exe
2188	PaymentAdvice.pdf.exe
2188	PaymentAdvice.pdf.exe
2188	PaymentAdvice.pdf.exe
4088	powershell.exe
4088	powershell.exe
4088	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PaymentAdvice.pdf.exepowershell.exePaymentAdvice.pdf.exe

description	pid	process
Token: SeDebugPrivilege	2188	PaymentAdvice.pdf.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	1344	PaymentAdvice.pdf.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

PaymentAdvice.pdf.exe

description	pid	process	target process
PID 2188 wrote to memory of 4088	2188	PaymentAdvice.pdf.exe	powershell.exe
PID 2188 wrote to memory of 4088	2188	PaymentAdvice.pdf.exe	powershell.exe
PID 2188 wrote to memory of 4088	2188	PaymentAdvice.pdf.exe	powershell.exe
PID 2188 wrote to memory of 3948	2188	PaymentAdvice.pdf.exe	schtasks.exe
PID 2188 wrote to memory of 3948	2188	PaymentAdvice.pdf.exe	schtasks.exe
PID 2188 wrote to memory of 3948	2188	PaymentAdvice.pdf.exe	schtasks.exe
PID 2188 wrote to memory of 1276	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1276	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1276	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1268	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1268	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1268	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1344	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1344	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1344	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1344	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1344	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1344	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1344	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe
PID 2188 wrote to memory of 1344	2188	PaymentAdvice.pdf.exe	PaymentAdvice.pdf.exe

C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JmsefBvjC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JmsefBvjC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9FD6.tmp"
2⤵
- Creates scheduled task(s)
PID:3948

C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.pdf.exe"
2⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.pdf.exe"
2⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.pdf.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PaymentAdvice.pdf.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9FD6.tmp
MD5
8fe897d09254a8b2d399b97e8732ba1e

SHA1
d6b1ec228843089e35bea29ba149b374bcd93b7c

SHA256
aa523be45b46d0368eb495fa685c4e98e569dffff04bbbd7aca810d386504339

SHA512
7e9a02157bc4dc9aae8d33e3a654152ac92c1eb96b78875cede3cacc4ac3e982fca6b16211fd05ec606f218fe6bc58aa36b09071ca582efd68df78f766a8f32d

Download Submit
memory/1344-232-0x0000000007260000-0x00000000072C0000-memory.dmp

Filesize
384KB

Download
memory/1344-231-0x00000000070D0000-0x0000000007160000-memory.dmp

Filesize
576KB

Download
memory/1344-138-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/1344-226-0x0000000006A90000-0x0000000006B0E000-memory.dmp

Filesize
504KB

Download
memory/1344-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1344-227-0x0000000006C10000-0x0000000006C2E000-memory.dmp

Filesize
120KB

Download
memory/1344-230-0x0000000006C80000-0x0000000006C8A000-memory.dmp

Filesize
40KB

Download
memory/2188-121-0x000000000A370000-0x000000000A40C000-memory.dmp

Filesize
624KB

Download
memory/2188-115-0x0000000000DF0000-0x0000000000E6A000-memory.dmp

Filesize
488KB

Download
memory/2188-122-0x000000000A500000-0x000000000A538000-memory.dmp

Filesize
224KB

Download
memory/2188-117-0x0000000007CB0000-0x0000000007D42000-memory.dmp

Filesize
584KB

Download
memory/2188-118-0x0000000007BF0000-0x00000000080EE000-memory.dmp

Filesize
5.0MB

Download
memory/2188-116-0x00000000080F0000-0x00000000085EE000-memory.dmp

Filesize
5.0MB

Download
memory/2188-120-0x000000000A180000-0x000000000A194000-memory.dmp

Filesize
80KB

Download
memory/2188-119-0x0000000007D60000-0x0000000007D6A000-memory.dmp

Filesize
40KB

Download
memory/4088-135-0x00000000077F0000-0x0000000007B40000-memory.dmp

Filesize
3.3MB

Download
memory/4088-155-0x0000000009060000-0x0000000009105000-memory.dmp

Filesize
660KB

Download
memory/4088-136-0x0000000006E50000-0x0000000006E6C000-memory.dmp

Filesize
112KB

Download
memory/4088-137-0x0000000008000000-0x000000000804B000-memory.dmp

Filesize
300KB

Download
memory/4088-133-0x0000000006DD0000-0x0000000006E36000-memory.dmp

Filesize
408KB

Download
memory/4088-139-0x0000000007DB0000-0x0000000007E26000-memory.dmp

Filesize
472KB

Download
memory/4088-148-0x0000000008F20000-0x0000000008F53000-memory.dmp

Filesize
204KB

Download
memory/4088-149-0x0000000008F00000-0x0000000008F1E000-memory.dmp

Filesize
120KB

Download
memory/4088-154-0x000000007E680000-0x000000007E681000-memory.dmp

Filesize
4KB

Download
memory/4088-134-0x0000000006EB0000-0x0000000006F16000-memory.dmp

Filesize
408KB

Download
memory/4088-156-0x0000000000FD3000-0x0000000000FD4000-memory.dmp

Filesize
4KB

Download
memory/4088-157-0x0000000009240000-0x00000000092D4000-memory.dmp

Filesize
592KB

Download
memory/4088-132-0x0000000006D30000-0x0000000006D52000-memory.dmp

Filesize
136KB

Download
memory/4088-128-0x0000000000FD2000-0x0000000000FD3000-memory.dmp

Filesize
4KB

Download
memory/4088-127-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/4088-126-0x0000000006F90000-0x00000000075B8000-memory.dmp

Filesize
6.2MB

Download
memory/4088-125-0x0000000000E80000-0x0000000000EB6000-memory.dmp

Filesize
216KB

Download
memory/4088-355-0x0000000009140000-0x000000000915A000-memory.dmp

Filesize
104KB

Download
memory/4088-360-0x0000000009130000-0x0000000009138000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads