asyncrat | 880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9

General

Target

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
Size

903KB
MD5

8e68370433ab06b8e88bdf181e8a3145
SHA1

c77534b6c2e810dfd3e04d483cf67aa130884df9
SHA256

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9
SHA512

50da06632b350a59a5aa34e6870f954f320895f2202e4f0abfb0b6e9ffe347456fac173791f84f419608298798228ba35433a5e2883b13fff2f1055d86cc3bff

Score

10^/10

asyncrat agilenet rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

peacelist.ignorelist.com:7707

peacelist.ignorelist.com:8808

peacelist.ignorelist.com:5505

Mutex

FTPgbnffd

Attributes

anti_vm
false
bsod
false
delay
10
install
true
install_file
shost.exe
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1252-59-0x0000000000080000-0x00000000000D6000-memory.dmp	asyncrat
behavioral1/memory/1252-60-0x0000000000080000-0x00000000000D6000-memory.dmp	asyncrat
behavioral1/memory/1252-63-0x0000000000080000-0x00000000000D6000-memory.dmp	asyncrat
behavioral1/memory/1252-66-0x0000000000080000-0x00000000000D6000-memory.dmp	asyncrat
behavioral1/memory/1252-69-0x0000000000080000-0x00000000000D6000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

shost.exe

pid process

1772 shost.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1776 cmd.exe

pid	process
1772	shost.exe

pid	process
1776	cmd.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1212-55-0x0000000000560000-0x0000000000578000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe

description	pid	process	target process
PID 1212 set thread context of 1252	1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

992 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1068 timeout.exe

pid	process
992	schtasks.exe

pid	process
1068	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exeshost.exe

pid	process
1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
1252	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
1252	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
1772	shost.exe
1772	shost.exe
1772	shost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exeshost.exe

description	pid	process
Token: SeDebugPrivilege	1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
Token: SeDebugPrivilege	1252	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
Token: SeDebugPrivilege	1772	shost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.execmd.exeshost.exe

description	pid	process	target process
PID 1212 wrote to memory of 1252	1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 1212 wrote to memory of 1252	1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 1212 wrote to memory of 1252	1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 1212 wrote to memory of 1252	1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 1212 wrote to memory of 1252	1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 1212 wrote to memory of 1252	1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 1212 wrote to memory of 1252	1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 1212 wrote to memory of 1252	1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 1212 wrote to memory of 1252	1212	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
PID 1252 wrote to memory of 992	1252	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	schtasks.exe
PID 1252 wrote to memory of 992	1252	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	schtasks.exe
PID 1252 wrote to memory of 992	1252	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	schtasks.exe
PID 1252 wrote to memory of 992	1252	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	schtasks.exe
PID 1252 wrote to memory of 1776	1252	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	cmd.exe
PID 1252 wrote to memory of 1776	1252	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	cmd.exe
PID 1252 wrote to memory of 1776	1252	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	cmd.exe
PID 1252 wrote to memory of 1776	1252	880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe	cmd.exe
PID 1776 wrote to memory of 1068	1776	cmd.exe	timeout.exe
PID 1776 wrote to memory of 1068	1776	cmd.exe	timeout.exe
PID 1776 wrote to memory of 1068	1776	cmd.exe	timeout.exe
PID 1776 wrote to memory of 1068	1776	cmd.exe	timeout.exe
PID 1776 wrote to memory of 1772	1776	cmd.exe	shost.exe
PID 1776 wrote to memory of 1772	1776	cmd.exe	shost.exe
PID 1776 wrote to memory of 1772	1776	cmd.exe	shost.exe
PID 1776 wrote to memory of 1772	1776	cmd.exe	shost.exe
PID 1772 wrote to memory of 2024	1772	shost.exe	shost.exe
PID 1772 wrote to memory of 2024	1772	shost.exe	shost.exe
PID 1772 wrote to memory of 2024	1772	shost.exe	shost.exe
PID 1772 wrote to memory of 2024	1772	shost.exe	shost.exe
PID 1772 wrote to memory of 2024	1772	shost.exe	shost.exe
PID 1772 wrote to memory of 2024	1772	shost.exe	shost.exe
PID 1772 wrote to memory of 2024	1772	shost.exe	shost.exe
PID 1772 wrote to memory of 2024	1772	shost.exe	shost.exe
PID 1772 wrote to memory of 2024	1772	shost.exe	shost.exe

C:\Users\Admin\AppData\Local\Temp\880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
"C:\Users\Admin\AppData\Local\Temp\880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe
"C:\Users\Admin\AppData\Local\Temp\880b48dd4db9c59c37e8ba48f11b7aabc0990413f3808fa19df9c913e6831ec9.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'shost"' /tr "'C:\Users\Admin\AppData\Roaming\shost.exe"'
3⤵
- Creates scheduled task(s)
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A06.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1068

C:\Users\Admin\AppData\Roaming\shost.exe
"C:\Users\Admin\AppData\Roaming\shost.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Roaming\shost.exe
"C:\Users\Admin\AppData\Roaming\shost.exe"
5⤵
PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1A06.tmp.bat
MD5
1b6465bab5fbd1571e6bbb012ddecba8

SHA1
d71955b06c769995e603e9cbad004cff37b07ff5

SHA256
a04296ff38317bc7d8a05ecfce66e6d41ed76b3d8178356010af0e8bf80a4674

SHA512
92aa5efe188d6b53a9e718e33a7c006cbeb2c2602e378fd451a65918f36858481c063bdb56700d2f9bf3db9700fb7f9f3967df910dea65ca6881317c72a2fa3a

Download Submit
C:\Users\Admin\AppData\Roaming\shost.exe
MD5
e36babbbc563265be1bcf4fa0d835058

SHA1
5554b6eb0b1c36de413fcc9b83545b2cc3683c71

SHA256
19ca243641961fe69362f94143fc4acdd29ddf6e0b10e7375b9ab796e07e281b

SHA512
5564d622ff1964e2bd4f26563c151f434711250197c33fe2a7e86c515b9c301102c088681ee912ad5b761f16c4dd65220d747558a916a530a98b76e1072b9e2c

Download Submit
C:\Users\Admin\AppData\Roaming\shost.exe
MD5
e36babbbc563265be1bcf4fa0d835058

SHA1
5554b6eb0b1c36de413fcc9b83545b2cc3683c71

SHA256
19ca243641961fe69362f94143fc4acdd29ddf6e0b10e7375b9ab796e07e281b

SHA512
5564d622ff1964e2bd4f26563c151f434711250197c33fe2a7e86c515b9c301102c088681ee912ad5b761f16c4dd65220d747558a916a530a98b76e1072b9e2c

Download Submit
\Users\Admin\AppData\Roaming\shost.exe
MD5
e36babbbc563265be1bcf4fa0d835058

SHA1
5554b6eb0b1c36de413fcc9b83545b2cc3683c71

SHA256
19ca243641961fe69362f94143fc4acdd29ddf6e0b10e7375b9ab796e07e281b

SHA512
5564d622ff1964e2bd4f26563c151f434711250197c33fe2a7e86c515b9c301102c088681ee912ad5b761f16c4dd65220d747558a916a530a98b76e1072b9e2c

Download Submit
memory/1212-55-0x0000000000560000-0x0000000000578000-memory.dmp

Filesize
96KB

Download
memory/1212-56-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1212-54-0x0000000000360000-0x0000000000448000-memory.dmp

Filesize
928KB

Download
memory/1252-58-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1252-66-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1252-69-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1252-70-0x0000000076C91000-0x0000000076C93000-memory.dmp

Filesize
8KB

Download
memory/1252-63-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1252-60-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1252-59-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1252-57-0x0000000000080000-0x00000000000D6000-memory.dmp

Filesize
344KB

Download
memory/1772-75-0x0000000000850000-0x0000000000938000-memory.dmp

Filesize
928KB

Download
memory/1772-76-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads