asyncrat | bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43

General

Target

bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe
Size

309KB
MD5

5cdfcd6d591946dec15cec637f7826e6
SHA1

7959aeda9d64e19b9eeed15003c49a0c62eadf45
SHA256

bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43
SHA512

e8a3363aaaecc5902aa93b4754d24e03c86cabe4132f6aa0111c8b575fcfa5b0e1ff7127279f0808f83c01547e043efffe628207272d1d61aa8697c926ac194b

Score

10^/10

asyncrat 1 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

1

C2

212.193.30.54:8754

Mutex

gyQ12!.,=FDpsdf2_@

Attributes

anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4036-137-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\gkn = "\"C:\\Users\\Admin\\AppData\\Roaming\\gkn.exe\""	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe

description	pid	process	target process
PID 4116 set thread context of 4036	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3992 timeout.exe

pid	process
3992	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exebc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe

pid	process
3344	powershell.exe
3344	powershell.exe
3344	powershell.exe
4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe
4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exebc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe

description	pid	process
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exepowershell.execmd.exe

description	pid	process	target process
PID 4116 wrote to memory of 3344	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	powershell.exe
PID 4116 wrote to memory of 3344	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	powershell.exe
PID 4116 wrote to memory of 3344	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	powershell.exe
PID 3344 wrote to memory of 4156	3344	powershell.exe	cmd.exe
PID 3344 wrote to memory of 4156	3344	powershell.exe	cmd.exe
PID 3344 wrote to memory of 4156	3344	powershell.exe	cmd.exe
PID 4156 wrote to memory of 3992	4156	cmd.exe	timeout.exe
PID 4156 wrote to memory of 3992	4156	cmd.exe	timeout.exe
PID 4156 wrote to memory of 3992	4156	cmd.exe	timeout.exe
PID 4116 wrote to memory of 4036	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	RegAsm.exe
PID 4116 wrote to memory of 4036	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	RegAsm.exe
PID 4116 wrote to memory of 4036	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	RegAsm.exe
PID 4116 wrote to memory of 4036	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	RegAsm.exe
PID 4116 wrote to memory of 4036	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	RegAsm.exe
PID 4116 wrote to memory of 4036	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	RegAsm.exe
PID 4116 wrote to memory of 4036	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	RegAsm.exe
PID 4116 wrote to memory of 4036	4116	bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe
"C:\Users\Admin\AppData\Local\Temp\bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAzAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 23
3⤵
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\timeout.exe
timeout 23
4⤵
- Delays execution with timeout.exe
PID:3992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:4036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3344-126-0x0000000007670000-0x00000000079C0000-memory.dmp

Filesize
3.3MB

Download
memory/3344-120-0x0000000004500000-0x0000000004536000-memory.dmp

Filesize
216KB

Download
memory/3344-129-0x0000000007CF0000-0x0000000007D66000-memory.dmp

Filesize
472KB

Download
memory/3344-128-0x0000000007A00000-0x0000000007A4B000-memory.dmp

Filesize
300KB

Download
memory/3344-127-0x0000000006E30000-0x0000000006E4C000-memory.dmp

Filesize
112KB

Download
memory/3344-121-0x0000000006822000-0x0000000006823000-memory.dmp

Filesize
4KB

Download
memory/3344-122-0x0000000006E60000-0x0000000007488000-memory.dmp

Filesize
6.2MB

Download
memory/3344-123-0x0000000006B20000-0x0000000006B42000-memory.dmp

Filesize
136KB

Download
memory/3344-124-0x0000000006CC0000-0x0000000006D26000-memory.dmp

Filesize
408KB

Download
memory/3344-125-0x0000000006D30000-0x0000000006D96000-memory.dmp

Filesize
408KB

Download
memory/3344-118-0x0000000073E0E000-0x0000000073E0F000-memory.dmp

Filesize
4KB

Download
memory/3344-119-0x0000000006820000-0x0000000006821000-memory.dmp

Filesize
4KB

Download
memory/4036-137-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4036-138-0x0000000073E0E000-0x0000000073E0F000-memory.dmp

Filesize
4KB

Download
memory/4036-139-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/4116-115-0x0000000000BD0000-0x0000000000C24000-memory.dmp

Filesize
336KB

Download
memory/4116-114-0x0000000073E0E000-0x0000000073E0F000-memory.dmp

Filesize
4KB

Download
memory/4116-133-0x0000000005400000-0x0000000005440000-memory.dmp

Filesize
256KB

Download
memory/4116-134-0x0000000005450000-0x0000000005480000-memory.dmp

Filesize
192KB

Download
memory/4116-135-0x0000000005EB0000-0x0000000005EFC000-memory.dmp

Filesize
304KB

Download
memory/4116-136-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads