asyncrat | f927fc3dee7de6daefed3b155907078344fbfec8bd3d63ed96013c2c9ae1e78e

General

Target

Erodo.exe
Size

342KB
MD5

0d0d64eecf0771dfc73ea6674802c256
SHA1

a9eb93937399030d52ce1641794b0fab1c398724
SHA256

f927fc3dee7de6daefed3b155907078344fbfec8bd3d63ed96013c2c9ae1e78e
SHA512

d424f4ad1298e483d7707d8e8feb5a9bd836830923b487c574b0d1e8cccf3840182e35765220c464e3310caed7c409594af1c2a604302f90d631664ff0765cd1

Score

10^/10

asyncrat 2 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

2

C2

212.193.30.54:9524

Mutex

wyQ92!.,=FT72few

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4568-144-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Erodo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vmixtnq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Bdwbnqqn\\Vmixtnq.exe\""	Erodo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 944 set thread context of 4568	944	Erodo.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3068	timeout.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1424	powershell.exe
1424	powershell.exe
944	Erodo.exe
944	Erodo.exe
944	Erodo.exe
944	Erodo.exe
944	Erodo.exe
944	Erodo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	944	Erodo.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 1424	944	Erodo.exe	79
PID 944 wrote to memory of 1424	944	Erodo.exe	79
PID 944 wrote to memory of 1424	944	Erodo.exe	79
PID 1424 wrote to memory of 2676	1424	powershell.exe	81
PID 1424 wrote to memory of 2676	1424	powershell.exe	81
PID 1424 wrote to memory of 2676	1424	powershell.exe	81
PID 2676 wrote to memory of 3068	2676	cmd.exe	82
PID 2676 wrote to memory of 3068	2676	cmd.exe	82
PID 2676 wrote to memory of 3068	2676	cmd.exe	82
PID 944 wrote to memory of 644	944	Erodo.exe	93
PID 944 wrote to memory of 644	944	Erodo.exe	93
PID 944 wrote to memory of 644	944	Erodo.exe	93
PID 944 wrote to memory of 4568	944	Erodo.exe	94
PID 944 wrote to memory of 4568	944	Erodo.exe	94
PID 944 wrote to memory of 4568	944	Erodo.exe	94
PID 944 wrote to memory of 4568	944	Erodo.exe	94
PID 944 wrote to memory of 4568	944	Erodo.exe	94
PID 944 wrote to memory of 4568	944	Erodo.exe	94
PID 944 wrote to memory of 4568	944	Erodo.exe	94
PID 944 wrote to memory of 4568	944	Erodo.exe	94

C:\Users\Admin\AppData\Local\Temp\Erodo.exe
"C:\Users\Admin\AppData\Local\Temp\Erodo.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc YwBtAGQAIAAvAGMAIAB0AGkAbQBlAG8AdQB0ACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout 20
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 20
      4⤵
      Delays execution with timeout.exe
      PID:3068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:4568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/944-130-0x0000000000630000-0x000000000068C000-memory.dmp

Filesize
368KB

Download
memory/944-141-0x0000000005A30000-0x0000000005AC2000-memory.dmp

Filesize
584KB

Download
memory/944-140-0x0000000005F30000-0x00000000064D4000-memory.dmp

Filesize
5.6MB

Download
memory/1424-136-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/1424-135-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/1424-134-0x0000000005900000-0x0000000005922000-memory.dmp

Filesize
136KB

Download
memory/1424-137-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/1424-133-0x00000000059A0000-0x0000000005FC8000-memory.dmp

Filesize
6.2MB

Download
memory/1424-132-0x0000000005330000-0x0000000005366000-memory.dmp

Filesize
216KB

Download
memory/4568-144-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing