asyncrat | 51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228

Analysis

max time kernel
125s
max time network
46s
platform
windows7_x64
resource
win7-20220331-en
submitted
14-04-2022 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe
Size

411KB
MD5

d879fac9c6581b1c2760b883402cc494
SHA1

0769ec09dad81a27a50589563eba1b0c3b236335
SHA256

51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228
SHA512

3407f8f23ff8afd486a218284bfa4cb84edc2109aead0c6cce424df7cae36c6012b1f96088dc044065451d1f2926b0fea3bec39e5a04cbebd8e55fdb9bacc615

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

213.226.119.28:6606

213.226.119.28:7707

213.226.119.28:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1924-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1924-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1924-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1924-65-0x000000000040C72E-mapping.dmp	asyncrat
behavioral1/memory/1924-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1924-69-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1160	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1512	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 328 set thread context of 1924	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1820	schtasks.exe
2044	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1708	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe
1924	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe
Token: SeDebugPrivilege	1924	MSBuild.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2044	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	28
PID 328 wrote to memory of 2044	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	28
PID 328 wrote to memory of 2044	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	28
PID 328 wrote to memory of 2044	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	28
PID 328 wrote to memory of 1924	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	30
PID 328 wrote to memory of 1924	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	30
PID 328 wrote to memory of 1924	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	30
PID 328 wrote to memory of 1924	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	30
PID 328 wrote to memory of 1924	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	30
PID 328 wrote to memory of 1924	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	30
PID 328 wrote to memory of 1924	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	30
PID 328 wrote to memory of 1924	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	30
PID 328 wrote to memory of 1924	328	51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe	30
PID 1924 wrote to memory of 1080	1924	MSBuild.exe	31
PID 1924 wrote to memory of 1080	1924	MSBuild.exe	31
PID 1924 wrote to memory of 1080	1924	MSBuild.exe	31
PID 1924 wrote to memory of 1080	1924	MSBuild.exe	31
PID 1924 wrote to memory of 1512	1924	MSBuild.exe	34
PID 1924 wrote to memory of 1512	1924	MSBuild.exe	34
PID 1924 wrote to memory of 1512	1924	MSBuild.exe	34
PID 1924 wrote to memory of 1512	1924	MSBuild.exe	34
PID 1080 wrote to memory of 1820	1080	cmd.exe	35
PID 1080 wrote to memory of 1820	1080	cmd.exe	35
PID 1080 wrote to memory of 1820	1080	cmd.exe	35
PID 1080 wrote to memory of 1820	1080	cmd.exe	35
PID 1512 wrote to memory of 1708	1512	cmd.exe	36
PID 1512 wrote to memory of 1708	1512	cmd.exe	36
PID 1512 wrote to memory of 1708	1512	cmd.exe	36
PID 1512 wrote to memory of 1708	1512	cmd.exe	36
PID 1512 wrote to memory of 1160	1512	cmd.exe	37
PID 1512 wrote to memory of 1160	1512	cmd.exe	37
PID 1512 wrote to memory of 1160	1512	cmd.exe	37
PID 1512 wrote to memory of 1160	1512	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe
"C:\Users\Admin\AppData\Local\Temp\51e4092cc2b507c07cc5b5dd34ac507ef02302fd2b3ad60912d9719a46ec7228.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jLkXBYtNmvdDpa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp42BC.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB359.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1708
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp42BC.tmp

Filesize
1KB

MD5
2298d77ae955acea2baef665eb8c634b

SHA1
37858578de2cf7529dc0c22a4c77819cbb714462

SHA256
ef7062a815ac03ead899f61f49da6834aadff6b5d0e2ac486c05f7d90c79235c

SHA512
7efd963859738679fc4b4b0046bd02ed99ae0165eb7884f4af13b2983bcadb841bf3a64c3531d0b9841abef9865023f1c454bf6aec7635c0e81629cf64f9f74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB359.tmp.bat

Filesize
151B

MD5
6233153f1213fcaa768c83138e3b2aa8

SHA1
836ef055f6bb45f43f102b27cccf6ef18969c6d9

SHA256
f2e942e6ee9f956a2404e0323050b54b094c56e694d5777e30eae58da9a09be1

SHA512
4909a260ad421fc361cb74e93711b590e05a35cb96c8182160c6d1577e3be15987539c376b7ff00e3890ef1d41c545753ccb818c74c9a2d6cb992d4879e27e1e

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/328-54-0x0000000000E60000-0x0000000000ECC000-memory.dmp

Filesize
432KB

Download
memory/328-56-0x00000000009A0000-0x00000000009DC000-memory.dmp

Filesize
240KB

Download
memory/328-55-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/1160-80-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1924-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1924-70-0x0000000075B01000-0x0000000075B03000-memory.dmp

Filesize
8KB

Download
memory/1924-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1924-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1924-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1924-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1924-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1924-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download