asyncrat | 1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e

General

Target

more.exe
Size

299KB
MD5

8594d64e02a9dd1fb5ab412e246fe599
SHA1

d63784f4e964151b3b4e41bb5ed0c6597b56762f
SHA256

1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e
SHA512

852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

91.193.75.132:9191

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
images.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1156-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1156-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1156-69-0x000000000040D06E-mapping.dmp	asyncrat
behavioral1/memory/1156-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1156-71-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1156-73-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1628-97-0x000000000040D06E-mapping.dmp	asyncrat
behavioral1/memory/1628-100-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1628-102-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

images.exeimages.exe

pid process

1180 images.exe
1628 images.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1944 cmd.exe

pid	process
1180	images.exe
1628	images.exe

pid	process
1944	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

more.exeimages.exe

description	pid	process	target process
PID 1528 set thread context of 1156	1528	more.exe	more.exe
PID 1180 set thread context of 1628	1180	images.exe	images.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

468 schtasks.exe
1756 schtasks.exe
1748 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1072 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exemore.exepowershell.exe

pid process

1112 powershell.exe
1156 more.exe
1336 powershell.exe

pid	process
468	schtasks.exe
1756	schtasks.exe
1748	schtasks.exe

pid	process
1072	timeout.exe

pid	process
1112	powershell.exe
1156	more.exe
1336	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exemore.exepowershell.exeimages.exe

description	pid	process
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1156	more.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1628	images.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

more.exemore.execmd.execmd.exeimages.exe

description	pid	process	target process
PID 1528 wrote to memory of 1112	1528	more.exe	powershell.exe
PID 1528 wrote to memory of 1112	1528	more.exe	powershell.exe
PID 1528 wrote to memory of 1112	1528	more.exe	powershell.exe
PID 1528 wrote to memory of 1112	1528	more.exe	powershell.exe
PID 1528 wrote to memory of 1756	1528	more.exe	schtasks.exe
PID 1528 wrote to memory of 1756	1528	more.exe	schtasks.exe
PID 1528 wrote to memory of 1756	1528	more.exe	schtasks.exe
PID 1528 wrote to memory of 1756	1528	more.exe	schtasks.exe
PID 1528 wrote to memory of 1156	1528	more.exe	more.exe
PID 1528 wrote to memory of 1156	1528	more.exe	more.exe
PID 1528 wrote to memory of 1156	1528	more.exe	more.exe
PID 1528 wrote to memory of 1156	1528	more.exe	more.exe
PID 1528 wrote to memory of 1156	1528	more.exe	more.exe
PID 1528 wrote to memory of 1156	1528	more.exe	more.exe
PID 1528 wrote to memory of 1156	1528	more.exe	more.exe
PID 1528 wrote to memory of 1156	1528	more.exe	more.exe
PID 1528 wrote to memory of 1156	1528	more.exe	more.exe
PID 1156 wrote to memory of 568	1156	more.exe	cmd.exe
PID 1156 wrote to memory of 568	1156	more.exe	cmd.exe
PID 1156 wrote to memory of 568	1156	more.exe	cmd.exe
PID 1156 wrote to memory of 568	1156	more.exe	cmd.exe
PID 1156 wrote to memory of 1944	1156	more.exe	cmd.exe
PID 1156 wrote to memory of 1944	1156	more.exe	cmd.exe
PID 1156 wrote to memory of 1944	1156	more.exe	cmd.exe
PID 1156 wrote to memory of 1944	1156	more.exe	cmd.exe
PID 568 wrote to memory of 1748	568	cmd.exe	schtasks.exe
PID 568 wrote to memory of 1748	568	cmd.exe	schtasks.exe
PID 568 wrote to memory of 1748	568	cmd.exe	schtasks.exe
PID 568 wrote to memory of 1748	568	cmd.exe	schtasks.exe
PID 1944 wrote to memory of 1072	1944	cmd.exe	timeout.exe
PID 1944 wrote to memory of 1072	1944	cmd.exe	timeout.exe
PID 1944 wrote to memory of 1072	1944	cmd.exe	timeout.exe
PID 1944 wrote to memory of 1072	1944	cmd.exe	timeout.exe
PID 1944 wrote to memory of 1180	1944	cmd.exe	images.exe
PID 1944 wrote to memory of 1180	1944	cmd.exe	images.exe
PID 1944 wrote to memory of 1180	1944	cmd.exe	images.exe
PID 1944 wrote to memory of 1180	1944	cmd.exe	images.exe
PID 1180 wrote to memory of 1336	1180	images.exe	powershell.exe
PID 1180 wrote to memory of 1336	1180	images.exe	powershell.exe
PID 1180 wrote to memory of 1336	1180	images.exe	powershell.exe
PID 1180 wrote to memory of 1336	1180	images.exe	powershell.exe
PID 1180 wrote to memory of 468	1180	images.exe	schtasks.exe
PID 1180 wrote to memory of 468	1180	images.exe	schtasks.exe
PID 1180 wrote to memory of 468	1180	images.exe	schtasks.exe
PID 1180 wrote to memory of 468	1180	images.exe	schtasks.exe
PID 1180 wrote to memory of 1628	1180	images.exe	images.exe
PID 1180 wrote to memory of 1628	1180	images.exe	images.exe
PID 1180 wrote to memory of 1628	1180	images.exe	images.exe
PID 1180 wrote to memory of 1628	1180	images.exe	images.exe
PID 1180 wrote to memory of 1628	1180	images.exe	images.exe
PID 1180 wrote to memory of 1628	1180	images.exe	images.exe
PID 1180 wrote to memory of 1628	1180	images.exe	images.exe
PID 1180 wrote to memory of 1628	1180	images.exe	images.exe
PID 1180 wrote to memory of 1628	1180	images.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\more.exe
"C:\Users\Admin\AppData\Local\Temp\more.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7D8A.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\more.exe
  "C:\Users\Admin\AppData\Local\Temp\more.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5BC.tmp.bat""
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1072
  - - C:\Users\Admin\AppData\Roaming\images.exe
      "C:\Users\Admin\AppData\Roaming\images.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB3C6.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:468
    - - C:\Users\Admin\AppData\Roaming\images.exe
        
        "C:\Users\Admin\AppData\Roaming\images.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5BC.tmp.bat

Filesize
149B

MD5
c80587abd13d4ad1453418ec21c23f67

SHA1
08e35c12babc33569962b6ec548738dfd92b8462

SHA256
b2e5a51b5e510e036671c0ac8a4cf3e147bc1f30eea69bdb09a7aa896c539516

SHA512
30ecf2c04a1655eff0f2c7a0cc6559118e85035f9b7b4f3ad7d869c74d6a21a3648dcba7c2a56cafedc6266d3e8298569f82c882ff80e48be03dad16f8da73d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D8A.tmp

Filesize
1KB

MD5
2669be7e607f820e90735ae20be9262d

SHA1
ed801f9a76cea8a89f6299a151ea7046035137fc

SHA256
f64f3b74f2a60ab40f4d1040a99fd305f8006fc38ee5841357f0565536974b4e

SHA512
2ed471e910ebf36581ee874bfebc3ee51d61fb56d82557fb32828724df3f2510b622ede6fe0644203488c25f662d88d4a1993f8af2fe48ed76a3aacf3e266015

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB3C6.tmp

Filesize
1KB

MD5
2669be7e607f820e90735ae20be9262d

SHA1
ed801f9a76cea8a89f6299a151ea7046035137fc

SHA256
f64f3b74f2a60ab40f4d1040a99fd305f8006fc38ee5841357f0565536974b4e

SHA512
2ed471e910ebf36581ee874bfebc3ee51d61fb56d82557fb32828724df3f2510b622ede6fe0644203488c25f662d88d4a1993f8af2fe48ed76a3aacf3e266015

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b6bc9e61a819845caba3c4ef6964b6b8

SHA1
d1c0fc00dda0a03e95c5b15f37d95e24fa919e7f

SHA256
34a1af51d6a3cb5cf26da90485a091e6dc18ead76c621dc2d0b8219818ec6f66

SHA512
d4ec9465fa8a3663e7f3577d083df6df078053b6fba7d251d3699d1acfe02f922cfa19e6376499ec24f789d66c52db99de95bc99fecd03eb0a06ca76972a61a8

Download Submit
C:\Users\Admin\AppData\Roaming\images.exe

Filesize
299KB

MD5
8594d64e02a9dd1fb5ab412e246fe599

SHA1
d63784f4e964151b3b4e41bb5ed0c6597b56762f

SHA256
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e

SHA512
852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e

Download Submit
C:\Users\Admin\AppData\Roaming\images.exe

Filesize
299KB

MD5
8594d64e02a9dd1fb5ab412e246fe599

SHA1
d63784f4e964151b3b4e41bb5ed0c6597b56762f

SHA256
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e

SHA512
852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e

Download Submit
C:\Users\Admin\AppData\Roaming\images.exe

Filesize
299KB

MD5
8594d64e02a9dd1fb5ab412e246fe599

SHA1
d63784f4e964151b3b4e41bb5ed0c6597b56762f

SHA256
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e

SHA512
852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e

Download Submit
\Users\Admin\AppData\Roaming\images.exe

Filesize
299KB

MD5
8594d64e02a9dd1fb5ab412e246fe599

SHA1
d63784f4e964151b3b4e41bb5ed0c6597b56762f

SHA256
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e

SHA512
852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e

Download Submit
memory/468-87-0x0000000000000000-mapping.dmp

Download
memory/568-75-0x0000000000000000-mapping.dmp

Download
memory/1072-79-0x0000000000000000-mapping.dmp

Download
memory/1112-58-0x0000000000000000-mapping.dmp

Download
memory/1112-62-0x000000006EBB0000-0x000000006F15B000-memory.dmp

Filesize
5.7MB

Download
memory/1156-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-73-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-69-0x000000000040D06E-mapping.dmp

Download
memory/1156-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1156-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1180-84-0x0000000000FC0000-0x0000000001012000-memory.dmp

Filesize
328KB

Download
memory/1180-82-0x0000000000000000-mapping.dmp

Download
memory/1336-103-0x000000006F460000-0x000000006FA0B000-memory.dmp

Filesize
5.7MB

Download
memory/1336-86-0x0000000000000000-mapping.dmp

Download
memory/1528-54-0x0000000000D30000-0x0000000000D82000-memory.dmp

Filesize
328KB

Download
memory/1528-57-0x0000000000C50000-0x0000000000C88000-memory.dmp

Filesize
224KB

Download
memory/1528-56-0x0000000000480000-0x0000000000494000-memory.dmp

Filesize
80KB

Download
memory/1528-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1628-97-0x000000000040D06E-mapping.dmp

Download
memory/1628-100-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1628-102-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1748-78-0x0000000000000000-mapping.dmp

Download
memory/1756-60-0x0000000000000000-mapping.dmp

Download
memory/1944-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads