asyncrat | 7867c54c88c7ff0ae6687c0f6ab6c903e1b42ac9aaa17744c85da6f9a824d5f9

General

Target

Summer_richiesta_di_preventivo_070820.exe
Size

248KB
MD5

5cc4ae3ea66ca80fa701b8e1ff5b8793
SHA1

148d80f999f069a5fd027eabfc9eae7d08f8e39b
SHA256

427254247932e569d3f40be5ce149266b0a87ed13756ab558818dae5dcabb44a
SHA512

18416940b4983137e22cc52a473cd73217307981b0ce7705180e5cd5c3e60ba8b17d2fddf1f0547668c6b1c385e6e01ad6bfc1fd4836dd41e2941b21bd2a7706

Score

10^/10

asyncrat god's mercy rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

GOD'S MERCY

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/reQxa5Ah

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5100-141-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Summer_richiesta_di_preventivo_070820.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Summer_richiesta_di_preventivo_070820.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Summer_richiesta_di_preventivo_070820.exe

description pid process target process

PID 4164 set thread context of 5100 4164 Summer_richiesta_di_preventivo_070820.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4136 schtasks.exe

description	pid	process	target process
PID 4164 set thread context of 5100	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe

pid	process
4136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Summer_richiesta_di_preventivo_070820.exe

pid	process
4164	Summer_richiesta_di_preventivo_070820.exe
4164	Summer_richiesta_di_preventivo_070820.exe
4164	Summer_richiesta_di_preventivo_070820.exe
4164	Summer_richiesta_di_preventivo_070820.exe
4164	Summer_richiesta_di_preventivo_070820.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Summer_richiesta_di_preventivo_070820.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 4164 Summer_richiesta_di_preventivo_070820.exe
Token: SeDebugPrivilege 5100 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4164	Summer_richiesta_di_preventivo_070820.exe
Token: SeDebugPrivilege	5100	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Summer_richiesta_di_preventivo_070820.exe

description	pid	process	target process
PID 4164 wrote to memory of 4136	4164	Summer_richiesta_di_preventivo_070820.exe	schtasks.exe
PID 4164 wrote to memory of 4136	4164	Summer_richiesta_di_preventivo_070820.exe	schtasks.exe
PID 4164 wrote to memory of 4136	4164	Summer_richiesta_di_preventivo_070820.exe	schtasks.exe
PID 4164 wrote to memory of 4060	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 4060	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 4060	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 2136	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 2136	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 2136	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 5100	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 5100	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 5100	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 5100	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 5100	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 5100	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 5100	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe
PID 4164 wrote to memory of 5100	4164	Summer_richiesta_di_preventivo_070820.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\Summer_richiesta_di_preventivo_070820.exe
"C:\Users\Admin\AppData\Local\Temp\Summer_richiesta_di_preventivo_070820.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TJDZgUtGKUBaeo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE0DA.tmp"
2⤵
- Creates scheduled task(s)
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:4060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE0DA.tmp
Filesize
1KB

MD5
341bc9f8e065dfaebafe50e02e5a0ad3

SHA1
e911d97d66d84bd2b079a4b3ceb9e02d5381dca2

SHA256
7f08efa7ee5f0e419f5d64b67850a7827f2a5d0e484d5395e74394f3fa1d33d7

SHA512
81956489ab421edb2311c363d2b857d4c33913490c395ae113c4b37d2e3a80f102113175f72b7c24fa6454d8535879d8d601c33b7eeca643e1bb40b325fe1882

Download Submit
memory/2136-139-0x0000000000000000-mapping.dmp

Download
memory/4060-138-0x0000000000000000-mapping.dmp

Download
memory/4136-136-0x0000000000000000-mapping.dmp

Download
memory/4164-130-0x00000000006D0000-0x0000000000712000-memory.dmp

Filesize
264KB

Download
memory/4164-131-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/4164-132-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/4164-133-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/4164-134-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/4164-135-0x0000000005370000-0x00000000053C6000-memory.dmp

Filesize
344KB

Download
memory/5100-140-0x0000000000000000-mapping.dmp

Download
memory/5100-141-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads