asyncrat | 58f504cc1df08a7184980c8b795e0fb96994d9c396e6e5f957f627ab044b4c16

General

Target

swift message.exe
Size

324KB
MD5

93859a46557699b2689840de0df68318
SHA1

2f8c20dfc3fa635c5a4c88b4edee85c18b08a94d
SHA256

d2795ed096e7331d84947a9ba6a1c3fae5203b50f5a3563bda0382ab84e1c8bb
SHA512

bf1b3bcc1564e1c22095926f8eb9848ad740685d4744af56e1fe0487f52a20ff64a9732ff1933cafddf86959db56f34034b6e1d0bc85088b3a259be64ed79ec5

Score

10^/10

asyncrat forwork coreentity evasion rat rezer0

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Forwork

C2

sack517.ddns.net:6565

sack517.duckdns.org:6565

Mutex

AsyncMutex_dgh6775Pxz

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/736-57-0x0000000000480000-0x0000000000488000-memory.dmp	coreentity

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1256-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1256-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1256-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1256-67-0x000000000040C75E-mapping.dmp	asyncrat
behavioral1/memory/1256-69-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1256-71-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

CoreCCC Packer 1 IoCs

Detects CoreCCC packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/736-54-0x0000000000980000-0x00000000009D6000-memory.dmp	coreccc

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/736-58-0x0000000000510000-0x0000000000528000-memory.dmp	rezer0

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

swift message.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	swift message.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	swift message.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

swift message.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	swift message.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	swift message.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

swift message.exe

description pid process target process

PID 736 set thread context of 1256 736 swift message.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1992 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1256 MSBuild.exe

description	pid	process	target process
PID 736 set thread context of 1256	736	swift message.exe	MSBuild.exe

pid	process
1992	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1256	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

swift message.exe

description	pid	process	target process
PID 736 wrote to memory of 1992	736	swift message.exe	schtasks.exe
PID 736 wrote to memory of 1992	736	swift message.exe	schtasks.exe
PID 736 wrote to memory of 1992	736	swift message.exe	schtasks.exe
PID 736 wrote to memory of 1992	736	swift message.exe	schtasks.exe
PID 736 wrote to memory of 1256	736	swift message.exe	MSBuild.exe
PID 736 wrote to memory of 1256	736	swift message.exe	MSBuild.exe
PID 736 wrote to memory of 1256	736	swift message.exe	MSBuild.exe
PID 736 wrote to memory of 1256	736	swift message.exe	MSBuild.exe
PID 736 wrote to memory of 1256	736	swift message.exe	MSBuild.exe
PID 736 wrote to memory of 1256	736	swift message.exe	MSBuild.exe
PID 736 wrote to memory of 1256	736	swift message.exe	MSBuild.exe
PID 736 wrote to memory of 1256	736	swift message.exe	MSBuild.exe
PID 736 wrote to memory of 1256	736	swift message.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\swift message.exe
"C:\Users\Admin\AppData\Local\Temp\swift message.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jpvofbpTWi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED0.tmp"
2⤵
- Creates scheduled task(s)
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpED0.tmp
Filesize
1KB

MD5
40152de67c67eeeb9ec539b1bda41c70

SHA1
45d9d0635358644f212060e020363054acaf4a45

SHA256
f8232a024f88d14013fe408e8f91cc5afe7ffdb9ffcd230b296de3cf11c3abc0

SHA512
d4bbcbc5ab0c66d8c030ba968d3aa9ee9072a84a5803dc056069d1b51f37978d291e78ea40f772590c8725f0680685e4cad6649627d8febdc7f7ce0668fe5c07

Download Submit
memory/736-57-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/736-55-0x0000000000280000-0x000000000029C000-memory.dmp

Filesize
112KB

Download
memory/736-54-0x0000000000980000-0x00000000009D6000-memory.dmp

Filesize
344KB

Download
memory/736-58-0x0000000000510000-0x0000000000528000-memory.dmp

Filesize
96KB

Download
memory/736-56-0x0000000076851000-0x0000000076853000-memory.dmp

Filesize
8KB

Download
memory/1256-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1256-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1256-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1256-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1256-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1256-67-0x000000000040C75E-mapping.dmp

Download
memory/1256-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1256-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1992-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads