asyncrat | 1bf55c75f582331db0b200e69ea81ec708abdc47ebcd1e7308fcff046dec46fd

General

Target

AWB#5305323204641,pdf.exe
Size

233KB
MD5

88e05a7f3b27e3aed5d577949c867917
SHA1

180a4cabbb5ea319ff1210f5686c7779d0dd58c7
SHA256

f3b33a885af940210f10df7e1c96dc388161961dcb52b6d84c3b7458d20ce116
SHA512

3d42bc7888584efea5d8a0a48b6293c54405d0186f3d8a45741f4e371ee143a5d1411be8f69dbe5aa5957b8dbad921100872206408a431849de4c826db875bbe

Score

10^/10

asyncrat may11thup coreentity rat rezer0

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MAY11thUP

Mutex

chizzy25@!7^UP

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/HKYwiN9V

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/316-56-0x0000000000280000-0x0000000000288000-memory.dmp	coreentity

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/612-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/612-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/612-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/612-66-0x000000000040C73E-mapping.dmp	asyncrat
behavioral1/memory/612-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/612-70-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/316-57-0x0000000000650000-0x0000000000668000-memory.dmp	rezer0

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

AWB#5305323204641,pdf.exe

description pid process target process

PID 316 set thread context of 612 316 AWB#5305323204641,pdf.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

892 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 612 MSBuild.exe

description	pid	process	target process
PID 316 set thread context of 612	316	AWB#5305323204641,pdf.exe	MSBuild.exe

pid	process
892	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	612	MSBuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

AWB#5305323204641,pdf.exe

description	pid	process	target process
PID 316 wrote to memory of 892	316	AWB#5305323204641,pdf.exe	schtasks.exe
PID 316 wrote to memory of 892	316	AWB#5305323204641,pdf.exe	schtasks.exe
PID 316 wrote to memory of 892	316	AWB#5305323204641,pdf.exe	schtasks.exe
PID 316 wrote to memory of 892	316	AWB#5305323204641,pdf.exe	schtasks.exe
PID 316 wrote to memory of 612	316	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 316 wrote to memory of 612	316	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 316 wrote to memory of 612	316	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 316 wrote to memory of 612	316	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 316 wrote to memory of 612	316	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 316 wrote to memory of 612	316	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 316 wrote to memory of 612	316	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 316 wrote to memory of 612	316	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 316 wrote to memory of 612	316	AWB#5305323204641,pdf.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\AWB#5305323204641,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\AWB#5305323204641,pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aDOhVHp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEF8.tmp"
2⤵
- Creates scheduled task(s)
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFEF8.tmp
Filesize
1KB

MD5
63b28dfbb68dc02379d03880b379daf0

SHA1
6ad3b824907ed37546e731523a0b753a4c896cd5

SHA256
7b88e8b0e0f14c75055e97bc3691c74507077b93530f676f5770cc5a3f5a93a0

SHA512
a0a8604aad025b48ccae5aeffb4cf0d64410853a8d3b574c8eb42cb2f60e183f9fee6d1af5391f790f026f39ffe5bc948828e6f0b17cbad8fa52a8aecdcff216

Download Submit
memory/316-55-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download
memory/316-56-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/316-57-0x0000000000650000-0x0000000000668000-memory.dmp

Filesize
96KB

Download
memory/316-54-0x00000000001E0000-0x0000000000220000-memory.dmp

Filesize
256KB

Download
memory/612-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/612-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/612-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/612-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/612-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/612-66-0x000000000040C73E-mapping.dmp

Download
memory/612-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/612-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/892-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads