asyncrat | 1bf55c75f582331db0b200e69ea81ec708abdc47ebcd1e7308fcff046dec46fd

General

Target

AWB#5305323204641,pdf.exe
Size

233KB
MD5

88e05a7f3b27e3aed5d577949c867917
SHA1

180a4cabbb5ea319ff1210f5686c7779d0dd58c7
SHA256

f3b33a885af940210f10df7e1c96dc388161961dcb52b6d84c3b7458d20ce116
SHA512

3d42bc7888584efea5d8a0a48b6293c54405d0186f3d8a45741f4e371ee143a5d1411be8f69dbe5aa5957b8dbad921100872206408a431849de4c826db875bbe

Score

10^/10

asyncrat may11thup rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MAY11thUP

Mutex

chizzy25@!7^UP

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/HKYwiN9V

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4828-141-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AWB#5305323204641,pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	AWB#5305323204641,pdf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

AWB#5305323204641,pdf.exe

description pid process target process

PID 4016 set thread context of 4828 4016 AWB#5305323204641,pdf.exe MSBuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

516 schtasks.exe

description	pid	process	target process
PID 4016 set thread context of 4828	4016	AWB#5305323204641,pdf.exe	MSBuild.exe

pid	process
516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

AWB#5305323204641,pdf.exe

pid	process
4016	AWB#5305323204641,pdf.exe
4016	AWB#5305323204641,pdf.exe
4016	AWB#5305323204641,pdf.exe
4016	AWB#5305323204641,pdf.exe
4016	AWB#5305323204641,pdf.exe
4016	AWB#5305323204641,pdf.exe
4016	AWB#5305323204641,pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AWB#5305323204641,pdf.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 4016 AWB#5305323204641,pdf.exe
Token: SeDebugPrivilege 4828 MSBuild.exe

description	pid	process
Token: SeDebugPrivilege	4016	AWB#5305323204641,pdf.exe
Token: SeDebugPrivilege	4828	MSBuild.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

AWB#5305323204641,pdf.exe

description	pid	process	target process
PID 4016 wrote to memory of 516	4016	AWB#5305323204641,pdf.exe	schtasks.exe
PID 4016 wrote to memory of 516	4016	AWB#5305323204641,pdf.exe	schtasks.exe
PID 4016 wrote to memory of 516	4016	AWB#5305323204641,pdf.exe	schtasks.exe
PID 4016 wrote to memory of 4844	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4844	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4844	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4932	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4932	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4932	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4856	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4856	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4856	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4828	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4828	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4828	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4828	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4828	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4828	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4828	4016	AWB#5305323204641,pdf.exe	MSBuild.exe
PID 4016 wrote to memory of 4828	4016	AWB#5305323204641,pdf.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\AWB#5305323204641,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\AWB#5305323204641,pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aDOhVHp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF6E8.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "{path}"
  2⤵
  PID:4844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "{path}"
  2⤵
  PID:4932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "{path}"
  2⤵
  PID:4856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF6E8.tmp

Filesize
1KB

MD5
815ea23b9b9a703ac97eef1111712d41

SHA1
8113bc95a951d8ac8fe99897e6cb3b5ff349db27

SHA256
8a488e8b1d6ee296f40941a6f0872e8fb3c520fa8c082be5264672219876e974

SHA512
365ee0f5a3d5f2b9617400d214b554612670899a397b189885446902abbd9040303d1a4cf80116e707614cf835685a086d2a34f105c4d3c20c9fe147e62fbacb

Download Submit
memory/516-135-0x0000000000000000-mapping.dmp

Download
memory/4016-130-0x0000000000FE0000-0x0000000001020000-memory.dmp

Filesize
256KB

Download
memory/4016-131-0x0000000005E90000-0x0000000006434000-memory.dmp

Filesize
5.6MB

Download
memory/4016-132-0x00000000059C0000-0x0000000005A52000-memory.dmp

Filesize
584KB

Download
memory/4016-133-0x0000000005B50000-0x0000000005B5A000-memory.dmp

Filesize
40KB

Download
memory/4016-134-0x0000000009370000-0x000000000940C000-memory.dmp

Filesize
624KB

Download
memory/4828-140-0x0000000000000000-mapping.dmp

Download
memory/4828-141-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4844-137-0x0000000000000000-mapping.dmp

Download
memory/4856-139-0x0000000000000000-mapping.dmp

Download
memory/4932-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads