asyncrat | 8d81288e14060608e6376a3cfbd597c9b046d48352cb831e0a6cce03fee9a2b3

General

Target

PDF 0324.exe
Size

483KB
MD5

fe0d59b23aacdad709f375bdfdf9f14c
SHA1

6427f34f2a272415f9dc741392011898fbe38e72
SHA256

e163a54c8c3664887553b9a5e335a4dbb58b350634e6b204676bc63e454ba868
SHA512

d643e0cb9ed8a0c474d657c6c54f77058fb0dc1ae4268d34e7d69db74e1a6046c63f905bf42b5ca9c1a4a3297325cea8a3d09de5d8c7a11ea35c28a56d4c9d4d

Score

10^/10

asyncrat newjob1 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

newjob1

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/eeJq8Ku6

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1804-130-0x00000000009F0000-0x0000000000A6E000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\ttyu.exe	asyncrat
C:\Users\Admin\AppData\Roaming\ttyu.exe	asyncrat
behavioral2/memory/4884-140-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

ttyu.exeAddInProcess32.exe

pid process

1568 ttyu.exe
4884 AddInProcess32.exe

pid	process
1568	ttyu.exe
4884	AddInProcess32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PDF 0324.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	PDF 0324.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttyt = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\ttyu.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

ttyu.exe

description pid process target process

PID 1568 set thread context of 4884 1568 ttyu.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1568 set thread context of 4884	1568	ttyu.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

PDF 0324.exettyu.exe

pid	process
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1804	PDF 0324.exe
1568	ttyu.exe
1568	ttyu.exe
1568	ttyu.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PDF 0324.exettyu.exeAddInProcess32.exe

description pid process

Token: SeDebugPrivilege 1804 PDF 0324.exe
Token: SeDebugPrivilege 1568 ttyu.exe
Token: SeDebugPrivilege 4884 AddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1804	PDF 0324.exe
Token: SeDebugPrivilege	1568	ttyu.exe
Token: SeDebugPrivilege	4884	AddInProcess32.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

PDF 0324.execmd.exettyu.exe

description	pid	process	target process
PID 1804 wrote to memory of 2336	1804	PDF 0324.exe	cmd.exe
PID 1804 wrote to memory of 2336	1804	PDF 0324.exe	cmd.exe
PID 1804 wrote to memory of 2336	1804	PDF 0324.exe	cmd.exe
PID 2336 wrote to memory of 320	2336	cmd.exe	reg.exe
PID 2336 wrote to memory of 320	2336	cmd.exe	reg.exe
PID 2336 wrote to memory of 320	2336	cmd.exe	reg.exe
PID 1804 wrote to memory of 1568	1804	PDF 0324.exe	ttyu.exe
PID 1804 wrote to memory of 1568	1804	PDF 0324.exe	ttyu.exe
PID 1804 wrote to memory of 1568	1804	PDF 0324.exe	ttyu.exe
PID 1568 wrote to memory of 4884	1568	ttyu.exe	AddInProcess32.exe
PID 1568 wrote to memory of 4884	1568	ttyu.exe	AddInProcess32.exe
PID 1568 wrote to memory of 4884	1568	ttyu.exe	AddInProcess32.exe
PID 1568 wrote to memory of 4884	1568	ttyu.exe	AddInProcess32.exe
PID 1568 wrote to memory of 4884	1568	ttyu.exe	AddInProcess32.exe
PID 1568 wrote to memory of 4884	1568	ttyu.exe	AddInProcess32.exe
PID 1568 wrote to memory of 4884	1568	ttyu.exe	AddInProcess32.exe
PID 1568 wrote to memory of 4884	1568	ttyu.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\PDF 0324.exe
"C:\Users\Admin\AppData\Local\Temp\PDF 0324.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v ttyt /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\ttyu.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v ttyt /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\ttyu.exe"
3⤵
- Adds Run key to start application
PID:320

C:\Users\Admin\AppData\Roaming\ttyu.exe
"C:\Users\Admin\AppData\Roaming\ttyu.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
Filesize
42KB

MD5
9827ff3cdf4b83f9c86354606736ca9c

SHA1
e73d73f42bb2a310f03eb1bcbb22be2b8eb7c723

SHA256
c1cf3dc8fa1c7fc00f88e07ad539979b3706ca8d69223cffd1d58bc8f521f63a

SHA512
8261828d55f3b5134c0aeb98311c04e20c5395d4347251746f3be0fb854f36cc7e118713cd00c9867537e6e47d5e71f2b2384fc00c67f0ae1b285b8310321579

Download Submit
C:\Users\Admin\AppData\Roaming\ttyu.exe
Filesize
483KB

MD5
fe0d59b23aacdad709f375bdfdf9f14c

SHA1
6427f34f2a272415f9dc741392011898fbe38e72

SHA256
e163a54c8c3664887553b9a5e335a4dbb58b350634e6b204676bc63e454ba868

SHA512
d643e0cb9ed8a0c474d657c6c54f77058fb0dc1ae4268d34e7d69db74e1a6046c63f905bf42b5ca9c1a4a3297325cea8a3d09de5d8c7a11ea35c28a56d4c9d4d

Download Submit
C:\Users\Admin\AppData\Roaming\ttyu.exe
Filesize
483KB

MD5
fe0d59b23aacdad709f375bdfdf9f14c

SHA1
6427f34f2a272415f9dc741392011898fbe38e72

SHA256
e163a54c8c3664887553b9a5e335a4dbb58b350634e6b204676bc63e454ba868

SHA512
d643e0cb9ed8a0c474d657c6c54f77058fb0dc1ae4268d34e7d69db74e1a6046c63f905bf42b5ca9c1a4a3297325cea8a3d09de5d8c7a11ea35c28a56d4c9d4d

Download Submit
memory/320-135-0x0000000000000000-mapping.dmp

Download
memory/1568-136-0x0000000000000000-mapping.dmp

Download
memory/1804-133-0x00000000089E0000-0x0000000008A24000-memory.dmp

Filesize
272KB

Download
memory/1804-130-0x00000000009F0000-0x0000000000A6E000-memory.dmp

Filesize
504KB

Download
memory/1804-132-0x00000000079C0000-0x0000000007A52000-memory.dmp

Filesize
584KB

Download
memory/1804-131-0x0000000007F70000-0x0000000008514000-memory.dmp

Filesize
5.6MB

Download
memory/2336-134-0x0000000000000000-mapping.dmp

Download
memory/4884-139-0x0000000000000000-mapping.dmp

Download
memory/4884-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads