asyncrat | 96ed613ad847a5a835426e8d4da7aa674f504435c953c0414af100a870b2773a

General

Target

PO1807200020_XLS.scr
Size

271KB
MD5

981ee0bdf8ccd8ecaba13eefa6c58fb9
SHA1

a70e9310bf6bd033710321e1dfe77d3377237c36
SHA256

b05af3b65673a21e658075117c050ce9ebdf47634b64e354a6abf241fc8e8a9e
SHA512

ec52f6bd62bbf21de8be391cd2a16ffee274ed5462d5bf23c15d7eea0f535f5741389a15fed9e0ac1feb3c317120a02afd8527ce5493591c54edd4340654686d

Score

10^/10

asyncrat 5 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

Botnet

5

C2

62.102.148.158:62727

82.102.28.107:62727

Mutex

xfndfpqfqzwft

Attributes

delay
0
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/940-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/940-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/940-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/940-65-0x000000000040C39E-mapping.dmp	asyncrat
behavioral1/memory/940-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/940-69-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PO1807200020_XLS.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\hl4q5gkwOzkP = "\"C:\\Users\\Admin\\AppData\\Roaming\\hl4q5gkwOzkP.exe\""	PO1807200020_XLS.scr

Suspicious use of SetThreadContext 1 IoCs

Processes:

PO1807200020_XLS.scr

description pid process target process

PID 912 set thread context of 940 912 PO1807200020_XLS.scr PO1807200020_XLS.scr

description	pid	process	target process
PID 912 set thread context of 940	912	PO1807200020_XLS.scr	PO1807200020_XLS.scr

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

PO1807200020_XLS.scrPO1807200020_XLS.scr

pid	process
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
912	PO1807200020_XLS.scr
940	PO1807200020_XLS.scr

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO1807200020_XLS.scrPO1807200020_XLS.scr

description pid process

Token: SeDebugPrivilege 912 PO1807200020_XLS.scr
Token: SeDebugPrivilege 940 PO1807200020_XLS.scr

description	pid	process
Token: SeDebugPrivilege	912	PO1807200020_XLS.scr
Token: SeDebugPrivilege	940	PO1807200020_XLS.scr

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PO1807200020_XLS.scr

description	pid	process	target process
PID 912 wrote to memory of 940	912	PO1807200020_XLS.scr	PO1807200020_XLS.scr
PID 912 wrote to memory of 940	912	PO1807200020_XLS.scr	PO1807200020_XLS.scr
PID 912 wrote to memory of 940	912	PO1807200020_XLS.scr	PO1807200020_XLS.scr
PID 912 wrote to memory of 940	912	PO1807200020_XLS.scr	PO1807200020_XLS.scr
PID 912 wrote to memory of 940	912	PO1807200020_XLS.scr	PO1807200020_XLS.scr
PID 912 wrote to memory of 940	912	PO1807200020_XLS.scr	PO1807200020_XLS.scr
PID 912 wrote to memory of 940	912	PO1807200020_XLS.scr	PO1807200020_XLS.scr
PID 912 wrote to memory of 940	912	PO1807200020_XLS.scr	PO1807200020_XLS.scr
PID 912 wrote to memory of 940	912	PO1807200020_XLS.scr	PO1807200020_XLS.scr

C:\Users\Admin\AppData\Local\Temp\PO1807200020_XLS.scr
"C:\Users\Admin\AppData\Local\Temp\PO1807200020_XLS.scr" /S
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\PO1807200020_XLS.scr
"C:\Users\Admin\AppData\Local\Temp\PO1807200020_XLS.scr"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/912-54-0x0000000000AE0000-0x0000000000B2A000-memory.dmp

Filesize
296KB

Download
memory/912-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/912-56-0x0000000000480000-0x00000000004B4000-memory.dmp

Filesize
208KB

Download
memory/912-57-0x0000000000260000-0x000000000026E000-memory.dmp

Filesize
56KB

Download
memory/912-58-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/940-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-65-0x000000000040C39E-mapping.dmp

Download
memory/940-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads