asyncrat | 5af88b2d9a192241b2b0e52aed733bdeb190a4af07eacc6940520f7441c04953

General

Target

MAJDALANI INOX S.A Pedido 050820.exe
Size

211KB
MD5

d5fde7482c0a5271e68c211f9e75e7b6
SHA1

c0f734e5c0dcf8fc8527dc4c96bd7bdeb96a245b
SHA256

af9b543c27aeb1cb25c7ced83b727b29ab7dc4a91e28b5693d52f810aedab2f6
SHA512

ab65a13b031632be848f1676dc6459223c8be4caa34b39343fe1f1eb37c65612359b3bd2ca174df5dae519a68b75463be95b2ea8f27bb340b943c13042872d38

Score

10^/10

asyncrat god's mercy persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

GOD'S MERCY

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/reQxa5Ah

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

MAJDALANI INOX S.A Pedido 050820.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MAJDALANI INOX S.A Pedido 050820.exe\""	MAJDALANI INOX S.A Pedido 050820.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4264-134-0x0000000000400000-0x000000000042A000-memory.dmp	asyncrat

Drops startup file 2 IoCs

Processes:

MAJDALANI INOX S.A Pedido 050820.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAJDALANI INOX S.A Pedido 050820.exe	MAJDALANI INOX S.A Pedido 050820.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MAJDALANI INOX S.A Pedido 050820.exe	MAJDALANI INOX S.A Pedido 050820.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MAJDALANI INOX S.A Pedido 050820.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MAJDALANI INOX S.A Pedido 050820.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MAJDALANI INOX S.A Pedido 050820.exe"	MAJDALANI INOX S.A Pedido 050820.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

MAJDALANI INOX S.A Pedido 050820.exe

description pid process target process

PID 3384 set thread context of 4264 3384 MAJDALANI INOX S.A Pedido 050820.exe installutil.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

installutil.exe

description pid process

Token: SeDebugPrivilege 4264 installutil.exe

description	pid	process	target process
PID 3384 set thread context of 4264	3384	MAJDALANI INOX S.A Pedido 050820.exe	installutil.exe

description	pid	process
Token: SeDebugPrivilege	4264	installutil.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

MAJDALANI INOX S.A Pedido 050820.exe

description	pid	process	target process
PID 3384 wrote to memory of 4264	3384	MAJDALANI INOX S.A Pedido 050820.exe	installutil.exe
PID 3384 wrote to memory of 4264	3384	MAJDALANI INOX S.A Pedido 050820.exe	installutil.exe
PID 3384 wrote to memory of 4264	3384	MAJDALANI INOX S.A Pedido 050820.exe	installutil.exe
PID 3384 wrote to memory of 4264	3384	MAJDALANI INOX S.A Pedido 050820.exe	installutil.exe
PID 3384 wrote to memory of 4264	3384	MAJDALANI INOX S.A Pedido 050820.exe	installutil.exe
PID 3384 wrote to memory of 4264	3384	MAJDALANI INOX S.A Pedido 050820.exe	installutil.exe
PID 3384 wrote to memory of 4264	3384	MAJDALANI INOX S.A Pedido 050820.exe	installutil.exe
PID 3384 wrote to memory of 4264	3384	MAJDALANI INOX S.A Pedido 050820.exe	installutil.exe

C:\Users\Admin\AppData\Local\Temp\MAJDALANI INOX S.A Pedido 050820.exe
"C:\Users\Admin\AppData\Local\Temp\MAJDALANI INOX S.A Pedido 050820.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3384-130-0x00000000009A0000-0x00000000009DA000-memory.dmp

Filesize
232KB

Download
memory/3384-131-0x0000000005310000-0x00000000053AC000-memory.dmp

Filesize
624KB

Download
memory/3384-132-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/4264-133-0x0000000000000000-mapping.dmp

Download
memory/4264-134-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads