asyncrat | 74a3205e3a8f881af4b7b48d71854b2484eb9d3ea631e24b45c2c36278c187b8

General

Target

Doc#66202009475352576530141.pdf.exe
Size

414KB
MD5

b54eea6b86a4ea7a743e1db549ea54f9
SHA1

2291b8a0e39ca979d0373f98fd2ba8e86105da65
SHA256

9ff9a09c4e1ff0b737d630660b25335cded1fbe365628b5d6e59211e7d8ff53c
SHA512

d5a477a98e5d8939fbcd97d05585fcc6a8f6f8d5e9eb95bf1d220d2ff7fb89d34c8aa83b2708d54ce1b861feab79b39d7ad6ce25557a4e5c50df5173cac33e64

Score

10^/10

asyncrat together rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

TOGETHER

Mutex

chizzy25@/@!7^UPCAZ

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/HKYwiN9V

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/556-139-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Doc#66202009475352576530141.pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Doc#66202009475352576530141.pdf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Doc#66202009475352576530141.pdf.exe

description pid process target process

PID 948 set thread context of 556 948 Doc#66202009475352576530141.pdf.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2368 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Doc#66202009475352576530141.pdf.exe

pid process

948 Doc#66202009475352576530141.pdf.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Doc#66202009475352576530141.pdf.exeRegSvcs.exe

description pid process

Token: SeDebugPrivilege 948 Doc#66202009475352576530141.pdf.exe
Token: SeDebugPrivilege 556 RegSvcs.exe

description	pid	process	target process
PID 948 set thread context of 556	948	Doc#66202009475352576530141.pdf.exe	RegSvcs.exe

pid	process
2368	schtasks.exe

pid	process
948	Doc#66202009475352576530141.pdf.exe

description	pid	process
Token: SeDebugPrivilege	948	Doc#66202009475352576530141.pdf.exe
Token: SeDebugPrivilege	556	RegSvcs.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Doc#66202009475352576530141.pdf.exe

description	pid	process	target process
PID 948 wrote to memory of 2368	948	Doc#66202009475352576530141.pdf.exe	schtasks.exe
PID 948 wrote to memory of 2368	948	Doc#66202009475352576530141.pdf.exe	schtasks.exe
PID 948 wrote to memory of 2368	948	Doc#66202009475352576530141.pdf.exe	schtasks.exe
PID 948 wrote to memory of 556	948	Doc#66202009475352576530141.pdf.exe	RegSvcs.exe
PID 948 wrote to memory of 556	948	Doc#66202009475352576530141.pdf.exe	RegSvcs.exe
PID 948 wrote to memory of 556	948	Doc#66202009475352576530141.pdf.exe	RegSvcs.exe
PID 948 wrote to memory of 556	948	Doc#66202009475352576530141.pdf.exe	RegSvcs.exe
PID 948 wrote to memory of 556	948	Doc#66202009475352576530141.pdf.exe	RegSvcs.exe
PID 948 wrote to memory of 556	948	Doc#66202009475352576530141.pdf.exe	RegSvcs.exe
PID 948 wrote to memory of 556	948	Doc#66202009475352576530141.pdf.exe	RegSvcs.exe
PID 948 wrote to memory of 556	948	Doc#66202009475352576530141.pdf.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\Doc#66202009475352576530141.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Doc#66202009475352576530141.pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HfqSIphGzk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7530.tmp"
2⤵
- Creates scheduled task(s)
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7530.tmp
Filesize
1KB

MD5
70d54135ef2179978b7cdff447ca65a3

SHA1
c51c14da39daf6464430e4127aea8fbd9eb4cc98

SHA256
3595f7f9dd9a57e1559a190c5b7aad3f04c22c64f31e8c782f4a77c255aa8401

SHA512
35f6d309bf5ae224b560b91188af9daaa30230b5e9f1bbabf7bd02b4655c13d448dc6b7d2df8d5b63252360e75ed67ba69202e98b0ec3763ec56eaa9af5eaa81

Download Submit
memory/556-138-0x0000000000000000-mapping.dmp

Download
memory/556-139-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/948-130-0x00000000005D0000-0x000000000063E000-memory.dmp

Filesize
440KB

Download
memory/948-131-0x0000000005000000-0x000000000509C000-memory.dmp

Filesize
624KB

Download
memory/948-132-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/948-133-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/948-134-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

Filesize
40KB

Download
memory/948-135-0x00000000052E0000-0x0000000005336000-memory.dmp

Filesize
344KB

Download
memory/2368-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads