asyncrat | 35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c

General

Target

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
Size

196KB
MD5

1911850718a8685581d389d426d2606c
SHA1

4dfc240924a6285290b8d42ede112f6a9ed07e6e
SHA256

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c
SHA512

a528fadd059b3b4f7d3ab56d02ce91c145bb94911193bd38ed8a229c49f5b6ecf41bfc2ecf71ebdd8e7938d5fd43d925a8d89b7a221795a723c4909a690f8960

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe

description	pid	process	target process
PID 1932 set thread context of 1992	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exePowershell.exe

pid	process
1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
1984	Powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exePowershell.exe

description	pid	process
Token: SeDebugPrivilege	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
Token: SeDebugPrivilege	1984	Powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe

description	pid	process	target process
PID 1932 wrote to memory of 1992	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1932 wrote to memory of 1992	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1932 wrote to memory of 1992	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1932 wrote to memory of 1992	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1932 wrote to memory of 1992	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1932 wrote to memory of 1992	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1932 wrote to memory of 1992	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1932 wrote to memory of 1992	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1932 wrote to memory of 1992	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1932 wrote to memory of 1984	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	Powershell.exe
PID 1932 wrote to memory of 1984	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	Powershell.exe
PID 1932 wrote to memory of 1984	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	Powershell.exe
PID 1932 wrote to memory of 1984	1932	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	Powershell.exe

C:\Users\Admin\AppData\Local\Temp\35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
"C:\Users\Admin\AppData\Local\Temp\35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
"C:\Users\Admin\AppData\Local\Temp\35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe"
2⤵
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-54-0x0000000001200000-0x0000000001236000-memory.dmp

Filesize
216KB

Download
memory/1932-55-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1932-56-0x0000000000960000-0x000000000099E000-memory.dmp

Filesize
248KB

Download
memory/1984-70-0x00000000719E0000-0x0000000071F8B000-memory.dmp

Filesize
5.7MB

Download
memory/1984-68-0x0000000000000000-mapping.dmp

Download
memory/1992-61-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1992-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1992-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1992-63-0x00000000004250EE-mapping.dmp

Download
memory/1992-65-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1992-67-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1992-58-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1992-57-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads