asyncrat | 35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c

General

Target

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
Size

196KB
MD5

1911850718a8685581d389d426d2606c
SHA1

4dfc240924a6285290b8d42ede112f6a9ed07e6e
SHA256

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c
SHA512

a528fadd059b3b4f7d3ab56d02ce91c145bb94911193bd38ed8a229c49f5b6ecf41bfc2ecf71ebdd8e7938d5fd43d925a8d89b7a221795a723c4909a690f8960

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe

description	pid	process	target process
PID 1604 set thread context of 1104	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exePowershell.exe

pid	process
1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
1592	Powershell.exe
1592	Powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exePowershell.exe

description	pid	process
Token: SeDebugPrivilege	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
Token: SeDebugPrivilege	1592	Powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe

description	pid	process	target process
PID 1604 wrote to memory of 1104	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1604 wrote to memory of 1104	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1604 wrote to memory of 1104	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1604 wrote to memory of 1104	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1604 wrote to memory of 1104	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1604 wrote to memory of 1104	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1604 wrote to memory of 1104	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1604 wrote to memory of 1104	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
PID 1604 wrote to memory of 1592	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	Powershell.exe
PID 1604 wrote to memory of 1592	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	Powershell.exe
PID 1604 wrote to memory of 1592	1604	35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe	Powershell.exe

C:\Users\Admin\AppData\Local\Temp\35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
"C:\Users\Admin\AppData\Local\Temp\35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe
"C:\Users\Admin\AppData\Local\Temp\35f773db7425ff423789692d850f714a8ae1429186985339619ab4526e03206c.exe"
2⤵
PID:1104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe"'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1104-134-0x0000000000000000-mapping.dmp

Download
memory/1104-150-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/1104-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1592-142-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/1592-144-0x0000000070460000-0x00000000704AC000-memory.dmp

Filesize
304KB

Download
memory/1592-153-0x0000000007930000-0x0000000007938000-memory.dmp

Filesize
32KB

Download
memory/1592-136-0x0000000000000000-mapping.dmp

Download
memory/1592-137-0x00000000029D0000-0x0000000002A06000-memory.dmp

Filesize
216KB

Download
memory/1592-138-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/1592-139-0x0000000005540000-0x0000000005562000-memory.dmp

Filesize
136KB

Download
memory/1592-140-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/1592-141-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/1592-152-0x0000000007950000-0x000000000796A000-memory.dmp

Filesize
104KB

Download
memory/1592-143-0x00000000068D0000-0x0000000006902000-memory.dmp

Filesize
200KB

Download
memory/1592-151-0x0000000007840000-0x000000000784E000-memory.dmp

Filesize
56KB

Download
memory/1592-145-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/1592-146-0x0000000007C50000-0x00000000082CA000-memory.dmp

Filesize
6.5MB

Download
memory/1592-147-0x0000000007610000-0x000000000762A000-memory.dmp

Filesize
104KB

Download
memory/1592-148-0x0000000007680000-0x000000000768A000-memory.dmp

Filesize
40KB

Download
memory/1592-149-0x0000000007890000-0x0000000007926000-memory.dmp

Filesize
600KB

Download
memory/1604-131-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/1604-133-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/1604-130-0x00000000006E0000-0x0000000000716000-memory.dmp

Filesize
216KB

Download
memory/1604-132-0x0000000005150000-0x00000000051E2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads