asyncrat | 1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

General

Target

ea38cfcc0258377c4feedfc30ed0bbc1.exe
Size

180KB
MD5

ea38cfcc0258377c4feedfc30ed0bbc1
SHA1

7b3bbfdffbfdaf8209d30f33c545b54abfd2816f
SHA256

1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64
SHA512

3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Score

10^/10

asyncrat default persistence rat suricata

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

62.197.136.195:3333

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
testversion.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9Db52or07ibYr5kr\\f7y26IaKPORv.exe\",explorer.exe"	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9Db52or07ibYr5kr\\MAHDLATBYih7.exe\",explorer.exe"	testversion.exe

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
suricata

Async RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1956-60-0x0000000003F90000-0x0000000003FA2000-memory.dmp	asyncrat
behavioral1/memory/276-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/276-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/276-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/276-67-0x000000000040CBBE-mapping.dmp	asyncrat
behavioral1/memory/276-69-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/276-71-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1160-86-0x0000000000470000-0x0000000000482000-memory.dmp	asyncrat
behavioral1/memory/1016-94-0x000000000040CBBE-mapping.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

testversion.exetestversion.exe

pid process

1160 testversion.exe
1016 testversion.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exetestversion.exe

pid process

1884 cmd.exe
1160 testversion.exe

pid	process
1160	testversion.exe
1016	testversion.exe

pid	process
1884	cmd.exe
1160	testversion.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exe

description	pid	process	target process
PID 1956 set thread context of 276	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1160 set thread context of 1016	1160	testversion.exe	testversion.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

780 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

908 timeout.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exeea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exe

pid process

1956 ea38cfcc0258377c4feedfc30ed0bbc1.exe
276 ea38cfcc0258377c4feedfc30ed0bbc1.exe
1160 testversion.exe

pid	process
780	schtasks.exe

pid	process
908	timeout.exe

pid	process
1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe
276	ea38cfcc0258377c4feedfc30ed0bbc1.exe
1160	testversion.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exeea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exetestversion.exe

description	pid	process
Token: SeDebugPrivilege	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Token: SeDebugPrivilege	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Token: SeDebugPrivilege	276	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Token: SeDebugPrivilege	1160	testversion.exe
Token: SeDebugPrivilege	1160	testversion.exe
Token: SeDebugPrivilege	1016	testversion.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exeea38cfcc0258377c4feedfc30ed0bbc1.execmd.execmd.exetestversion.exe

description	pid	process	target process
PID 1956 wrote to memory of 276	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1956 wrote to memory of 276	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1956 wrote to memory of 276	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1956 wrote to memory of 276	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1956 wrote to memory of 276	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1956 wrote to memory of 276	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1956 wrote to memory of 276	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1956 wrote to memory of 276	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1956 wrote to memory of 276	1956	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 276 wrote to memory of 576	276	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 276 wrote to memory of 576	276	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 276 wrote to memory of 576	276	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 276 wrote to memory of 576	276	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 276 wrote to memory of 1884	276	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 276 wrote to memory of 1884	276	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 276 wrote to memory of 1884	276	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 276 wrote to memory of 1884	276	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 576 wrote to memory of 780	576	cmd.exe	schtasks.exe
PID 576 wrote to memory of 780	576	cmd.exe	schtasks.exe
PID 576 wrote to memory of 780	576	cmd.exe	schtasks.exe
PID 576 wrote to memory of 780	576	cmd.exe	schtasks.exe
PID 1884 wrote to memory of 908	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 908	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 908	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 908	1884	cmd.exe	timeout.exe
PID 1884 wrote to memory of 1160	1884	cmd.exe	testversion.exe
PID 1884 wrote to memory of 1160	1884	cmd.exe	testversion.exe
PID 1884 wrote to memory of 1160	1884	cmd.exe	testversion.exe
PID 1884 wrote to memory of 1160	1884	cmd.exe	testversion.exe
PID 1160 wrote to memory of 1016	1160	testversion.exe	testversion.exe
PID 1160 wrote to memory of 1016	1160	testversion.exe	testversion.exe
PID 1160 wrote to memory of 1016	1160	testversion.exe	testversion.exe
PID 1160 wrote to memory of 1016	1160	testversion.exe	testversion.exe
PID 1160 wrote to memory of 1016	1160	testversion.exe	testversion.exe
PID 1160 wrote to memory of 1016	1160	testversion.exe	testversion.exe
PID 1160 wrote to memory of 1016	1160	testversion.exe	testversion.exe
PID 1160 wrote to memory of 1016	1160	testversion.exe	testversion.exe
PID 1160 wrote to memory of 1016	1160	testversion.exe	testversion.exe

C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe
"C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe
"C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "testversion" /tr '"C:\Users\Admin\AppData\Local\Temp\testversion.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "testversion" /tr '"C:\Users\Admin\AppData\Local\Temp\testversion.exe"'
4⤵
- Creates scheduled task(s)
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp283A.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:908

C:\Users\Admin\AppData\Local\Temp\testversion.exe
"C:\Users\Admin\AppData\Local\Temp\testversion.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\testversion.exe
"C:\Users\Admin\AppData\Local\Temp\testversion.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Winlogon Helper DLL

1

T1004

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp283A.tmp.bat
Filesize
158B

MD5
89afaf1d1182699d26d3993bf01bcaad

SHA1
fb0c8a41c5325d60de6f0fa5bb2b2d8a46eb4c76

SHA256
fb67563f35d34bbef5db6288d1773110d36654dd56c9aa74cfea24466f239129

SHA512
b6f31463bbf82264341b3fc0f30af9a7edbf81a9608753719d3cb21b988fdae9651ac8c83512827e804b3881371951821e956e5fa8cc6fb352dad16f3071b050

Download Submit
\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
memory/276-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/276-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/276-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/276-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/276-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/276-67-0x000000000040CBBE-mapping.dmp

Download
memory/276-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/276-71-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/576-73-0x0000000000000000-mapping.dmp

Download
memory/780-76-0x0000000000000000-mapping.dmp

Download
memory/908-77-0x0000000000000000-mapping.dmp

Download
memory/1016-94-0x000000000040CBBE-mapping.dmp

Download
memory/1160-82-0x0000000000B80000-0x0000000000BB4000-memory.dmp

Filesize
208KB

Download
memory/1160-86-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/1160-85-0x0000000004BD5000-0x0000000004BE6000-memory.dmp

Filesize
68KB

Download
memory/1160-80-0x0000000000000000-mapping.dmp

Download
memory/1160-84-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1884-74-0x0000000000000000-mapping.dmp

Download
memory/1956-59-0x0000000001EA0000-0x0000000001EC2000-memory.dmp

Filesize
136KB

Download
memory/1956-57-0x00000000004D0000-0x00000000004F2000-memory.dmp

Filesize
136KB

Download
memory/1956-58-0x0000000004CA5000-0x0000000004CB6000-memory.dmp

Filesize
68KB

Download
memory/1956-60-0x0000000003F90000-0x0000000003FA2000-memory.dmp

Filesize
72KB

Download
memory/1956-56-0x00000000004A0000-0x00000000004C2000-memory.dmp

Filesize
136KB

Download
memory/1956-54-0x0000000000960000-0x0000000000994000-memory.dmp

Filesize
208KB

Download
memory/1956-55-0x0000000075DB1000-0x0000000075DB3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads