asyncrat | 1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

General

Target

ea38cfcc0258377c4feedfc30ed0bbc1.exe
Size

180KB
MD5

ea38cfcc0258377c4feedfc30ed0bbc1
SHA1

7b3bbfdffbfdaf8209d30f33c545b54abfd2816f
SHA256

1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64
SHA512

3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Score

10^/10

asyncrat default persistence rat suricata

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

62.197.136.195:3333

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
testversion.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9Db52or07ibYr5kr\\qruRhMqS1xrs.exe\",explorer.exe"	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9Db52or07ibYr5kr\\QxjL420iMmRR.exe\",explorer.exe"	testversion.exe

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
suricata

Async RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1092-58-0x00000000004B0000-0x00000000004C2000-memory.dmp	asyncrat
behavioral1/memory/1220-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1220-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1220-65-0x000000000040CBBE-mapping.dmp	asyncrat
behavioral1/memory/1220-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1220-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1220-69-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1728-83-0x00000000005A0000-0x00000000005B2000-memory.dmp	asyncrat
behavioral1/memory/1992-93-0x000000000040CBBE-mapping.dmp	asyncrat

Executes dropped EXE 3 IoCs

Processes:

testversion.exetestversion.exetestversion.exe

pid process

1728 testversion.exe
2028 testversion.exe
1992 testversion.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exetestversion.exe

pid process

2016 cmd.exe
1728 testversion.exe
1728 testversion.exe

pid	process
1728	testversion.exe
2028	testversion.exe
1992	testversion.exe

pid	process
2016	cmd.exe
1728	testversion.exe
1728	testversion.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exe

description	pid	process	target process
PID 1092 set thread context of 1220	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1728 set thread context of 1992	1728	testversion.exe	testversion.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2032 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

896 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exeea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exe

pid process

1092 ea38cfcc0258377c4feedfc30ed0bbc1.exe
1220 ea38cfcc0258377c4feedfc30ed0bbc1.exe
1728 testversion.exe
1728 testversion.exe
1728 testversion.exe

pid	process
2032	schtasks.exe

pid	process
896	timeout.exe

pid	process
1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe
1220	ea38cfcc0258377c4feedfc30ed0bbc1.exe
1728	testversion.exe
1728	testversion.exe
1728	testversion.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exeea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exetestversion.exe

description	pid	process
Token: SeDebugPrivilege	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Token: SeDebugPrivilege	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Token: SeDebugPrivilege	1220	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Token: SeDebugPrivilege	1728	testversion.exe
Token: SeDebugPrivilege	1728	testversion.exe
Token: SeDebugPrivilege	1992	testversion.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exeea38cfcc0258377c4feedfc30ed0bbc1.execmd.execmd.exetestversion.exe

description	pid	process	target process
PID 1092 wrote to memory of 1220	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1092 wrote to memory of 1220	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1092 wrote to memory of 1220	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1092 wrote to memory of 1220	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1092 wrote to memory of 1220	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1092 wrote to memory of 1220	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1092 wrote to memory of 1220	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1092 wrote to memory of 1220	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1092 wrote to memory of 1220	1092	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 1220 wrote to memory of 584	1220	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 1220 wrote to memory of 584	1220	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 1220 wrote to memory of 584	1220	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 1220 wrote to memory of 584	1220	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 1220 wrote to memory of 2016	1220	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 1220 wrote to memory of 2016	1220	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 1220 wrote to memory of 2016	1220	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 1220 wrote to memory of 2016	1220	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 584 wrote to memory of 2032	584	cmd.exe	schtasks.exe
PID 584 wrote to memory of 2032	584	cmd.exe	schtasks.exe
PID 584 wrote to memory of 2032	584	cmd.exe	schtasks.exe
PID 584 wrote to memory of 2032	584	cmd.exe	schtasks.exe
PID 2016 wrote to memory of 896	2016	cmd.exe	timeout.exe
PID 2016 wrote to memory of 896	2016	cmd.exe	timeout.exe
PID 2016 wrote to memory of 896	2016	cmd.exe	timeout.exe
PID 2016 wrote to memory of 896	2016	cmd.exe	timeout.exe
PID 2016 wrote to memory of 1728	2016	cmd.exe	testversion.exe
PID 2016 wrote to memory of 1728	2016	cmd.exe	testversion.exe
PID 2016 wrote to memory of 1728	2016	cmd.exe	testversion.exe
PID 2016 wrote to memory of 1728	2016	cmd.exe	testversion.exe
PID 1728 wrote to memory of 2028	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 2028	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 2028	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 2028	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 1992	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 1992	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 1992	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 1992	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 1992	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 1992	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 1992	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 1992	1728	testversion.exe	testversion.exe
PID 1728 wrote to memory of 1992	1728	testversion.exe	testversion.exe

C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe
"C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe
"C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "testversion" /tr '"C:\Users\Admin\AppData\Local\Temp\testversion.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "testversion" /tr '"C:\Users\Admin\AppData\Local\Temp\testversion.exe"'
4⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2A9A.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:896

C:\Users\Admin\AppData\Local\Temp\testversion.exe
"C:\Users\Admin\AppData\Local\Temp\testversion.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\testversion.exe
"C:\Users\Admin\AppData\Local\Temp\testversion.exe"
5⤵
- Executes dropped EXE
PID:2028

C:\Users\Admin\AppData\Local\Temp\testversion.exe
"C:\Users\Admin\AppData\Local\Temp\testversion.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Winlogon Helper DLL

1

T1004

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2A9A.tmp.bat
Filesize
158B

MD5
fae02d330c33d35d22e9e0eaf2402d7c

SHA1
9a0eb6a774ea1834de27485e78b6645337d2b387

SHA256
4768e0ec833d5a75385d84a38743cd43b01b67776bb173b8e9c1fcf4de59485a

SHA512
0c15fa9871ff3e3ef658249dc819e4b4be1896c3b3d444ca403cd6c30bce3949034b04ab8cf284a7f676d7e7f8b8b87f8729e2033bc4968b720b7bfaac19cafa

Download Submit
\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
memory/584-71-0x0000000000000000-mapping.dmp

Download
memory/896-75-0x0000000000000000-mapping.dmp

Download
memory/1092-54-0x0000000000B10000-0x0000000000B44000-memory.dmp

Filesize
208KB

Download
memory/1092-58-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/1092-57-0x00000000048A5000-0x00000000048B6000-memory.dmp

Filesize
68KB

Download
memory/1092-56-0x0000000000410000-0x0000000000432000-memory.dmp

Filesize
136KB

Download
memory/1092-55-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1220-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1220-65-0x000000000040CBBE-mapping.dmp

Download
memory/1220-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1220-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1220-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1220-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1220-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1220-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1728-82-0x0000000004E35000-0x0000000004E46000-memory.dmp

Filesize
68KB

Download
memory/1728-83-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/1728-80-0x00000000012F0000-0x0000000001324000-memory.dmp

Filesize
208KB

Download
memory/1728-78-0x0000000000000000-mapping.dmp

Download
memory/1992-93-0x000000000040CBBE-mapping.dmp

Download
memory/2016-72-0x0000000000000000-mapping.dmp

Download
memory/2032-74-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads