asyncrat | 1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

General

Target

ea38cfcc0258377c4feedfc30ed0bbc1.exe
Size

180KB
MD5

ea38cfcc0258377c4feedfc30ed0bbc1
SHA1

7b3bbfdffbfdaf8209d30f33c545b54abfd2816f
SHA256

1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64
SHA512

3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Score

10^/10

asyncrat default persistence rat suricata

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

62.197.136.195:3333

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
testversion.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9Db52or07ibYr5kr\\w7SjyOExCAfd.exe\",explorer.exe"	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\9Db52or07ibYr5kr\\bPVD5EyqpQv0.exe\",explorer.exe"	testversion.exe

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
suricata

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4636-136-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

testversion.exetestversion.exe

pid process

2028 testversion.exe
4464 testversion.exe

pid	process
2028	testversion.exe
4464	testversion.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	ea38cfcc0258377c4feedfc30ed0bbc1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exe

description	pid	process	target process
PID 3368 set thread context of 4636	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 2028 set thread context of 4464	2028	testversion.exe	testversion.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3748 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4552 timeout.exe

pid	process
3748	schtasks.exe

pid	process
4552	timeout.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exeea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exe

pid	process
3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe
3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe
3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe
3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe
3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe
3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
2028	testversion.exe
2028	testversion.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exeea38cfcc0258377c4feedfc30ed0bbc1.exetestversion.exetestversion.exe

description	pid	process
Token: SeDebugPrivilege	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Token: SeDebugPrivilege	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Token: SeDebugPrivilege	4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe
Token: SeDebugPrivilege	2028	testversion.exe
Token: SeDebugPrivilege	2028	testversion.exe
Token: SeDebugPrivilege	4464	testversion.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

ea38cfcc0258377c4feedfc30ed0bbc1.exeea38cfcc0258377c4feedfc30ed0bbc1.execmd.execmd.exetestversion.exe

description	pid	process	target process
PID 3368 wrote to memory of 976	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 3368 wrote to memory of 976	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 3368 wrote to memory of 976	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 3368 wrote to memory of 4636	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 3368 wrote to memory of 4636	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 3368 wrote to memory of 4636	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 3368 wrote to memory of 4636	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 3368 wrote to memory of 4636	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 3368 wrote to memory of 4636	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 3368 wrote to memory of 4636	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 3368 wrote to memory of 4636	3368	ea38cfcc0258377c4feedfc30ed0bbc1.exe	ea38cfcc0258377c4feedfc30ed0bbc1.exe
PID 4636 wrote to memory of 1404	4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 4636 wrote to memory of 1404	4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 4636 wrote to memory of 1404	4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 4636 wrote to memory of 1288	4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 4636 wrote to memory of 1288	4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 4636 wrote to memory of 1288	4636	ea38cfcc0258377c4feedfc30ed0bbc1.exe	cmd.exe
PID 1288 wrote to memory of 4552	1288	cmd.exe	timeout.exe
PID 1288 wrote to memory of 4552	1288	cmd.exe	timeout.exe
PID 1288 wrote to memory of 4552	1288	cmd.exe	timeout.exe
PID 1404 wrote to memory of 3748	1404	cmd.exe	schtasks.exe
PID 1404 wrote to memory of 3748	1404	cmd.exe	schtasks.exe
PID 1404 wrote to memory of 3748	1404	cmd.exe	schtasks.exe
PID 1288 wrote to memory of 2028	1288	cmd.exe	testversion.exe
PID 1288 wrote to memory of 2028	1288	cmd.exe	testversion.exe
PID 1288 wrote to memory of 2028	1288	cmd.exe	testversion.exe
PID 2028 wrote to memory of 4464	2028	testversion.exe	testversion.exe
PID 2028 wrote to memory of 4464	2028	testversion.exe	testversion.exe
PID 2028 wrote to memory of 4464	2028	testversion.exe	testversion.exe
PID 2028 wrote to memory of 4464	2028	testversion.exe	testversion.exe
PID 2028 wrote to memory of 4464	2028	testversion.exe	testversion.exe
PID 2028 wrote to memory of 4464	2028	testversion.exe	testversion.exe
PID 2028 wrote to memory of 4464	2028	testversion.exe	testversion.exe
PID 2028 wrote to memory of 4464	2028	testversion.exe	testversion.exe

C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe
"C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368

C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe
"C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe"
2⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe
"C:\Users\Admin\AppData\Local\Temp\ea38cfcc0258377c4feedfc30ed0bbc1.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "testversion" /tr '"C:\Users\Admin\AppData\Local\Temp\testversion.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "testversion" /tr '"C:\Users\Admin\AppData\Local\Temp\testversion.exe"'
4⤵
- Creates scheduled task(s)
PID:3748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3C2.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4552

C:\Users\Admin\AppData\Local\Temp\testversion.exe
"C:\Users\Admin\AppData\Local\Temp\testversion.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\testversion.exe
"C:\Users\Admin\AppData\Local\Temp\testversion.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Winlogon Helper DLL

1

T1004

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\testversion.exe
Filesize
180KB

MD5
ea38cfcc0258377c4feedfc30ed0bbc1

SHA1
7b3bbfdffbfdaf8209d30f33c545b54abfd2816f

SHA256
1b0a551577b66e5829eabfbdd99459b779d713a127812788ab96f90e08340e64

SHA512
3920ac4956040655c0afac75d4030689ae367f324647c70e43a174938bed8a0ae993b417bb21d96a3ca31f631201b7fbfbbf6b89b37814815f51618d0e3928cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC3C2.tmp.bat
Filesize
158B

MD5
57c59605e1a87e04b6e19a5a5bcdffd9

SHA1
6d90f7cedd2446e3d8bf46e703e7ba6a6ef4dba8

SHA256
00f8ff824778e2e0f18b3c6f305c83212e1e0175fa6046379371cc1958522462

SHA512
5f8b2b05306a38d4b4dee10b5ead006e2d005c5001786e081ef4a7bbfd644fd9b8cbc02f7b6307f3a3b21de598d308e182acd969fea98ad20b891d233b79d196

Download Submit
memory/976-134-0x0000000000000000-mapping.dmp

Download
memory/1288-138-0x0000000000000000-mapping.dmp

Download
memory/1404-137-0x0000000000000000-mapping.dmp

Download
memory/2028-142-0x0000000000000000-mapping.dmp

Download
memory/3368-130-0x00000000004B0000-0x00000000004E4000-memory.dmp

Filesize
208KB

Download
memory/3368-133-0x0000000004E90000-0x0000000004E9A000-memory.dmp

Filesize
40KB

Download
memory/3368-132-0x0000000004EE0000-0x0000000004F72000-memory.dmp

Filesize
584KB

Download
memory/3368-131-0x0000000005490000-0x0000000005A34000-memory.dmp

Filesize
5.6MB

Download
memory/3748-141-0x0000000000000000-mapping.dmp

Download
memory/4464-145-0x0000000000000000-mapping.dmp

Download
memory/4552-140-0x0000000000000000-mapping.dmp

Download
memory/4636-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4636-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads