asyncrat | f1ff4fbaa6991440428ea8b228268b6ba82595aa8cdbcf2e7bb8a69835753b31

General

Target

Re-2181718.exe
Size

172KB
MD5

be2d1ca01da2a323960e94dcae0d4696
SHA1

a0a404c6ef2dcb77f65ddf072402eeeecdd1dc2e
SHA256

f1ff4fbaa6991440428ea8b228268b6ba82595aa8cdbcf2e7bb8a69835753b31
SHA512

883cb35116de50ee923fb5101aa1a6b3dea61897d96a73a51e1bc351dc7181f116dc1e290bf86946300b8998f53e106a064b73e1ebf3f503e1e5e65e2a5ed27c

Score

10^/10

asyncrat blustealer default persistence rat spyware stealer suricata

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
smtp.yandex.ru
Port:
587
Username:
t.liaen@yandex.com
Password:
@vZe#$#28990

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1111

62.197.136.167:6606

62.197.136.167:7707

62.197.136.167:8808

62.197.136.167:1111

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3636-171-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Jcsbrafiyvpxtqostory5m.exe

pid process

4936 Jcsbrafiyvpxtqostory5m.exe

pid	process
4936	Jcsbrafiyvpxtqostory5m.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Re-2181718.exeJcsbrafiyvpxtqostory5m.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Re-2181718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Jcsbrafiyvpxtqostory5m.exe

Loads dropped DLL 2 IoCs

Processes:

InstallUtil.exe

pid process

612 InstallUtil.exe
612 InstallUtil.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
612	InstallUtil.exe
612	InstallUtil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Re-2181718.exeJcsbrafiyvpxtqostory5m.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aeigqqh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tupbtqbro\\Aeigqqh.exe\""	Re-2181718.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aeigqqh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tupbtqbro\\Aeigqqh.exe\""	Jcsbrafiyvpxtqostory5m.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Re-2181718.exeInstallUtil.exeJcsbrafiyvpxtqostory5m.exe

description	pid	process	target process
PID 4704 set thread context of 612	4704	Re-2181718.exe	InstallUtil.exe
PID 612 set thread context of 3076	612	InstallUtil.exe	InstallUtil.exe
PID 4936 set thread context of 3636	4936	Jcsbrafiyvpxtqostory5m.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exeRe-2181718.exepowershell.exepowershell.exeJcsbrafiyvpxtqostory5m.exe

pid	process
4780	powershell.exe
4780	powershell.exe
404	powershell.exe
404	powershell.exe
4704	Re-2181718.exe
4704	Re-2181718.exe
5116	powershell.exe
5116	powershell.exe
2488	powershell.exe
2488	powershell.exe
4936	Jcsbrafiyvpxtqostory5m.exe
4936	Jcsbrafiyvpxtqostory5m.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exeRe-2181718.exepowershell.exepowershell.exeJcsbrafiyvpxtqostory5m.exepowershell.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	4704	Re-2181718.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	4936	Jcsbrafiyvpxtqostory5m.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	3636	InstallUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

612 InstallUtil.exe

pid	process
612	InstallUtil.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

Re-2181718.exeJcsbrafiyvpxtqostory5m.exeInstallUtil.exe

description	pid	process	target process
PID 4704 wrote to memory of 4780	4704	Re-2181718.exe	powershell.exe
PID 4704 wrote to memory of 4780	4704	Re-2181718.exe	powershell.exe
PID 4704 wrote to memory of 4780	4704	Re-2181718.exe	powershell.exe
PID 4704 wrote to memory of 404	4704	Re-2181718.exe	powershell.exe
PID 4704 wrote to memory of 404	4704	Re-2181718.exe	powershell.exe
PID 4704 wrote to memory of 404	4704	Re-2181718.exe	powershell.exe
PID 4704 wrote to memory of 4936	4704	Re-2181718.exe	Jcsbrafiyvpxtqostory5m.exe
PID 4704 wrote to memory of 4936	4704	Re-2181718.exe	Jcsbrafiyvpxtqostory5m.exe
PID 4704 wrote to memory of 4936	4704	Re-2181718.exe	Jcsbrafiyvpxtqostory5m.exe
PID 4704 wrote to memory of 612	4704	Re-2181718.exe	InstallUtil.exe
PID 4704 wrote to memory of 612	4704	Re-2181718.exe	InstallUtil.exe
PID 4704 wrote to memory of 612	4704	Re-2181718.exe	InstallUtil.exe
PID 4936 wrote to memory of 5116	4936	Jcsbrafiyvpxtqostory5m.exe	powershell.exe
PID 4936 wrote to memory of 5116	4936	Jcsbrafiyvpxtqostory5m.exe	powershell.exe
PID 4936 wrote to memory of 5116	4936	Jcsbrafiyvpxtqostory5m.exe	powershell.exe
PID 4704 wrote to memory of 612	4704	Re-2181718.exe	InstallUtil.exe
PID 4704 wrote to memory of 612	4704	Re-2181718.exe	InstallUtil.exe
PID 4704 wrote to memory of 612	4704	Re-2181718.exe	InstallUtil.exe
PID 4704 wrote to memory of 612	4704	Re-2181718.exe	InstallUtil.exe
PID 4704 wrote to memory of 612	4704	Re-2181718.exe	InstallUtil.exe
PID 4936 wrote to memory of 2488	4936	Jcsbrafiyvpxtqostory5m.exe	powershell.exe
PID 4936 wrote to memory of 2488	4936	Jcsbrafiyvpxtqostory5m.exe	powershell.exe
PID 4936 wrote to memory of 2488	4936	Jcsbrafiyvpxtqostory5m.exe	powershell.exe
PID 612 wrote to memory of 3076	612	InstallUtil.exe	InstallUtil.exe
PID 612 wrote to memory of 3076	612	InstallUtil.exe	InstallUtil.exe
PID 612 wrote to memory of 3076	612	InstallUtil.exe	InstallUtil.exe
PID 612 wrote to memory of 3076	612	InstallUtil.exe	InstallUtil.exe
PID 612 wrote to memory of 3076	612	InstallUtil.exe	InstallUtil.exe
PID 4936 wrote to memory of 3636	4936	Jcsbrafiyvpxtqostory5m.exe	InstallUtil.exe
PID 4936 wrote to memory of 3636	4936	Jcsbrafiyvpxtqostory5m.exe	InstallUtil.exe
PID 4936 wrote to memory of 3636	4936	Jcsbrafiyvpxtqostory5m.exe	InstallUtil.exe
PID 4936 wrote to memory of 3636	4936	Jcsbrafiyvpxtqostory5m.exe	InstallUtil.exe
PID 4936 wrote to memory of 3636	4936	Jcsbrafiyvpxtqostory5m.exe	InstallUtil.exe
PID 4936 wrote to memory of 3636	4936	Jcsbrafiyvpxtqostory5m.exe	InstallUtil.exe
PID 4936 wrote to memory of 3636	4936	Jcsbrafiyvpxtqostory5m.exe	InstallUtil.exe
PID 4936 wrote to memory of 3636	4936	Jcsbrafiyvpxtqostory5m.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\Re-2181718.exe
"C:\Users\Admin\AppData\Local\Temp\Re-2181718.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Users\Admin\AppData\Local\Temp\Jcsbrafiyvpxtqostory5m.exe
"C:\Users\Admin\AppData\Local\Temp\Jcsbrafiyvpxtqostory5m.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:612

C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
3⤵
PID:3076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
3a55dd28fa62972eed8d90ee9d094836

SHA1
170b12b3b742dd289f40557448345061ea590ab2

SHA256
b600a111405e842d91f0abfb2265e5c219791b0b5f81ec58ff4b4d4779622da8

SHA512
7025568b583de52bfc0a735719c0f906925cc68f9735ac8d7305744779a0fdf3742b27fc398597f170b74313e6681dbbca841d6596e49478148b27f794b5eb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jcsbrafiyvpxtqostory5m.exe
Filesize
172KB

MD5
982f97ccf89f9d50dbc5d152c7139a50

SHA1
0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

SHA256
f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

SHA512
c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jcsbrafiyvpxtqostory5m.exe
Filesize
172KB

MD5
982f97ccf89f9d50dbc5d152c7139a50

SHA1
0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

SHA256
f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

SHA512
c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

Download Submit
C:\Users\Admin\AppData\Roaming\Tupbtqbro\Aeigqqh.exe
Filesize
172KB

MD5
5419ab9562088c956e56967db9a2a977

SHA1
6b2b5a640bbac460e36608cc40a45e841e48d66e

SHA256
28e2bb86c87d0aa961e3a1cc289a53d897cb8ea49b9e1b4751df8115c5e07983

SHA512
1efbc09ff6b631de4acef6489822422c1f0c2ee54b69d74d4617621d817d6e983d75dbe677e3c3be7a75d2094a6d3716620e73e99da89935851c378d366f6b3a

Download Submit
C:\Users\Public\3037384246424646303030333036443242464246463030303330\SQLite3_StdCall.dll
Filesize
59KB

MD5
d77b227a28a78627c2323cac75948390

SHA1
e228c3951f2a9fd0febfe07390633ab4f35727f4

SHA256
527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

SHA512
5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

Download Submit
C:\Users\Public\3037384246424646303030333036443242464246463030303330\sqlite3.dll
Filesize
585KB

MD5
5405413fff79b8d9c747aa900f60f082

SHA1
71caf8907ddd9a3a25d71356bd2ce09bd293bd78

SHA256
3e5a28ffde07ac661c26b6ccf94e64c1c90b1f25b3b24c90605aa922b87642eb

SHA512
2f09a30fc4da5166bd665210fefa1d44ce344f0ec6a37f127d677aeb3ca4fc0d09b7c9c1540f57da1e3449b7f588a1c61115395e965fa153d4baa5033266ed66

Download Submit
memory/404-145-0x0000000000000000-mapping.dmp

Download
memory/612-156-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/612-153-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/612-160-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/612-159-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download
memory/612-151-0x0000000000000000-mapping.dmp

Download
memory/2488-161-0x0000000000000000-mapping.dmp

Download
memory/3076-163-0x0000000000000000-mapping.dmp

Download
memory/3076-168-0x000000006F360000-0x000000006F911000-memory.dmp

Filesize
5.7MB

Download
memory/3076-164-0x0000000001210000-0x000000000121E000-memory.dmp

Filesize
56KB

Download
memory/3076-167-0x000000006F360000-0x000000006F911000-memory.dmp

Filesize
5.7MB

Download
memory/3636-171-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3636-172-0x0000000005B50000-0x0000000005BEC000-memory.dmp

Filesize
624KB

Download
memory/3636-170-0x0000000000000000-mapping.dmp

Download
memory/4704-133-0x0000000004D80000-0x0000000004D8A000-memory.dmp

Filesize
40KB

Download
memory/4704-132-0x0000000004BD0000-0x0000000004C62000-memory.dmp

Filesize
584KB

Download
memory/4704-130-0x0000000000210000-0x0000000000240000-memory.dmp

Filesize
192KB

Download
memory/4704-131-0x0000000005240000-0x00000000057E4000-memory.dmp

Filesize
5.6MB

Download
memory/4780-140-0x0000000005580000-0x000000000559E000-memory.dmp

Filesize
120KB

Download
memory/4780-141-0x0000000006DA0000-0x0000000006DE4000-memory.dmp

Filesize
272KB

Download
memory/4780-134-0x0000000000000000-mapping.dmp

Download
memory/4780-135-0x0000000002F00000-0x0000000002F36000-memory.dmp

Filesize
216KB

Download
memory/4780-144-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

Filesize
104KB

Download
memory/4780-143-0x0000000008220000-0x000000000889A000-memory.dmp

Filesize
6.5MB

Download
memory/4780-142-0x0000000007920000-0x0000000007996000-memory.dmp

Filesize
472KB

Download
memory/4780-136-0x0000000005AC0000-0x00000000060E8000-memory.dmp

Filesize
6.2MB

Download
memory/4780-139-0x00000000061E0000-0x0000000006246000-memory.dmp

Filesize
408KB

Download
memory/4780-138-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4780-137-0x0000000005980000-0x00000000059A2000-memory.dmp

Filesize
136KB

Download
memory/4936-147-0x0000000000000000-mapping.dmp

Download
memory/4936-150-0x00000000005E0000-0x0000000000610000-memory.dmp

Filesize
192KB

Download
memory/5116-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads