asyncrat | 936f58b1813856c65f6206acce0b9711d4ac41598b5492b6951352ac04cc3c62

General

Target

ctfmon.exe
Size

300.0MB
MD5

eb62cecfbe36eeaeab3ea25a65967f9d
SHA1

2a4eb3fc914111cf67939b28ae5833d16b3315db
SHA256

936f58b1813856c65f6206acce0b9711d4ac41598b5492b6951352ac04cc3c62
SHA512

d1239c3a0dc408ba4d7b605adc897bdd183b7b4085847559ba4586a3978c34f414176e680d325b8e50386b5d4366ff3f0edeeab7f04b139e8e6c5defbc87a7db

Score

10^/10

asyncrat nigatex rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Nigatex

C2

nigatex.ml:25565

Mutex

huieqwgehqweqduia

Attributes

delay
1
install
false
install_file
MpCopyAccelerator.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1096-59-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1096-61-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1096-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1096-63-0x000000000040CB9E-mapping.dmp	asyncrat
behavioral1/memory/1096-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1096-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1096-72-0x0000000000600000-0x000000000060C000-memory.dmp	asyncrat
behavioral1/memory/1088-95-0x000000000040CB9E-mapping.dmp	asyncrat
behavioral1/memory/1336-115-0x000000000040CB9E-mapping.dmp	asyncrat

Executes dropped EXE 3 IoCs

Processes:

nvcontainer.exectfmon32.exectfmon32.exe

pid process

1532 nvcontainer.exe
1300 ctfmon32.exe
1484 ctfmon32.exe
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

568 powershell.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1532	nvcontainer.exe
1300	ctfmon32.exe
1484	ctfmon32.exe

pid	process
568	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ctfmon.exectfmon32.exectfmon32.exe

description	pid	process	target process
PID 1212 set thread context of 1096	1212	ctfmon.exe	vbc.exe
PID 1300 set thread context of 1088	1300	ctfmon32.exe	vbc.exe
PID 1484 set thread context of 1336	1484	ctfmon32.exe	vbc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

876 schtasks.exe
1064 schtasks.exe
1640 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exevbc.exe

pid process

568 powershell.exe
1096 vbc.exe
568 powershell.exe
568 powershell.exe

pid	process
876	schtasks.exe
1064	schtasks.exe
1640	schtasks.exe

pid	process
568	powershell.exe
1096	vbc.exe
568	powershell.exe
568	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

ctfmon.exevbc.exepowershell.exenvcontainer.exectfmon32.exectfmon32.exe

description	pid	process
Token: SeDebugPrivilege	1212	ctfmon.exe
Token: SeDebugPrivilege	1096	vbc.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1532	nvcontainer.exe
Token: SeDebugPrivilege	1300	ctfmon32.exe
Token: SeDebugPrivilege	1484	ctfmon32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ctfmon.execmd.exevbc.execmd.exepowershell.exetaskeng.exectfmon32.execmd.exectfmon32.exe

description	pid	process	target process
PID 1212 wrote to memory of 1096	1212	ctfmon.exe	vbc.exe
PID 1212 wrote to memory of 1096	1212	ctfmon.exe	vbc.exe
PID 1212 wrote to memory of 1096	1212	ctfmon.exe	vbc.exe
PID 1212 wrote to memory of 1096	1212	ctfmon.exe	vbc.exe
PID 1212 wrote to memory of 1096	1212	ctfmon.exe	vbc.exe
PID 1212 wrote to memory of 1096	1212	ctfmon.exe	vbc.exe
PID 1212 wrote to memory of 1096	1212	ctfmon.exe	vbc.exe
PID 1212 wrote to memory of 1096	1212	ctfmon.exe	vbc.exe
PID 1212 wrote to memory of 1096	1212	ctfmon.exe	vbc.exe
PID 1212 wrote to memory of 624	1212	ctfmon.exe	cmd.exe
PID 1212 wrote to memory of 624	1212	ctfmon.exe	cmd.exe
PID 1212 wrote to memory of 624	1212	ctfmon.exe	cmd.exe
PID 1212 wrote to memory of 624	1212	ctfmon.exe	cmd.exe
PID 624 wrote to memory of 876	624	cmd.exe	schtasks.exe
PID 624 wrote to memory of 876	624	cmd.exe	schtasks.exe
PID 624 wrote to memory of 876	624	cmd.exe	schtasks.exe
PID 624 wrote to memory of 876	624	cmd.exe	schtasks.exe
PID 1212 wrote to memory of 1344	1212	ctfmon.exe	cmd.exe
PID 1212 wrote to memory of 1344	1212	ctfmon.exe	cmd.exe
PID 1212 wrote to memory of 1344	1212	ctfmon.exe	cmd.exe
PID 1212 wrote to memory of 1344	1212	ctfmon.exe	cmd.exe
PID 1096 wrote to memory of 1968	1096	vbc.exe	cmd.exe
PID 1096 wrote to memory of 1968	1096	vbc.exe	cmd.exe
PID 1096 wrote to memory of 1968	1096	vbc.exe	cmd.exe
PID 1096 wrote to memory of 1968	1096	vbc.exe	cmd.exe
PID 1968 wrote to memory of 568	1968	cmd.exe	powershell.exe
PID 1968 wrote to memory of 568	1968	cmd.exe	powershell.exe
PID 1968 wrote to memory of 568	1968	cmd.exe	powershell.exe
PID 1968 wrote to memory of 568	1968	cmd.exe	powershell.exe
PID 568 wrote to memory of 1532	568	powershell.exe	nvcontainer.exe
PID 568 wrote to memory of 1532	568	powershell.exe	nvcontainer.exe
PID 568 wrote to memory of 1532	568	powershell.exe	nvcontainer.exe
PID 568 wrote to memory of 1532	568	powershell.exe	nvcontainer.exe
PID 1444 wrote to memory of 1300	1444	taskeng.exe	ctfmon32.exe
PID 1444 wrote to memory of 1300	1444	taskeng.exe	ctfmon32.exe
PID 1444 wrote to memory of 1300	1444	taskeng.exe	ctfmon32.exe
PID 1444 wrote to memory of 1300	1444	taskeng.exe	ctfmon32.exe
PID 1300 wrote to memory of 1088	1300	ctfmon32.exe	vbc.exe
PID 1300 wrote to memory of 1088	1300	ctfmon32.exe	vbc.exe
PID 1300 wrote to memory of 1088	1300	ctfmon32.exe	vbc.exe
PID 1300 wrote to memory of 1088	1300	ctfmon32.exe	vbc.exe
PID 1300 wrote to memory of 1088	1300	ctfmon32.exe	vbc.exe
PID 1300 wrote to memory of 1088	1300	ctfmon32.exe	vbc.exe
PID 1300 wrote to memory of 1088	1300	ctfmon32.exe	vbc.exe
PID 1300 wrote to memory of 1088	1300	ctfmon32.exe	vbc.exe
PID 1300 wrote to memory of 1088	1300	ctfmon32.exe	vbc.exe
PID 1300 wrote to memory of 1656	1300	ctfmon32.exe	cmd.exe
PID 1300 wrote to memory of 1656	1300	ctfmon32.exe	cmd.exe
PID 1300 wrote to memory of 1656	1300	ctfmon32.exe	cmd.exe
PID 1300 wrote to memory of 1656	1300	ctfmon32.exe	cmd.exe
PID 1656 wrote to memory of 1064	1656	cmd.exe	schtasks.exe
PID 1656 wrote to memory of 1064	1656	cmd.exe	schtasks.exe
PID 1656 wrote to memory of 1064	1656	cmd.exe	schtasks.exe
PID 1656 wrote to memory of 1064	1656	cmd.exe	schtasks.exe
PID 1300 wrote to memory of 2012	1300	ctfmon32.exe	cmd.exe
PID 1300 wrote to memory of 2012	1300	ctfmon32.exe	cmd.exe
PID 1300 wrote to memory of 2012	1300	ctfmon32.exe	cmd.exe
PID 1300 wrote to memory of 2012	1300	ctfmon32.exe	cmd.exe
PID 1444 wrote to memory of 1484	1444	taskeng.exe	ctfmon32.exe
PID 1444 wrote to memory of 1484	1444	taskeng.exe	ctfmon32.exe
PID 1444 wrote to memory of 1484	1444	taskeng.exe	ctfmon32.exe
PID 1444 wrote to memory of 1484	1444	taskeng.exe	ctfmon32.exe
PID 1484 wrote to memory of 1336	1484	ctfmon32.exe	vbc.exe
PID 1484 wrote to memory of 1336	1484	ctfmon32.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\ctfmon.exe
"C:\Users\Admin\AppData\Local\Temp\ctfmon.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"'
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
"C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
3⤵
- Creates scheduled task(s)
PID:876

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\ctfmon.exe" "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe"
2⤵
PID:1344

C:\Windows\system32\taskeng.exe
taskeng.exe {7220F386-7FDB-405F-9DC8-5A7BAD0E9DE3} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1064

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe" "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe"
3⤵
PID:2012

C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
3⤵
PID:956

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1640

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe" "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe"
3⤵
PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
Filesize
300.0MB

MD5
e407c7a0f100ef58922d20b19e4e8c35

SHA1
f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

SHA256
da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

SHA512
72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
Filesize
300.0MB

MD5
e407c7a0f100ef58922d20b19e4e8c35

SHA1
f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

SHA256
da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

SHA512
72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

Download Submit
C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
Filesize
97.3MB

MD5
e881b739dfc337045d688c701f252a22

SHA1
ceaeca0d2912e1a39a6d68c3eb3a0ab06017654b

SHA256
9dc16eb20e2178bc57aa121ecb5d8e13a6ed553f3c38c8cb90e2b7ba819c142d

SHA512
5a8cf22b1c73a90efd0496a83bd10b7d559c9abe9dc848a8637f15a931fb4e2ff55306e3dc0bae06eadb28d32aa71b24d0b3bea4893d75d37bc4fcd133771c6b

Download Submit
C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
Filesize
277.3MB

MD5
46e35faf288fd93c5d5f783d1dcebc35

SHA1
3f937e36f58251dc31ec1581132738822d9fc692

SHA256
74a78bf3c2048f5fe64abe94018edaf4217a51bfa0c4400ab3618116a66bec1f

SHA512
5b51978361ecaad7bfb7c1414e086f510f48a4cc57d1e49c4810e807972bca2cb1821240ff3d43c2f8d2cdc16e83f360ca970c3ad6f137be19d5d49e64099e91

Download Submit
C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe
Filesize
278.8MB

MD5
49a6ae7ce9dd5ee8f02814757910a581

SHA1
d5faf7134b312bde4173d868d20b30ad0e905c4b

SHA256
4c8c09841d81be0d1c6e4e8f4288eb34fc07e539b6ca2ae0db404ce92f66f9d2

SHA512
a6729736fab7770344a79ddc5409ea27124304118a3663b8b7c603bac2cdedd167796e289799f38ddf7500eb796a2b4fbadf1c05ac8a38c86f55e91ef4b5d857

Download Submit
\Users\Admin\AppData\Local\Temp\nvcontainer.exe
Filesize
300.0MB

MD5
e407c7a0f100ef58922d20b19e4e8c35

SHA1
f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

SHA256
da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

SHA512
72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

Download Submit
memory/568-81-0x000000006EEE0000-0x000000006F48B000-memory.dmp

Filesize
5.7MB

Download
memory/568-74-0x0000000000000000-mapping.dmp

Download
memory/568-76-0x000000006EEE0000-0x000000006F48B000-memory.dmp

Filesize
5.7MB

Download
memory/624-68-0x0000000000000000-mapping.dmp

Download
memory/876-69-0x0000000000000000-mapping.dmp

Download
memory/956-120-0x0000000000000000-mapping.dmp

Download
memory/1064-101-0x0000000000000000-mapping.dmp

Download
memory/1088-95-0x000000000040CB9E-mapping.dmp

Download
memory/1096-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1096-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1096-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1096-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1096-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1096-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1096-63-0x000000000040CB9E-mapping.dmp

Download
memory/1096-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1096-72-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/1212-55-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1212-54-0x00000000000C0000-0x0000000000110000-memory.dmp

Filesize
320KB

Download
memory/1300-84-0x0000000000000000-mapping.dmp

Download
memory/1300-86-0x0000000000070000-0x00000000000C0000-memory.dmp

Filesize
320KB

Download
memory/1336-115-0x000000000040CB9E-mapping.dmp

Download
memory/1344-70-0x0000000000000000-mapping.dmp

Download
memory/1484-106-0x00000000003A0000-0x00000000003F0000-memory.dmp

Filesize
320KB

Download
memory/1484-104-0x0000000000000000-mapping.dmp

Download
memory/1532-79-0x0000000000000000-mapping.dmp

Download
memory/1532-82-0x000000013F280000-0x000000013F376000-memory.dmp

Filesize
984KB

Download
memory/1640-121-0x0000000000000000-mapping.dmp

Download
memory/1656-99-0x0000000000000000-mapping.dmp

Download
memory/1840-122-0x0000000000000000-mapping.dmp

Download
memory/1968-73-0x0000000000000000-mapping.dmp

Download
memory/2012-102-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads