asyncrat | 14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb

General

Target

14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe
Size

682KB
MD5

80bb1cba6800f593cf722f35eecf2651
SHA1

ec57b4c93f8e53ba5e2118b2c642b6c83694e0c9
SHA256

14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb
SHA512

160782272319358cd5608d1ffa9cb7ee0acfef657366e688b3b944902b2a9221b970fc2a7e55bbd0eb576257070e500f48ebdf9a4a6d49cda57c9e1ce93e1fd4

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7A

Botnet

Default

C2

klol.ddns.net:5353

Mutex

pbkkxzhztwvqna

Attributes

delay
1
install
false
install_file
klol.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1992-80-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1992-82-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1992-83-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1992-84-0x000000000040D1AE-mapping.dmp	asyncrat
behavioral1/memory/1992-86-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1992-88-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe

description	pid	process	target process
PID 1260 set thread context of 1992	1260	14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe	jsc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe

description pid process

Token: SeDebugPrivilege 1260 14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe

description	pid	process
Token: SeDebugPrivilege	1260	14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe

description	pid	process	target process
PID 1260 wrote to memory of 1992	1260	14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe	jsc.exe
PID 1260 wrote to memory of 1992	1260	14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe	jsc.exe
PID 1260 wrote to memory of 1992	1260	14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe	jsc.exe
PID 1260 wrote to memory of 1992	1260	14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe	jsc.exe
PID 1260 wrote to memory of 1992	1260	14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe	jsc.exe
PID 1260 wrote to memory of 1992	1260	14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe	jsc.exe
PID 1260 wrote to memory of 1992	1260	14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe	jsc.exe
PID 1260 wrote to memory of 1992	1260	14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe	jsc.exe
PID 1260 wrote to memory of 1992	1260	14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe
"C:\Users\Admin\AppData\Local\Temp\14d449fbc2ed1f0bf002d0c599b96ae52c5d77e60ed8714f74aa2e8c7aa8a3eb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
2⤵
PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1260-54-0x0000000000BF0000-0x0000000000C9E000-memory.dmp

Filesize
696KB

Download
memory/1260-55-0x0000000000410000-0x000000000043A000-memory.dmp

Filesize
168KB

Download
memory/1260-56-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/1260-57-0x0000000075361000-0x0000000075363000-memory.dmp

Filesize
8KB

Download
memory/1260-58-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/1260-59-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/1260-60-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download
memory/1260-61-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/1260-62-0x0000000000B30000-0x0000000000B52000-memory.dmp

Filesize
136KB

Download
memory/1260-63-0x0000000000740000-0x000000000075C000-memory.dmp

Filesize
112KB

Download
memory/1260-64-0x0000000000B60000-0x0000000000B8C000-memory.dmp

Filesize
176KB

Download
memory/1260-65-0x0000000000760000-0x0000000000774000-memory.dmp

Filesize
80KB

Download
memory/1260-66-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/1260-67-0x00000000020A0000-0x00000000020BA000-memory.dmp

Filesize
104KB

Download
memory/1260-68-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/1260-69-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

Filesize
56KB

Download
memory/1260-70-0x00000000020C0000-0x00000000020CA000-memory.dmp

Filesize
40KB

Download
memory/1260-71-0x00000000020D0000-0x00000000020DA000-memory.dmp

Filesize
40KB

Download
memory/1260-72-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download
memory/1260-73-0x00000000021E0000-0x00000000021F2000-memory.dmp

Filesize
72KB

Download
memory/1260-74-0x00000000020D0000-0x00000000020DE000-memory.dmp

Filesize
56KB

Download
memory/1260-75-0x00000000022F0000-0x0000000002314000-memory.dmp

Filesize
144KB

Download
memory/1260-76-0x0000000004430000-0x0000000004458000-memory.dmp

Filesize
160KB

Download
memory/1992-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1992-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1992-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1992-82-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1992-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1992-84-0x000000000040D1AE-mapping.dmp

Download
memory/1992-86-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1992-88-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads