asyncrat | e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096

General

Target

e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe
Size

611KB
MD5

415c1a6ab788cf624cb4e6654af3f99d
SHA1

b48d8ecadaaf4afb45b75b6b86ecaeab4de691e8
SHA256

e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096
SHA512

a7c438470010174d241fe59ca58bb61acc00965513d161f8b36f90261d8f98e64312d97a832f4c5cfffea0fe61b2d9ebe93a0678dfafb5351eac3d604763c169

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

Botnet

Default

C2

milla.publicvm.com:6606

milla.publicvm.com:7707

milla.publicvm.com:8808

milla2.ddns.net:6606

milla2.ddns.net:7707

milla2.ddns.net:8808

Mutex

wqyorhighirvir

Attributes

delay
40
install
true
install_file
explorer.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2008-55-0x0000000000170000-0x0000000000182000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

768 explorer.exe

pid	process
768	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Helper.exe"	e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Helper = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Helper.exe"	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

604 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1572 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe

pid process

2008 e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe

description pid process

Token: SeDebugPrivilege 2008 e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe

pid	process
604	schtasks.exe

pid	process
1572	timeout.exe

pid	process
2008	e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe

description	pid	process
Token: SeDebugPrivilege	2008	e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.execmd.execmd.exe

description	pid	process	target process
PID 2008 wrote to memory of 1252	2008	e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe	cmd.exe
PID 2008 wrote to memory of 1252	2008	e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe	cmd.exe
PID 2008 wrote to memory of 1252	2008	e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe	cmd.exe
PID 2008 wrote to memory of 1180	2008	e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe	cmd.exe
PID 2008 wrote to memory of 1180	2008	e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe	cmd.exe
PID 2008 wrote to memory of 1180	2008	e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe	cmd.exe
PID 1180 wrote to memory of 1572	1180	cmd.exe	timeout.exe
PID 1180 wrote to memory of 1572	1180	cmd.exe	timeout.exe
PID 1180 wrote to memory of 1572	1180	cmd.exe	timeout.exe
PID 1252 wrote to memory of 604	1252	cmd.exe	schtasks.exe
PID 1252 wrote to memory of 604	1252	cmd.exe	schtasks.exe
PID 1252 wrote to memory of 604	1252	cmd.exe	schtasks.exe
PID 1180 wrote to memory of 768	1180	cmd.exe	explorer.exe
PID 1180 wrote to memory of 768	1180	cmd.exe	explorer.exe
PID 1180 wrote to memory of 768	1180	cmd.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe
"C:\Users\Admin\AppData\Local\Temp\e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096 /tr '"C:\Users\Admin\AppData\Roaming\explorer.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /ru system /rl highest /tn e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096 /tr '"C:\Users\Admin\AppData\Roaming\explorer.exe"'
3⤵
- Creates scheduled task(s)
PID:604

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB185.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1572

C:\Users\Admin\AppData\Roaming\explorer.exe
"C:\Users\Admin\AppData\Roaming\explorer.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB185.tmp.bat
Filesize
152B

MD5
0a4ab85b461bc4cf6da82ce97b88f817

SHA1
2bfd5d5038e60b6f024d1f8e168ccc3d16095cdb

SHA256
0fdfe8ea6c0e2ccf7edd237c4568349bfaa75641ae09a79bf59501895d36f89d

SHA512
f754edb59fdb67d946c571ca329100bca3fa4c97cfce336954110a37d244af69b4113ca61267012e7f51a3390fe37b180f08e317fca69a76760a58395ef22ede

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Helper.exe
Filesize
611KB

MD5
415c1a6ab788cf624cb4e6654af3f99d

SHA1
b48d8ecadaaf4afb45b75b6b86ecaeab4de691e8

SHA256
e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096

SHA512
a7c438470010174d241fe59ca58bb61acc00965513d161f8b36f90261d8f98e64312d97a832f4c5cfffea0fe61b2d9ebe93a0678dfafb5351eac3d604763c169

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
Filesize
611KB

MD5
415c1a6ab788cf624cb4e6654af3f99d

SHA1
b48d8ecadaaf4afb45b75b6b86ecaeab4de691e8

SHA256
e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096

SHA512
a7c438470010174d241fe59ca58bb61acc00965513d161f8b36f90261d8f98e64312d97a832f4c5cfffea0fe61b2d9ebe93a0678dfafb5351eac3d604763c169

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
Filesize
611KB

MD5
415c1a6ab788cf624cb4e6654af3f99d

SHA1
b48d8ecadaaf4afb45b75b6b86ecaeab4de691e8

SHA256
e3089b45284605971b1e621968a290fe37d5fba375ccbf83f14bd4b93a33b096

SHA512
a7c438470010174d241fe59ca58bb61acc00965513d161f8b36f90261d8f98e64312d97a832f4c5cfffea0fe61b2d9ebe93a0678dfafb5351eac3d604763c169

Download Submit
memory/604-60-0x0000000000000000-mapping.dmp

Download
memory/768-61-0x0000000000000000-mapping.dmp

Download
memory/768-64-0x0000000000280000-0x000000000031E000-memory.dmp

Filesize
632KB

Download
memory/1180-57-0x0000000000000000-mapping.dmp

Download
memory/1252-56-0x0000000000000000-mapping.dmp

Download
memory/1572-59-0x0000000000000000-mapping.dmp

Download
memory/2008-54-0x0000000000F00000-0x0000000000F9E000-memory.dmp

Filesize
632KB

Download
memory/2008-55-0x0000000000170000-0x0000000000182000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads