asyncrat | a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

General

Target

A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Size

701KB
MD5

1bd98c5b4581aeff9b65ce5653f49cdf
SHA1

3091d81da54ed79391b456e8e94e6b939be2a316
SHA256

a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1
SHA512

f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Score

10^/10

asyncrat default rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

Botnet

Default

C2

milla.publicvm.com:6606

milla.publicvm.com:7707

milla.publicvm.com:8808

Mutex

ncwfisdaribhhybik

Attributes

delay
10
install
true
install_file
syastem.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1660-55-0x0000000000380000-0x0000000000392000-memory.dmp	asyncrat
behavioral1/memory/1296-67-0x0000000000250000-0x0000000000262000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

syastem.exe

pid process

1296 syastem.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1132 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

844 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1908 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.exe

pid process

1660 A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.exesyastem.exe

description pid process

Token: SeDebugPrivilege 1660 A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Token: SeDebugPrivilege 1296 syastem.exe

pid	process
1296	syastem.exe

pid	process
1132	cmd.exe

pid	process
844	schtasks.exe

pid	process
1908	timeout.exe

pid	process
1660	A4A60422374845BF0ABD892DD48D352978D697C883196.exe

description	pid	process
Token: SeDebugPrivilege	1660	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Token: SeDebugPrivilege	1296	syastem.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.execmd.execmd.exe

description	pid	process	target process
PID 1660 wrote to memory of 1708	1660	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1660 wrote to memory of 1708	1660	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1660 wrote to memory of 1708	1660	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1660 wrote to memory of 1708	1660	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1660 wrote to memory of 1132	1660	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1660 wrote to memory of 1132	1660	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1660 wrote to memory of 1132	1660	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1660 wrote to memory of 1132	1660	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1708 wrote to memory of 844	1708	cmd.exe	schtasks.exe
PID 1708 wrote to memory of 844	1708	cmd.exe	schtasks.exe
PID 1708 wrote to memory of 844	1708	cmd.exe	schtasks.exe
PID 1708 wrote to memory of 844	1708	cmd.exe	schtasks.exe
PID 1132 wrote to memory of 1908	1132	cmd.exe	timeout.exe
PID 1132 wrote to memory of 1908	1132	cmd.exe	timeout.exe
PID 1132 wrote to memory of 1908	1132	cmd.exe	timeout.exe
PID 1132 wrote to memory of 1908	1132	cmd.exe	timeout.exe
PID 1132 wrote to memory of 1296	1132	cmd.exe	syastem.exe
PID 1132 wrote to memory of 1296	1132	cmd.exe	syastem.exe
PID 1132 wrote to memory of 1296	1132	cmd.exe	syastem.exe
PID 1132 wrote to memory of 1296	1132	cmd.exe	syastem.exe

C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe
"C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"'
3⤵
- Creates scheduled task(s)
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp87A7.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1908

C:\Users\Admin\AppData\Roaming\syastem.exe
"C:\Users\Admin\AppData\Roaming\syastem.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp87A7.tmp.bat
Filesize
151B

MD5
4d98b1f470d85af9081b0a121382821e

SHA1
b3706e80a96d12c2ab4daea321f9efb9ba191c00

SHA256
9b11a3402b33f3b1c4f148cf15dbcce0d77a2ea055c437719612455eef918d9a

SHA512
3c791e570317ad8ce6e5e1be4baec99f4c329b53db8759b7664f97f8c9069603a599c1fd1d8c5d6867b70b4f0a28d62fe4d5fc920a204c519534cedccdb84ebd

Download Submit
C:\Users\Admin\AppData\Roaming\syastem.exe
Filesize
701KB

MD5
1bd98c5b4581aeff9b65ce5653f49cdf

SHA1
3091d81da54ed79391b456e8e94e6b939be2a316

SHA256
a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

SHA512
f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Download Submit
C:\Users\Admin\AppData\Roaming\syastem.exe
Filesize
701KB

MD5
1bd98c5b4581aeff9b65ce5653f49cdf

SHA1
3091d81da54ed79391b456e8e94e6b939be2a316

SHA256
a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

SHA512
f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Download Submit
\Users\Admin\AppData\Roaming\syastem.exe
Filesize
701KB

MD5
1bd98c5b4581aeff9b65ce5653f49cdf

SHA1
3091d81da54ed79391b456e8e94e6b939be2a316

SHA256
a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

SHA512
f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Download Submit
memory/844-59-0x0000000000000000-mapping.dmp

Download
memory/1132-58-0x0000000000000000-mapping.dmp

Download
memory/1296-66-0x0000000000EC0000-0x0000000000F74000-memory.dmp

Filesize
720KB

Download
memory/1296-64-0x0000000000000000-mapping.dmp

Download
memory/1296-67-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1660-56-0x0000000076781000-0x0000000076783000-memory.dmp

Filesize
8KB

Download
memory/1660-55-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/1660-54-0x0000000001080000-0x0000000001134000-memory.dmp

Filesize
720KB

Download
memory/1708-57-0x0000000000000000-mapping.dmp

Download
memory/1908-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads