asyncrat | a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

General

Target

A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Size

701KB
MD5

1bd98c5b4581aeff9b65ce5653f49cdf
SHA1

3091d81da54ed79391b456e8e94e6b939be2a316
SHA256

a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1
SHA512

f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Score

10^/10

asyncrat default rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

Botnet

Default

C2

milla.publicvm.com:6606

milla.publicvm.com:7707

milla.publicvm.com:8808

Mutex

ncwfisdaribhhybik

Attributes

delay
10
install
true
install_file
syastem.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1948-55-0x0000000000300000-0x0000000000312000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

syastem.exe

pid process

652 syastem.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1692 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2036 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1368 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.exe

pid process

1948 A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.exesyastem.exe

description pid process

Token: SeDebugPrivilege 1948 A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Token: SeDebugPrivilege 652 syastem.exe

pid	process
652	syastem.exe

pid	process
1692	cmd.exe

pid	process
2036	schtasks.exe

pid	process
1368	timeout.exe

pid	process
1948	A4A60422374845BF0ABD892DD48D352978D697C883196.exe

description	pid	process
Token: SeDebugPrivilege	1948	A4A60422374845BF0ABD892DD48D352978D697C883196.exe
Token: SeDebugPrivilege	652	syastem.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

A4A60422374845BF0ABD892DD48D352978D697C883196.execmd.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 1328	1948	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1948 wrote to memory of 1328	1948	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1948 wrote to memory of 1328	1948	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1948 wrote to memory of 1328	1948	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1948 wrote to memory of 1692	1948	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1948 wrote to memory of 1692	1948	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1948 wrote to memory of 1692	1948	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1948 wrote to memory of 1692	1948	A4A60422374845BF0ABD892DD48D352978D697C883196.exe	cmd.exe
PID 1328 wrote to memory of 2036	1328	cmd.exe	schtasks.exe
PID 1328 wrote to memory of 2036	1328	cmd.exe	schtasks.exe
PID 1328 wrote to memory of 2036	1328	cmd.exe	schtasks.exe
PID 1328 wrote to memory of 2036	1328	cmd.exe	schtasks.exe
PID 1692 wrote to memory of 1368	1692	cmd.exe	timeout.exe
PID 1692 wrote to memory of 1368	1692	cmd.exe	timeout.exe
PID 1692 wrote to memory of 1368	1692	cmd.exe	timeout.exe
PID 1692 wrote to memory of 1368	1692	cmd.exe	timeout.exe
PID 1692 wrote to memory of 652	1692	cmd.exe	syastem.exe
PID 1692 wrote to memory of 652	1692	cmd.exe	syastem.exe
PID 1692 wrote to memory of 652	1692	cmd.exe	syastem.exe
PID 1692 wrote to memory of 652	1692	cmd.exe	syastem.exe

C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe
"C:\Users\Admin\AppData\Local\Temp\A4A60422374845BF0ABD892DD48D352978D697C883196.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /ru system /rl highest /tn A4A60422374845BF0ABD892DD48D352978D697C883196 /tr '"C:\Users\Admin\AppData\Roaming\syastem.exe"'
3⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6E4E.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1368

C:\Users\Admin\AppData\Roaming\syastem.exe
"C:\Users\Admin\AppData\Roaming\syastem.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6E4E.tmp.bat
Filesize
151B

MD5
3d0e3950cb76e9f357204aa3c568426d

SHA1
72d9bc3585cc7af27a6a4badba0d029e84f6749e

SHA256
bcd9abd209dbf47f99b72179a6e2dd7ef8a3cf120b8319ffddb9bd8635385a8a

SHA512
e92bc29fda6ff7774d2cc63d4321d38948b59349ed7a7adf823b156009c7018157531e1243290fc93a38b8b5b6f88beb6ea7af3354e62a1a3baf2d0e4a2df4d1

Download Submit
C:\Users\Admin\AppData\Roaming\syastem.exe
Filesize
701KB

MD5
1bd98c5b4581aeff9b65ce5653f49cdf

SHA1
3091d81da54ed79391b456e8e94e6b939be2a316

SHA256
a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

SHA512
f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Download Submit
C:\Users\Admin\AppData\Roaming\syastem.exe
Filesize
701KB

MD5
1bd98c5b4581aeff9b65ce5653f49cdf

SHA1
3091d81da54ed79391b456e8e94e6b939be2a316

SHA256
a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

SHA512
f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Download Submit
\Users\Admin\AppData\Roaming\syastem.exe
Filesize
701KB

MD5
1bd98c5b4581aeff9b65ce5653f49cdf

SHA1
3091d81da54ed79391b456e8e94e6b939be2a316

SHA256
a4a60422374845bf0abd892dd48d352978d697c883196392e0d692f70f0e85c1

SHA512
f1462a6d7cfc813cd2ba05d6ccac9656b76ef4ea7418992d1b3b1acdbd779d7b2ab016322f30264c123fea92114a481c1400dc965964731c86974b98922486cc

Download Submit
memory/652-64-0x0000000000000000-mapping.dmp

Download
memory/652-66-0x0000000000110000-0x00000000001C4000-memory.dmp

Filesize
720KB

Download
memory/1328-57-0x0000000000000000-mapping.dmp

Download
memory/1368-61-0x0000000000000000-mapping.dmp

Download
memory/1692-58-0x0000000000000000-mapping.dmp

Download
memory/1948-56-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1948-55-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/1948-54-0x0000000001060000-0x0000000001114000-memory.dmp

Filesize
720KB

Download
memory/2036-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads