asyncrat | 762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e

General

Target

762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe
Size

239KB
MD5

f3e095480b743b91e227a56dc90f961f
SHA1

c173a87c984a20bf5e3751351e144a62de4ae269
SHA256

762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e
SHA512

d7fb57e80d720221aeb1674d7aa967e3c87b334f13c76c26e81d22cc0877d4921deffe37670093de83ebcbf488cdf654eadd12ce9cbd97517068621ec3a15de0

Score

10^/10

asyncrat persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

soft.tjsosda.com:1989

sure.spdns.de:1989

hurricane.rapiddns.ru:1989

Mutex

admin2214

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1272-57-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\ggBin = "C:\\Users\\Admin\\AppData\\Local\\ggBinz\\ggBinzbxc.hta"	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe

description	pid	process	target process
PID 1464 set thread context of 1272	1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exeInstallUtil.exe

pid	process
1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe
1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe
1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe
1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe
1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe
1272	InstallUtil.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe

pid process

1464 762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe
Token: SeDebugPrivilege	1272	InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe

description	pid	process	target process
PID 1464 wrote to memory of 1272	1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe	InstallUtil.exe
PID 1464 wrote to memory of 1272	1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe	InstallUtil.exe
PID 1464 wrote to memory of 1272	1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe	InstallUtil.exe
PID 1464 wrote to memory of 1272	1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe	InstallUtil.exe
PID 1464 wrote to memory of 1272	1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe	InstallUtil.exe
PID 1464 wrote to memory of 1272	1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe	InstallUtil.exe
PID 1464 wrote to memory of 1272	1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe	InstallUtil.exe
PID 1464 wrote to memory of 1272	1464	762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe
"C:\Users\Admin\AppData\Local\Temp\762c259cf0068e583cc70d8839c65bb87401de2f926f8306c66d83e7d7cfda8e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1272-56-0x000000000040CCEE-mapping.dmp

Download
memory/1272-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1272-59-0x00000000754A1000-0x00000000754A3000-memory.dmp

Filesize
8KB

Download
memory/1464-54-0x0000000000E70000-0x0000000000EB0000-memory.dmp

Filesize
256KB

Download
memory/1464-55-0x0000000000280000-0x0000000000298000-memory.dmp

Filesize
96KB

Download
memory/1464-58-0x0000000000320000-0x0000000000323000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads