asyncrat | 6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a

General

Target

6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
Size

73KB
MD5

e8032d887188081e383a6ebd6dbcd33a
SHA1

ccbd2b7b1dc9688098636bf4a778ae1e5e90dd17
SHA256

6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a
SHA512

21babd4ff02d906274256c9a6defd85843f08d56a863c4f127f873652cb9b6205e13c581e6eed4ef51f617b4b85efcd87c7473398712131e21ace792fb235060

Score

10^/10

asyncrat default persistence rat suricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

vivald21.hopto.org:9954

63.141.237.188:9954

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1732-150-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tej = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\tej.exe\""	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

description	pid	process	target process
PID 2324 set thread context of 1732	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exe6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

pid	process
1996	powershell.exe
1996	powershell.exe
3844	powershell.exe
3844	powershell.exe
2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exe6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exepowershell.exe6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

description	pid	process
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	1732	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

C:\Users\Admin\AppData\Local\Temp\6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
"C:\Users\Admin\AppData\Local\Temp\6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Users\Admin\AppData\Local\Temp\6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
C:\Users\Admin\AppData\Local\Temp\6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
C:\Users\Admin\AppData\Local\Temp\6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
C:\Users\Admin\AppData\Local\Temp\6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
memory/1732-152-0x0000000005240000-0x00000000052DC000-memory.dmp

Filesize
624KB

Download
memory/1732-150-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1732-149-0x0000000000000000-mapping.dmp

Download
memory/1868-147-0x0000000000000000-mapping.dmp

Download
memory/1996-140-0x00000000068C0000-0x00000000068DE000-memory.dmp

Filesize
120KB

Download
memory/1996-134-0x0000000000000000-mapping.dmp

Download
memory/1996-138-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/1996-139-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/1996-137-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/1996-141-0x0000000006DA0000-0x0000000006DE4000-memory.dmp

Filesize
272KB

Download
memory/1996-142-0x0000000007BC0000-0x0000000007C36000-memory.dmp

Filesize
472KB

Download
memory/1996-143-0x00000000082C0000-0x000000000893A000-memory.dmp

Filesize
6.5MB

Download
memory/1996-144-0x0000000007C40000-0x0000000007C5A000-memory.dmp

Filesize
104KB

Download
memory/1996-135-0x0000000002F50000-0x0000000002F86000-memory.dmp

Filesize
216KB

Download
memory/1996-136-0x0000000005CD0000-0x00000000062F8000-memory.dmp

Filesize
6.2MB

Download
memory/2324-130-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/2324-133-0x0000000004D80000-0x0000000004D8A000-memory.dmp

Filesize
40KB

Download
memory/2324-132-0x0000000004DF0000-0x0000000004E82000-memory.dmp

Filesize
584KB

Download
memory/2324-131-0x00000000053A0000-0x0000000005944000-memory.dmp

Filesize
5.6MB

Download
memory/3844-145-0x0000000000000000-mapping.dmp

Download
memory/4800-148-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 2324 wrote to memory of 1996	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	powershell.exe
PID 2324 wrote to memory of 1996	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	powershell.exe
PID 2324 wrote to memory of 1996	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	powershell.exe
PID 2324 wrote to memory of 3844	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	powershell.exe
PID 2324 wrote to memory of 3844	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	powershell.exe
PID 2324 wrote to memory of 3844	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	powershell.exe
PID 2324 wrote to memory of 1868	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 1868	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 1868	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 4800	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 4800	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 4800	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 1732	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 1732	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 1732	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 1732	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 1732	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 1732	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 1732	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe
PID 2324 wrote to memory of 1732	2324	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe	6fc5883456ca655a74a91c3127486ab5c21186308fdebfca4ec9035e09d7069a.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads