asyncrat | 7bc9a0135244519fe11232f68560692c4fb9c1d67d3d102d5747d8b89a8e7dd4

General

Target

Usd 56,335.71$.exe
Size

827KB
MD5

e01c94d8c361c5214b81d40d4606940a
SHA1

484d35f9015112246a38cccbcb29d8a467d061fb
SHA256

7bc9a0135244519fe11232f68560692c4fb9c1d67d3d102d5747d8b89a8e7dd4
SHA512

1b1bf67380357324c8570b104c6dd0b9d8ea2a099b26c4b043077c87a78c518f192a0235f4e9c6557acd2ffb688b3ccbfb552908642d8437a254f6c87bed834b

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

seamoney.duckdns.org:5721

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1212-71-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1212-72-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1212-73-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1212-74-0x000000000041096E-mapping.dmp	asyncrat
behavioral1/memory/1212-76-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1212-78-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

Usd 56,335.71$.exe

description pid process target process

PID 756 set thread context of 1212 756 Usd 56,335.71$.exe Usd 56,335.71$.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1960 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1972 powershell.exe
952 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeUsd 56,335.71$.exe

description pid process

Token: SeDebugPrivilege 952 powershell.exe
Token: SeDebugPrivilege 1972 powershell.exe
Token: SeDebugPrivilege 1212 Usd 56,335.71$.exe

description	pid	process	target process
PID 756 set thread context of 1212	756	Usd 56,335.71$.exe	Usd 56,335.71$.exe

pid	process
1960	schtasks.exe

pid	process
1972	powershell.exe
952	powershell.exe

description	pid	process
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1212	Usd 56,335.71$.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Usd 56,335.71$.exe

description	pid	process	target process
PID 756 wrote to memory of 952	756	Usd 56,335.71$.exe	powershell.exe
PID 756 wrote to memory of 952	756	Usd 56,335.71$.exe	powershell.exe
PID 756 wrote to memory of 952	756	Usd 56,335.71$.exe	powershell.exe
PID 756 wrote to memory of 952	756	Usd 56,335.71$.exe	powershell.exe
PID 756 wrote to memory of 1972	756	Usd 56,335.71$.exe	powershell.exe
PID 756 wrote to memory of 1972	756	Usd 56,335.71$.exe	powershell.exe
PID 756 wrote to memory of 1972	756	Usd 56,335.71$.exe	powershell.exe
PID 756 wrote to memory of 1972	756	Usd 56,335.71$.exe	powershell.exe
PID 756 wrote to memory of 1960	756	Usd 56,335.71$.exe	schtasks.exe
PID 756 wrote to memory of 1960	756	Usd 56,335.71$.exe	schtasks.exe
PID 756 wrote to memory of 1960	756	Usd 56,335.71$.exe	schtasks.exe
PID 756 wrote to memory of 1960	756	Usd 56,335.71$.exe	schtasks.exe
PID 756 wrote to memory of 1212	756	Usd 56,335.71$.exe	Usd 56,335.71$.exe
PID 756 wrote to memory of 1212	756	Usd 56,335.71$.exe	Usd 56,335.71$.exe
PID 756 wrote to memory of 1212	756	Usd 56,335.71$.exe	Usd 56,335.71$.exe
PID 756 wrote to memory of 1212	756	Usd 56,335.71$.exe	Usd 56,335.71$.exe
PID 756 wrote to memory of 1212	756	Usd 56,335.71$.exe	Usd 56,335.71$.exe
PID 756 wrote to memory of 1212	756	Usd 56,335.71$.exe	Usd 56,335.71$.exe
PID 756 wrote to memory of 1212	756	Usd 56,335.71$.exe	Usd 56,335.71$.exe
PID 756 wrote to memory of 1212	756	Usd 56,335.71$.exe	Usd 56,335.71$.exe
PID 756 wrote to memory of 1212	756	Usd 56,335.71$.exe	Usd 56,335.71$.exe

C:\Users\Admin\AppData\Local\Temp\Usd 56,335.71$.exe
"C:\Users\Admin\AppData\Local\Temp\Usd 56,335.71$.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Usd 56,335.71$.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SHhGQnndkQVeW.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SHhGQnndkQVeW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp677B.tmp"
2⤵
- Creates scheduled task(s)
PID:1960

C:\Users\Admin\AppData\Local\Temp\Usd 56,335.71$.exe
"C:\Users\Admin\AppData\Local\Temp\Usd 56,335.71$.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp677B.tmp
Filesize
1KB

MD5
1a53aabe4aa04c62ea459b49921ad42c

SHA1
f51125d67f79eb1ae40ed6edce4521a0b5d5fdb1

SHA256
beb2b03fca9aa823412afdc2821d5fa78e5e865ea8205873c3662520d2c05dc9

SHA512
da83ce005a37f65f277820b9e2a91ea2826f70eadd72770ab83934626626f97ca6b0701f382fbec1e1a99b76841876c54f74e45855dafdc037a0473b6fb5429d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
8aa19b3fe6a94c6bed08d637b976e472

SHA1
989b087b862c6e6a36b62bfb0273fc6b8acd0107

SHA256
38084b5f3024049dc70f2dac2ee59dac94fab1747680a94b07c56da4cb8a1ab3

SHA512
8b503fc3f0a6691cc05a74196f0ed990832891560836021f88448c1bbd1f05aee03af319d0f94ce73b1cf04c6a9378c4fd0f212c03e43b5cd72366336936b754

Download Submit
memory/756-54-0x0000000000890000-0x0000000000964000-memory.dmp

Filesize
848KB

Download
memory/756-55-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/756-56-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/756-57-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/756-58-0x0000000002090000-0x00000000020E0000-memory.dmp

Filesize
320KB

Download
memory/756-59-0x0000000004AD5000-0x0000000004AE6000-memory.dmp

Filesize
68KB

Download
memory/756-67-0x0000000004400000-0x0000000004416000-memory.dmp

Filesize
88KB

Download
memory/952-60-0x0000000000000000-mapping.dmp

Download
memory/952-83-0x000000006B9F0000-0x000000006BF9B000-memory.dmp

Filesize
5.7MB

Download
memory/952-79-0x000000006B9F0000-0x000000006BF9B000-memory.dmp

Filesize
5.7MB

Download
memory/1212-69-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-71-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-68-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-72-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-73-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-74-0x000000000041096E-mapping.dmp

Download
memory/1212-76-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1212-78-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1960-63-0x0000000000000000-mapping.dmp

Download
memory/1972-80-0x000000006B9F0000-0x000000006BF9B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-82-0x000000006B9F0000-0x000000006BF9B000-memory.dmp

Filesize
5.7MB

Download
memory/1972-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads