asyncrat | bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

General

Target

0x000a000000003c9f-56.exe
Size

64KB
MD5

c75c0d8d46633692c979eb6fbd26094e
SHA1

b3945681b32a90f00ef2fd2af2eb4f5d4208c75d
SHA256

bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393
SHA512

5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

Score

10^/10

asyncrat linkvertise a rat suricata

Malware Config

Extracted

Family

asyncrat

Version

true

Botnet

Linkvertise A

Mutex

RRAT_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
Explorer.exe

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/364-54-0x00000000010D0000-0x00000000010E6000-memory.dmp	asyncrat
\Users\Admin\AppData\Roaming\Explorer.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Explorer.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Explorer.exe	asyncrat
behavioral1/memory/1832-65-0x0000000000210000-0x0000000000226000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Explorer.exe

pid process

1832 Explorer.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2028 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2036 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1996 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0x000a000000003c9f-56.exe

pid process

364 0x000a000000003c9f-56.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0x000a000000003c9f-56.exeExplorer.exe

description pid process

Token: SeDebugPrivilege 364 0x000a000000003c9f-56.exe
Token: SeDebugPrivilege 1832 Explorer.exe

pid	process
1832	Explorer.exe

pid	process
2028	cmd.exe

pid	process
2036	schtasks.exe

pid	process
1996	timeout.exe

pid	process
364	0x000a000000003c9f-56.exe

description	pid	process
Token: SeDebugPrivilege	364	0x000a000000003c9f-56.exe
Token: SeDebugPrivilege	1832	Explorer.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

0x000a000000003c9f-56.execmd.execmd.exe

description	pid	process	target process
PID 364 wrote to memory of 836	364	0x000a000000003c9f-56.exe	cmd.exe
PID 364 wrote to memory of 836	364	0x000a000000003c9f-56.exe	cmd.exe
PID 364 wrote to memory of 836	364	0x000a000000003c9f-56.exe	cmd.exe
PID 364 wrote to memory of 836	364	0x000a000000003c9f-56.exe	cmd.exe
PID 364 wrote to memory of 2028	364	0x000a000000003c9f-56.exe	cmd.exe
PID 364 wrote to memory of 2028	364	0x000a000000003c9f-56.exe	cmd.exe
PID 364 wrote to memory of 2028	364	0x000a000000003c9f-56.exe	cmd.exe
PID 364 wrote to memory of 2028	364	0x000a000000003c9f-56.exe	cmd.exe
PID 836 wrote to memory of 2036	836	cmd.exe	schtasks.exe
PID 836 wrote to memory of 2036	836	cmd.exe	schtasks.exe
PID 836 wrote to memory of 2036	836	cmd.exe	schtasks.exe
PID 836 wrote to memory of 2036	836	cmd.exe	schtasks.exe
PID 2028 wrote to memory of 1996	2028	cmd.exe	timeout.exe
PID 2028 wrote to memory of 1996	2028	cmd.exe	timeout.exe
PID 2028 wrote to memory of 1996	2028	cmd.exe	timeout.exe
PID 2028 wrote to memory of 1996	2028	cmd.exe	timeout.exe
PID 2028 wrote to memory of 1832	2028	cmd.exe	Explorer.exe
PID 2028 wrote to memory of 1832	2028	cmd.exe	Explorer.exe
PID 2028 wrote to memory of 1832	2028	cmd.exe	Explorer.exe
PID 2028 wrote to memory of 1832	2028	cmd.exe	Explorer.exe

C:\Users\Admin\AppData\Local\Temp\0x000a000000003c9f-56.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a000000003c9f-56.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Explorer" /tr '"C:\Users\Admin\AppData\Roaming\Explorer.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Explorer" /tr '"C:\Users\Admin\AppData\Roaming\Explorer.exe"'
3⤵
- Creates scheduled task(s)
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp11.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1996

C:\Users\Admin\AppData\Roaming\Explorer.exe
"C:\Users\Admin\AppData\Roaming\Explorer.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp11.tmp.bat
Filesize
150B

MD5
55a19ef6de0e79b16061509ebed4b402

SHA1
a4157696f33727673a1d247bc4b7e3ab5a76f84f

SHA256
7a9b303509c7547c357aa5f0d2c6225f34f08281176757f3b083df4a2a438f77

SHA512
c5e5590f7fd04ba54402f299ff1054f49f76bcba9f759a5a1b0d538b3b2ed7015ea4e526f1df928b561ccf658412bef4b5f94fd12a93842696e7add855551322

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer.exe
Filesize
64KB

MD5
c75c0d8d46633692c979eb6fbd26094e

SHA1
b3945681b32a90f00ef2fd2af2eb4f5d4208c75d

SHA256
bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

SHA512
5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer.exe
Filesize
64KB

MD5
c75c0d8d46633692c979eb6fbd26094e

SHA1
b3945681b32a90f00ef2fd2af2eb4f5d4208c75d

SHA256
bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

SHA512
5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

Download Submit
\Users\Admin\AppData\Roaming\Explorer.exe
Filesize
64KB

MD5
c75c0d8d46633692c979eb6fbd26094e

SHA1
b3945681b32a90f00ef2fd2af2eb4f5d4208c75d

SHA256
bbd275db0ec38e99c088654b042b682c428ba644969ef08f1d9657052f9b1393

SHA512
5d4ecd6c3fee2cf25cdfc4c6abbb389b261016b805ab1f6c4f0918143df6b02f0647d6ba87b1169ef0040ea9afd0dd22ce2612e2600b48e6dd9ffd7be99a1067

Download Submit
memory/364-54-0x00000000010D0000-0x00000000010E6000-memory.dmp

Filesize
88KB

Download
memory/364-55-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/836-56-0x0000000000000000-mapping.dmp

Download
memory/1832-63-0x0000000000000000-mapping.dmp

Download
memory/1832-65-0x0000000000210000-0x0000000000226000-memory.dmp

Filesize
88KB

Download
memory/1996-60-0x0000000000000000-mapping.dmp

Download
memory/2028-57-0x0000000000000000-mapping.dmp

Download
memory/2036-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads