asyncrat | b1b6896b56865e3cf306b27273571684872a9fc8147262d7f0f8c8f7b33b82b9

General

Target

ac6c59b4841b47bbd42ec091a3d8a2e6.exe
Size

561KB
MD5

ac6c59b4841b47bbd42ec091a3d8a2e6
SHA1

2dd5bd5e0d9a6010d1fba5e617889d4a12dfbaa9
SHA256

b1b6896b56865e3cf306b27273571684872a9fc8147262d7f0f8c8f7b33b82b9
SHA512

aa3821e867153f4887a1168ccff5ed064247df6c6e76a8349951f1e287250cdf41cf65edbf1adf1deafbafcbf4557a6f4378d58c129d9c3fc6a272a838958d02

Score

10^/10

asyncrat rat suricata

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/520-74-0x0000000000540000-0x0000000000564000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

ac6c59b4841b47bbd42ec091a3d8a2e6.exe

description pid process target process

PID 1668 set thread context of 520 1668 ac6c59b4841b47bbd42ec091a3d8a2e6.exe ac6c59b4841b47bbd42ec091a3d8a2e6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeac6c59b4841b47bbd42ec091a3d8a2e6.exe

pid process

1380 powershell.exe
1668 ac6c59b4841b47bbd42ec091a3d8a2e6.exe
1668 ac6c59b4841b47bbd42ec091a3d8a2e6.exe

description	pid	process	target process
PID 1668 set thread context of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe

pid	process
1380	powershell.exe
1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeac6c59b4841b47bbd42ec091a3d8a2e6.exeac6c59b4841b47bbd42ec091a3d8a2e6.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
Token: SeDebugPrivilege	520	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
Token: SeShutdownPrivilege	1064	shutdown.exe
Token: SeRemoteShutdownPrivilege	1064	shutdown.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ac6c59b4841b47bbd42ec091a3d8a2e6.exeac6c59b4841b47bbd42ec091a3d8a2e6.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 1380	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	powershell.exe
PID 1668 wrote to memory of 1380	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	powershell.exe
PID 1668 wrote to memory of 1380	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	powershell.exe
PID 1668 wrote to memory of 1380	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	powershell.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 1668 wrote to memory of 520	1668	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 520 wrote to memory of 1488	520	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	cmd.exe
PID 520 wrote to memory of 1488	520	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	cmd.exe
PID 520 wrote to memory of 1488	520	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	cmd.exe
PID 520 wrote to memory of 1488	520	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	cmd.exe
PID 1488 wrote to memory of 1064	1488	cmd.exe	shutdown.exe
PID 1488 wrote to memory of 1064	1488	cmd.exe	shutdown.exe
PID 1488 wrote to memory of 1064	1488	cmd.exe	shutdown.exe
PID 1488 wrote to memory of 1064	1488	cmd.exe	shutdown.exe

C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe
"C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe
C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c Shutdown /r /f /t 00
3⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\shutdown.exe
Shutdown /r /f /t 00
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1092

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-68-0x0000000000429CBE-mapping.dmp

Download
memory/520-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/520-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/520-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/520-74-0x0000000000540000-0x0000000000564000-memory.dmp

Filesize
144KB

Download
memory/520-70-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/520-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/520-72-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/520-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1064-76-0x0000000000000000-mapping.dmp

Download
memory/1092-77-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

Filesize
8KB

Download
memory/1380-61-0x0000000071020000-0x00000000715CB000-memory.dmp

Filesize
5.7MB

Download
memory/1380-60-0x0000000071020000-0x00000000715CB000-memory.dmp

Filesize
5.7MB

Download
memory/1380-58-0x0000000000000000-mapping.dmp

Download
memory/1488-75-0x0000000000000000-mapping.dmp

Download
memory/1668-55-0x00000000047B0000-0x0000000004848000-memory.dmp

Filesize
608KB

Download
memory/1668-54-0x0000000000F60000-0x0000000000FF2000-memory.dmp

Filesize
584KB

Download
memory/1668-56-0x0000000000EF0000-0x0000000000F3C000-memory.dmp

Filesize
304KB

Download
memory/1668-57-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads