asyncrat | b1b6896b56865e3cf306b27273571684872a9fc8147262d7f0f8c8f7b33b82b9

General

Target

ac6c59b4841b47bbd42ec091a3d8a2e6.exe
Size

561KB
MD5

ac6c59b4841b47bbd42ec091a3d8a2e6
SHA1

2dd5bd5e0d9a6010d1fba5e617889d4a12dfbaa9
SHA256

b1b6896b56865e3cf306b27273571684872a9fc8147262d7f0f8c8f7b33b82b9
SHA512

aa3821e867153f4887a1168ccff5ed064247df6c6e76a8349951f1e287250cdf41cf65edbf1adf1deafbafcbf4557a6f4378d58c129d9c3fc6a272a838958d02

Score

10^/10

asyncrat rat suricata

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ac6c59b4841b47bbd42ec091a3d8a2e6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ac6c59b4841b47bbd42ec091a3d8a2e6.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ac6c59b4841b47bbd42ec091a3d8a2e6.exe

description pid process target process

PID 3440 set thread context of 4604 3440 ac6c59b4841b47bbd42ec091a3d8a2e6.exe ac6c59b4841b47bbd42ec091a3d8a2e6.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4796 timeout.exe

description	pid	process	target process
PID 3440 set thread context of 4604	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe

pid	process
4796	timeout.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exeac6c59b4841b47bbd42ec091a3d8a2e6.exe

pid	process
3588	powershell.exe
3588	powershell.exe
3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeac6c59b4841b47bbd42ec091a3d8a2e6.exeac6c59b4841b47bbd42ec091a3d8a2e6.exe

description	pid	process
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeDebugPrivilege	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
Token: SeDebugPrivilege	4604	ac6c59b4841b47bbd42ec091a3d8a2e6.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

ac6c59b4841b47bbd42ec091a3d8a2e6.exeac6c59b4841b47bbd42ec091a3d8a2e6.execmd.exe

C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe
"C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe
C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe
2⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe
C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe
2⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe
C:\Users\Admin\AppData\Local\Temp\ac6c59b4841b47bbd42ec091a3d8a2e6.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC3FC.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ac6c59b4841b47bbd42ec091a3d8a2e6.exe.log
Filesize
897B

MD5
33a058d176a3052be89f77eee906636c

SHA1
640a98991dddbb776fc2f022e4c1188b5e3b1e51

SHA256
e53ea138ab0993976e59c6592168d7f303e576afb06f431f6ebc32f058331856

SHA512
5a8110b2b77c6e4f1f96c767a4aac1913417f817c1e19930bd3348cc6297fd4defa8b9bb7db3592f47a984b386d75363b6ae1c9f0c79341c939d3e0513aafbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC3FC.tmp.bat
Filesize
184B

MD5
5d0016bff05d6f00173e6a52acc9b9ec

SHA1
39bc49a4023b16f8c9428fc25ac0e5f1ee60b0e1

SHA256
0bf04ddc2a12e58759931c665d6326602650cff22ddbbf49b70442dd9dda9594

SHA512
5be995f9ac3549cf58bc388981289f453230b847a549785f9e3c98f057a5ec53e804dbca8571b397208c32cb31d7da22c23bde41cf97d8033d1c4058c330149c

Download Submit
memory/2380-143-0x0000000000000000-mapping.dmp

Download
memory/3440-140-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/3440-131-0x0000000004AF0000-0x0000000004B56000-memory.dmp

Filesize
408KB

Download
memory/3440-130-0x0000000000140000-0x00000000001D2000-memory.dmp

Filesize
584KB

Download
memory/3440-141-0x00000000060A0000-0x0000000006644000-memory.dmp

Filesize
5.6MB

Download
memory/3516-150-0x0000000000000000-mapping.dmp

Download
memory/3588-135-0x0000000005650000-0x0000000005672000-memory.dmp

Filesize
136KB

Download
memory/3588-134-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download
memory/3588-138-0x0000000007C60000-0x00000000082DA000-memory.dmp

Filesize
6.5MB

Download
memory/3588-137-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/3588-132-0x0000000000000000-mapping.dmp

Download
memory/3588-136-0x0000000005EB0000-0x0000000005F16000-memory.dmp

Filesize
408KB

Download
memory/3588-133-0x0000000005060000-0x0000000005096000-memory.dmp

Filesize
216KB

Download
memory/3588-139-0x0000000006B20000-0x0000000006B3A000-memory.dmp

Filesize
104KB

Download
memory/4604-148-0x0000000006D20000-0x0000000006D96000-memory.dmp

Filesize
472KB

Download
memory/4604-147-0x0000000005710000-0x00000000057AC000-memory.dmp

Filesize
624KB

Download
memory/4604-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4604-149-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

Filesize
120KB

Download
memory/4604-144-0x0000000000000000-mapping.dmp

Download
memory/4796-152-0x0000000000000000-mapping.dmp

Download
memory/5028-142-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3440 wrote to memory of 3588	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	powershell.exe
PID 3440 wrote to memory of 3588	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	powershell.exe
PID 3440 wrote to memory of 3588	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	powershell.exe
PID 3440 wrote to memory of 5028	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 5028	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 5028	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 2380	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 2380	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 2380	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 4604	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 4604	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 4604	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 4604	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 4604	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 4604	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 4604	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 3440 wrote to memory of 4604	3440	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	ac6c59b4841b47bbd42ec091a3d8a2e6.exe
PID 4604 wrote to memory of 3516	4604	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	cmd.exe
PID 4604 wrote to memory of 3516	4604	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	cmd.exe
PID 4604 wrote to memory of 3516	4604	ac6c59b4841b47bbd42ec091a3d8a2e6.exe	cmd.exe
PID 3516 wrote to memory of 4796	3516	cmd.exe	timeout.exe
PID 3516 wrote to memory of 4796	3516	cmd.exe	timeout.exe
PID 3516 wrote to memory of 4796	3516	cmd.exe	timeout.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads