asyncrat | 0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808

General

Target

759eb01f8687aa4ab519ce0b8ada22d7.exe
Size

560KB
MD5

759eb01f8687aa4ab519ce0b8ada22d7
SHA1

80086dd4bd562df870ed9556248a0a46177e63d7
SHA256

0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808
SHA512

2ac4cc01afba0ba62db65763f5f3fe9ecfd2e83dbe5a28082d2d61cce92ef37f08e5c0b6f2d7769ff6309f805a3385cf1b4f968ff22e8632b76af3098ee00dc0

Score

10^/10

asyncrat rat suricata

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/912-74-0x0000000001FD0000-0x0000000001FF4000-memory.dmp	asyncrat

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

340 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

759eb01f8687aa4ab519ce0b8ada22d7.exe

description pid process target process

PID 1224 set thread context of 912 1224 759eb01f8687aa4ab519ce0b8ada22d7.exe 759eb01f8687aa4ab519ce0b8ada22d7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1564 timeout.exe

pid	process
340	cmd.exe

description	pid	process	target process
PID 1224 set thread context of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe

pid	process
1564	timeout.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exe759eb01f8687aa4ab519ce0b8ada22d7.exe

pid	process
1580	powershell.exe
1224	759eb01f8687aa4ab519ce0b8ada22d7.exe
1224	759eb01f8687aa4ab519ce0b8ada22d7.exe
1224	759eb01f8687aa4ab519ce0b8ada22d7.exe
1224	759eb01f8687aa4ab519ce0b8ada22d7.exe
1224	759eb01f8687aa4ab519ce0b8ada22d7.exe
1224	759eb01f8687aa4ab519ce0b8ada22d7.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe759eb01f8687aa4ab519ce0b8ada22d7.exe759eb01f8687aa4ab519ce0b8ada22d7.exe

description	pid	process
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe
Token: SeDebugPrivilege	912	759eb01f8687aa4ab519ce0b8ada22d7.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

759eb01f8687aa4ab519ce0b8ada22d7.exe759eb01f8687aa4ab519ce0b8ada22d7.execmd.exe

C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe
"C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe
C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe
2⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe
C:\Users\Admin\AppData\Local\Temp\759eb01f8687aa4ab519ce0b8ada22d7.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC664.tmp.bat""
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC664.tmp.bat
Filesize
184B

MD5
85128f0d85119cbcd48733ac3841eeaf

SHA1
44c272e683695a5578b91a79a1aa980458540077

SHA256
c5402406e821a0e601741150457103dfcb293faa4dd2647ebc5ea0e8043fd7cd

SHA512
ca1fb794122123990cf2cdeb509e79ea179b5721838e8e6e09c686004402887a7d846be40e7320aa2f997156c5ed1579ae4b7bfb2ac6179bf7abe036ae84d33a

Download Submit
memory/340-75-0x0000000000000000-mapping.dmp

Download
memory/912-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/912-68-0x0000000000429FEE-mapping.dmp

Download
memory/912-74-0x0000000001FD0000-0x0000000001FF4000-memory.dmp

Filesize
144KB

Download
memory/912-72-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/912-70-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/912-62-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/912-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/912-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/912-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1224-57-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1224-54-0x0000000000170000-0x0000000000202000-memory.dmp

Filesize
584KB

Download
memory/1224-56-0x00000000003E0000-0x000000000042C000-memory.dmp

Filesize
304KB

Download
memory/1224-55-0x0000000004AE0000-0x0000000004B78000-memory.dmp

Filesize
608KB

Download
memory/1564-77-0x0000000000000000-mapping.dmp

Download
memory/1580-61-0x00000000709B0000-0x0000000070F5B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-60-0x00000000709B0000-0x0000000070F5B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-58-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1224 wrote to memory of 1580	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	powershell.exe
PID 1224 wrote to memory of 1580	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	powershell.exe
PID 1224 wrote to memory of 1580	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	powershell.exe
PID 1224 wrote to memory of 1580	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	powershell.exe
PID 1224 wrote to memory of 1836	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 1836	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 1836	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 1836	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 1836	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 1836	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 1836	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 1224 wrote to memory of 912	1224	759eb01f8687aa4ab519ce0b8ada22d7.exe	759eb01f8687aa4ab519ce0b8ada22d7.exe
PID 912 wrote to memory of 340	912	759eb01f8687aa4ab519ce0b8ada22d7.exe	cmd.exe
PID 912 wrote to memory of 340	912	759eb01f8687aa4ab519ce0b8ada22d7.exe	cmd.exe
PID 912 wrote to memory of 340	912	759eb01f8687aa4ab519ce0b8ada22d7.exe	cmd.exe
PID 912 wrote to memory of 340	912	759eb01f8687aa4ab519ce0b8ada22d7.exe	cmd.exe
PID 340 wrote to memory of 1564	340	cmd.exe	timeout.exe
PID 340 wrote to memory of 1564	340	cmd.exe	timeout.exe
PID 340 wrote to memory of 1564	340	cmd.exe	timeout.exe
PID 340 wrote to memory of 1564	340	cmd.exe	timeout.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads