asyncrat | 0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808

Analysis

max time kernel
69s
max time network
148s
platform
windows10_x64
resource
win10-20220414-en
submitted
06-07-2022 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
Size

560KB
MD5

759eb01f8687aa4ab519ce0b8ada22d7
SHA1

80086dd4bd562df870ed9556248a0a46177e63d7
SHA256

0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808
SHA512

2ac4cc01afba0ba62db65763f5f3fe9ecfd2e83dbe5a28082d2d61cce92ef37f08e5c0b6f2d7769ff6309f805a3385cf1b4f968ff22e8632b76af3098ee00dc0

Score

10^/10

asyncrat rat suricata

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2644-369-0x00000000073E0000-0x0000000007404000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe

description	pid	process	target process
PID 1040 set thread context of 2644	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2268 timeout.exe

pid	process
2268	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exe0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe

pid	process
3844	powershell.exe
3844	powershell.exe
3844	powershell.exe
1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe

description	pid	process
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
Token: SeDebugPrivilege	2644	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.execmd.exe

description	pid	process	target process
PID 1040 wrote to memory of 3844	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	powershell.exe
PID 1040 wrote to memory of 3844	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	powershell.exe
PID 1040 wrote to memory of 3844	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	powershell.exe
PID 1040 wrote to memory of 2644	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
PID 1040 wrote to memory of 2644	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
PID 1040 wrote to memory of 2644	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
PID 1040 wrote to memory of 2644	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
PID 1040 wrote to memory of 2644	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
PID 1040 wrote to memory of 2644	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
PID 1040 wrote to memory of 2644	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
PID 1040 wrote to memory of 2644	1040	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
PID 2644 wrote to memory of 1472	2644	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	cmd.exe
PID 2644 wrote to memory of 1472	2644	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	cmd.exe
PID 2644 wrote to memory of 1472	2644	0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe	cmd.exe
PID 1472 wrote to memory of 2268	1472	cmd.exe	timeout.exe
PID 1472 wrote to memory of 2268	1472	cmd.exe	timeout.exe
PID 1472 wrote to memory of 2268	1472	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
"C:\Users\Admin\AppData\Local\Temp\0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Users\Admin\AppData\Local\Temp\0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
C:\Users\Admin\AppData\Local\Temp\0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB815.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0fbd0deb8891b8836c9987f79c0dcf7383ace21dcd7ee8ffcfdf609311af7808.exe.log
Filesize
897B

MD5
d2d9bab8c35098d9005c0b1ce8c42957

SHA1
7f01a193ee0ecfb8d083e1a21ef7f98683367059

SHA256
2d2ec4c60122d29301f6403f1a68d22c688bc408397107bf55987105916c2d06

SHA512
a5926b9e760d99c738b2f4f1a632afacf6bd02fd848d66bb44b719f31b718b1721d91bb63cbc95de1442fca0b34855b9d79ca5108b5c5cc1b054acd5c14eef69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB815.tmp.bat
Filesize
216B

MD5
3bb70b326ee7fb21146c979e6c44243b

SHA1
b15266ed73060910942d0dcf1a28dde8ba387787

SHA256
8cb5ec93177681eac2b03b7238b8bb3a34af7946c73174fef50e027220204206

SHA512
af5b87125d0b02b57a8e79ffa865553ee99f009cd093853c89c62a7ca134d54a9dc07d4587380b12442a077e18734ee2712329c06ea2b3b3949a7f0768110dd8

Download Submit
memory/1040-160-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-143-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-120-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-121-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-122-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-123-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-124-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-125-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-126-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-127-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-128-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-129-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-130-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-131-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-132-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-133-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-134-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-135-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-136-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-118-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-138-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-139-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-140-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-141-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-142-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-161-0x0000000004FB0000-0x0000000004FFC000-memory.dmp

Filesize
304KB

Download
memory/1040-144-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-145-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-146-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-147-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-148-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-149-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-150-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-151-0x0000000000640000-0x00000000006D2000-memory.dmp

Filesize
584KB

Download
memory/1040-152-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-153-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-154-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-155-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-156-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-157-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-158-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-159-0x0000000004E30000-0x0000000004EC8000-memory.dmp

Filesize
608KB

Download
memory/1040-137-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-119-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-162-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-163-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-164-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-165-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-166-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-167-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-168-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-169-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-170-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-171-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-172-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-173-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-174-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-175-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-176-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-177-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-178-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-179-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-180-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1040-269-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/1040-278-0x0000000006350000-0x000000000684E000-memory.dmp

Filesize
5.0MB

Download
memory/1040-117-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/1472-371-0x0000000000000000-mapping.dmp

Download
memory/2268-387-0x0000000000000000-mapping.dmp

Download
memory/2644-358-0x00000000063D0000-0x000000000646C000-memory.dmp

Filesize
624KB

Download
memory/2644-281-0x0000000000429FEE-mapping.dmp

Download
memory/2644-370-0x00000000074E0000-0x00000000074FE000-memory.dmp

Filesize
120KB

Download
memory/2644-315-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2644-369-0x00000000073E0000-0x0000000007404000-memory.dmp

Filesize
144KB

Download
memory/3844-217-0x00000000069B0000-0x00000000069E6000-memory.dmp

Filesize
216KB

Download
memory/3844-183-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-181-0x0000000000000000-mapping.dmp

Download
memory/3844-264-0x0000000008F40000-0x0000000008F5A000-memory.dmp

Filesize
104KB

Download
memory/3844-242-0x0000000007760000-0x00000000077C6000-memory.dmp

Filesize
408KB

Download
memory/3844-222-0x0000000007020000-0x0000000007648000-memory.dmp

Filesize
6.2MB

Download
memory/3844-184-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-240-0x00000000076C0000-0x00000000076E2000-memory.dmp

Filesize
136KB

Download
memory/3844-182-0x00000000775D0000-0x000000007775E000-memory.dmp

Filesize
1.6MB

Download
memory/3844-243-0x0000000007840000-0x00000000078A6000-memory.dmp

Filesize
408KB

Download
memory/3844-247-0x0000000007980000-0x000000000799C000-memory.dmp

Filesize
112KB

Download
memory/3844-248-0x0000000007E60000-0x0000000007EAB000-memory.dmp

Filesize
300KB

Download
memory/3844-252-0x00000000081A0000-0x0000000008216000-memory.dmp

Filesize
472KB

Download
memory/3844-263-0x00000000098D0000-0x0000000009F48000-memory.dmp

Filesize
6.5MB

Download
memory/3844-244-0x0000000007AA0000-0x0000000007DF0000-memory.dmp

Filesize
3.3MB

Download