asyncrat | f605416a4abce35b85ce6d88b370e7bec3c012772a0eb35c70e4f5aa0cdc9b3d

Analysis

max time kernel
39s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2022 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe
Size

70KB
MD5

198a692570d1a3197a7b82d5010ff135
SHA1

757965d8c9f119e87a224f0a8a55fc7cd9225f71
SHA256

f605416a4abce35b85ce6d88b370e7bec3c012772a0eb35c70e4f5aa0cdc9b3d
SHA512

3572fac7eae731cc7499cd9baac1e98b092dd96237352807a659a3890f1a91338ee10a7d25668e98891c3e06d3b3c3354aba63a775100be5007c4584ea57c948
SSDEEP

1536:Okc5mbE6TWogwg5wy74WcMX662ho4zdSmhFNhHMUC:Okc5mbEYWog35T4SXEhzcA3hH7C

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7A

Botnet

Default

163.172.225.185:6606

163.172.225.185:7707

163.172.225.185:8808

163.172.225.185:551

163.172.225.185:677

163.172.225.185:441

163.172.225.185:661

163.172.225.185:412

Mutex

iurufubmszrrcclmx

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4928-141-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Arhjvlk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tnszqkuc\\Arhjvlk.exe\""	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe

description pid process target process

PID 2840 set thread context of 4928 2840 F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe InstallUtil.exe

description	pid	process	target process
PID 2840 set thread context of 4928	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe

pid	process
2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe
2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe
2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 2840 F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe
Token: SeDebugPrivilege 4928 InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe
Token: SeDebugPrivilege	4928	InstallUtil.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe

description	pid	process	target process
PID 2840 wrote to memory of 4384	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe
PID 2840 wrote to memory of 4384	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe
PID 2840 wrote to memory of 4384	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe
PID 2840 wrote to memory of 4928	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe
PID 2840 wrote to memory of 4928	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe
PID 2840 wrote to memory of 4928	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe
PID 2840 wrote to memory of 4928	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe
PID 2840 wrote to memory of 4928	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe
PID 2840 wrote to memory of 4928	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe
PID 2840 wrote to memory of 4928	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe
PID 2840 wrote to memory of 4928	2840	F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe
"C:\Users\Admin\AppData\Local\Temp\F605416A4ABCE35B85CE6D88B370E7BEC3C012772A0EB.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
PID:4384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2840-132-0x00000000000A0000-0x00000000000B8000-memory.dmp

Filesize
96KB

Download
memory/2840-133-0x0000000005770000-0x00000000057C0000-memory.dmp

Filesize
320KB

Download
memory/2840-134-0x0000000005880000-0x0000000005932000-memory.dmp

Filesize
712KB

Download
memory/2840-135-0x0000000005EF0000-0x0000000006494000-memory.dmp

Filesize
5.6MB

Download
memory/2840-137-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/2840-136-0x00000000059E0000-0x0000000005A72000-memory.dmp

Filesize
584KB

Download
memory/2840-138-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/4384-139-0x0000000000000000-mapping.dmp

Download
memory/4928-141-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4928-140-0x0000000000000000-mapping.dmp

Download
memory/4928-142-0x0000000005BF0000-0x0000000005C8C000-memory.dmp

Filesize
624KB

Download