asyncrat | f5e715d046072f8716f662bb86a02be3f13dd984ed207562c9e8e3feb6aeab40

General

Target

F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe
Size

176KB
MD5

f8b8c7e30a0c98c7db0c64d4b925db75
SHA1

928ec1e03d21f51f34da1a7c801fdce9a36b3c36
SHA256

f5e715d046072f8716f662bb86a02be3f13dd984ed207562c9e8e3feb6aeab40
SHA512

67d7c8c62877a0d274089ef062a85e1b0622bcb6ccfc86d3bd9234973af514e211c4a3043504c597429ade35524f314efecea75a4695bf5489e282fef3cedef3
SSDEEP

3072:tuK0THf52BTHbvxPZYJ01yDgNlfWSZ0cXF:tuK+chHbIpgy/m

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

zulakim.duckdns.org:6606

zulakim.duckdns.org:7707

zulakim.duckdns.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
dllhost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1476-54-0x0000000000A50000-0x0000000000A82000-memory.dmp	asyncrat
behavioral1/files/0x0007000000005c50-61.dat	asyncrat
behavioral1/files/0x0007000000005c50-62.dat	asyncrat
behavioral1/files/0x0007000000005c50-64.dat	asyncrat
behavioral1/memory/520-65-0x0000000000EC0000-0x0000000000EF2000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
520	dllhost.exe

Loads dropped DLL 1 IoCs

pid	Process
940	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1020	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1280	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1476	F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe
Token: SeDebugPrivilege	520	dllhost.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1800	1476	F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe	27
PID 1476 wrote to memory of 1800	1476	F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe	27
PID 1476 wrote to memory of 1800	1476	F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe	27
PID 1476 wrote to memory of 1800	1476	F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe	27
PID 1476 wrote to memory of 940	1476	F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe	29
PID 1476 wrote to memory of 940	1476	F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe	29
PID 1476 wrote to memory of 940	1476	F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe	29
PID 1476 wrote to memory of 940	1476	F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe	29
PID 1800 wrote to memory of 1020	1800	cmd.exe	31
PID 1800 wrote to memory of 1020	1800	cmd.exe	31
PID 1800 wrote to memory of 1020	1800	cmd.exe	31
PID 1800 wrote to memory of 1020	1800	cmd.exe	31
PID 940 wrote to memory of 1280	940	cmd.exe	32
PID 940 wrote to memory of 1280	940	cmd.exe	32
PID 940 wrote to memory of 1280	940	cmd.exe	32
PID 940 wrote to memory of 1280	940	cmd.exe	32
PID 940 wrote to memory of 520	940	cmd.exe	33
PID 940 wrote to memory of 520	940	cmd.exe	33
PID 940 wrote to memory of 520	940	cmd.exe	33
PID 940 wrote to memory of 520	940	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe
"C:\Users\Admin\AppData\Local\Temp\F5E715D046072F8716F662BB86A02BE3F13DD984ED207.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dllhost" /tr '"C:\Users\Admin\AppData\Roaming\dllhost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "dllhost" /tr '"C:\Users\Admin\AppData\Roaming\dllhost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEEA4.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1280
- - C:\Users\Admin\AppData\Roaming\dllhost.exe
    "C:\Users\Admin\AppData\Roaming\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEEA4.tmp.bat

Filesize
151B

MD5
679fbdc0ad0334956a5ba55ed22a1395

SHA1
114626996e5af092e4f466f517d354a0ef72f1cf

SHA256
b4a9f9d51bef371f2f7751c240d7d983ac4c24998a896a022b58614e0888d1e3

SHA512
1bc38e7c409b6e699b54d27df273f2a34c1b5720bc9fecafce04c28913129db82c64ea24859ec57ea4ef6a072f2b8b870b1df0d4f6fb690c4f759f95dc0d1d88

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
176KB

MD5
f8b8c7e30a0c98c7db0c64d4b925db75

SHA1
928ec1e03d21f51f34da1a7c801fdce9a36b3c36

SHA256
f5e715d046072f8716f662bb86a02be3f13dd984ed207562c9e8e3feb6aeab40

SHA512
67d7c8c62877a0d274089ef062a85e1b0622bcb6ccfc86d3bd9234973af514e211c4a3043504c597429ade35524f314efecea75a4695bf5489e282fef3cedef3

Download Submit
C:\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
176KB

MD5
f8b8c7e30a0c98c7db0c64d4b925db75

SHA1
928ec1e03d21f51f34da1a7c801fdce9a36b3c36

SHA256
f5e715d046072f8716f662bb86a02be3f13dd984ed207562c9e8e3feb6aeab40

SHA512
67d7c8c62877a0d274089ef062a85e1b0622bcb6ccfc86d3bd9234973af514e211c4a3043504c597429ade35524f314efecea75a4695bf5489e282fef3cedef3

Download Submit
\Users\Admin\AppData\Roaming\dllhost.exe

Filesize
176KB

MD5
f8b8c7e30a0c98c7db0c64d4b925db75

SHA1
928ec1e03d21f51f34da1a7c801fdce9a36b3c36

SHA256
f5e715d046072f8716f662bb86a02be3f13dd984ed207562c9e8e3feb6aeab40

SHA512
67d7c8c62877a0d274089ef062a85e1b0622bcb6ccfc86d3bd9234973af514e211c4a3043504c597429ade35524f314efecea75a4695bf5489e282fef3cedef3

Download Submit
memory/520-65-0x0000000000EC0000-0x0000000000EF2000-memory.dmp

Filesize
200KB

Download
memory/1476-54-0x0000000000A50000-0x0000000000A82000-memory.dmp

Filesize
200KB

Download
memory/1476-55-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads