asyncrat | 8e01aa31c94e31de086a742c522520282d8b7fb784bc1875e0c005debfa77a4a

General

Target

tmp.exe
Size

641KB
MD5

cd67ba75d4806b402025205991a2c21a
SHA1

b7da7ff58dd3a75dfcf1998798120cde3af9b50f
SHA256

8e01aa31c94e31de086a742c522520282d8b7fb784bc1875e0c005debfa77a4a
SHA512

94cc00ba428fb1befeb4c3480cfc5f6eb63ac2dbd83b9da701453196b3aab6c6d060363c8c2b01d3e7a6a85836992e705546231fe21e6af38d5ca4eaa8775fa8
SSDEEP

12288:ckBnMd/SN7xFGPYsUEeBujfFT6QGJ26ThJkXvJvwgebrXB4X:c1/nXp6urFT6QGJHhCXSzfe

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

195.133.18.181:8878

Mutex

DcRatMutex_qwqdanchunadsadasadda

Attributes

delay
1
install
true
install_file
ExacqVision.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1488-135-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

ExacqVision.exeExacqVision.exe

pid process

4360 ExacqVision.exe
3440 ExacqVision.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tmp.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation tmp.exe

pid	process
4360	ExacqVision.exe
3440	ExacqVision.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp.exeExacqVision.exe

description	pid	process	target process
PID 4568 set thread context of 1488	4568	tmp.exe	tmp.exe
PID 4360 set thread context of 3440	4360	ExacqVision.exe	ExacqVision.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1292 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

448 timeout.exe

pid	process
1292	schtasks.exe

pid	process
448	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

tmp.exe

pid	process
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe
1488	tmp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exetmp.exeExacqVision.exeExacqVision.exe

description	pid	process
Token: SeDebugPrivilege	4568	tmp.exe
Token: SeDebugPrivilege	1488	tmp.exe
Token: SeDebugPrivilege	4360	ExacqVision.exe
Token: SeDebugPrivilege	3440	ExacqVision.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

tmp.exetmp.execmd.execmd.exeExacqVision.exe

description	pid	process	target process
PID 4568 wrote to memory of 1488	4568	tmp.exe	tmp.exe
PID 4568 wrote to memory of 1488	4568	tmp.exe	tmp.exe
PID 4568 wrote to memory of 1488	4568	tmp.exe	tmp.exe
PID 4568 wrote to memory of 1488	4568	tmp.exe	tmp.exe
PID 4568 wrote to memory of 1488	4568	tmp.exe	tmp.exe
PID 4568 wrote to memory of 1488	4568	tmp.exe	tmp.exe
PID 4568 wrote to memory of 1488	4568	tmp.exe	tmp.exe
PID 4568 wrote to memory of 1488	4568	tmp.exe	tmp.exe
PID 1488 wrote to memory of 4640	1488	tmp.exe	cmd.exe
PID 1488 wrote to memory of 4640	1488	tmp.exe	cmd.exe
PID 1488 wrote to memory of 4640	1488	tmp.exe	cmd.exe
PID 1488 wrote to memory of 3296	1488	tmp.exe	cmd.exe
PID 1488 wrote to memory of 3296	1488	tmp.exe	cmd.exe
PID 1488 wrote to memory of 3296	1488	tmp.exe	cmd.exe
PID 3296 wrote to memory of 448	3296	cmd.exe	timeout.exe
PID 3296 wrote to memory of 448	3296	cmd.exe	timeout.exe
PID 3296 wrote to memory of 448	3296	cmd.exe	timeout.exe
PID 4640 wrote to memory of 1292	4640	cmd.exe	schtasks.exe
PID 4640 wrote to memory of 1292	4640	cmd.exe	schtasks.exe
PID 4640 wrote to memory of 1292	4640	cmd.exe	schtasks.exe
PID 3296 wrote to memory of 4360	3296	cmd.exe	ExacqVision.exe
PID 3296 wrote to memory of 4360	3296	cmd.exe	ExacqVision.exe
PID 3296 wrote to memory of 4360	3296	cmd.exe	ExacqVision.exe
PID 4360 wrote to memory of 3440	4360	ExacqVision.exe	ExacqVision.exe
PID 4360 wrote to memory of 3440	4360	ExacqVision.exe	ExacqVision.exe
PID 4360 wrote to memory of 3440	4360	ExacqVision.exe	ExacqVision.exe
PID 4360 wrote to memory of 3440	4360	ExacqVision.exe	ExacqVision.exe
PID 4360 wrote to memory of 3440	4360	ExacqVision.exe	ExacqVision.exe
PID 4360 wrote to memory of 3440	4360	ExacqVision.exe	ExacqVision.exe
PID 4360 wrote to memory of 3440	4360	ExacqVision.exe	ExacqVision.exe
PID 4360 wrote to memory of 3440	4360	ExacqVision.exe	ExacqVision.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ExacqVision" /tr '"C:\Users\Admin\AppData\Local\Temp\ExacqVision.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "ExacqVision" /tr '"C:\Users\Admin\AppData\Local\Temp\ExacqVision.exe"'
4⤵
- Creates scheduled task(s)
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC0D.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:448

C:\Users\Admin\AppData\Local\Temp\ExacqVision.exe
"C:\Users\Admin\AppData\Local\Temp\ExacqVision.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\ExacqVision.exe
C:\Users\Admin\AppData\Local\Temp\ExacqVision.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ExacqVision.exe.log
Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log
Filesize
1KB

MD5
7e88081fcf716d85992bb3af3d9b6454

SHA1
2153780fbc71061b0102a7a7b665349e1013e250

SHA256
5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

SHA512
ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExacqVision.exe
Filesize
641KB

MD5
cd67ba75d4806b402025205991a2c21a

SHA1
b7da7ff58dd3a75dfcf1998798120cde3af9b50f

SHA256
8e01aa31c94e31de086a742c522520282d8b7fb784bc1875e0c005debfa77a4a

SHA512
94cc00ba428fb1befeb4c3480cfc5f6eb63ac2dbd83b9da701453196b3aab6c6d060363c8c2b01d3e7a6a85836992e705546231fe21e6af38d5ca4eaa8775fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExacqVision.exe
Filesize
641KB

MD5
cd67ba75d4806b402025205991a2c21a

SHA1
b7da7ff58dd3a75dfcf1998798120cde3af9b50f

SHA256
8e01aa31c94e31de086a742c522520282d8b7fb784bc1875e0c005debfa77a4a

SHA512
94cc00ba428fb1befeb4c3480cfc5f6eb63ac2dbd83b9da701453196b3aab6c6d060363c8c2b01d3e7a6a85836992e705546231fe21e6af38d5ca4eaa8775fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExacqVision.exe
Filesize
641KB

MD5
cd67ba75d4806b402025205991a2c21a

SHA1
b7da7ff58dd3a75dfcf1998798120cde3af9b50f

SHA256
8e01aa31c94e31de086a742c522520282d8b7fb784bc1875e0c005debfa77a4a

SHA512
94cc00ba428fb1befeb4c3480cfc5f6eb63ac2dbd83b9da701453196b3aab6c6d060363c8c2b01d3e7a6a85836992e705546231fe21e6af38d5ca4eaa8775fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC0D.tmp.bat
Filesize
158B

MD5
5634c56a8a26f1923d41c623d5501a5e

SHA1
98af38226fee739b2bc52d514dae11de88c35e68

SHA256
f76119430369c8f870c7a566ab8f1ee350a87ebc0c85ca4676b4c5f800f2cc3b

SHA512
53280a4b0f5897eeb0658d76d3f002009ffcc9ca758febe7a1f820886d92e4ccf90291969e4663ee21bc6f850c8e96db9c018bd502a35e7afa778db8100f392b

Download Submit
memory/448-140-0x0000000000000000-mapping.dmp

Download
memory/1292-141-0x0000000000000000-mapping.dmp

Download
memory/1488-134-0x0000000000000000-mapping.dmp

Download
memory/1488-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3296-138-0x0000000000000000-mapping.dmp

Download
memory/3440-145-0x0000000000000000-mapping.dmp

Download
memory/4360-142-0x0000000000000000-mapping.dmp

Download
memory/4568-132-0x00000000005E0000-0x0000000000686000-memory.dmp

Filesize
664KB

Download
memory/4568-133-0x0000000005320000-0x0000000005342000-memory.dmp

Filesize
136KB

Download
memory/4640-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads