asyncrat | dd44612801b32da18885221e9211c565eecceeef71217b5b9858b839d6f8dc0d

General

Target

tmp.exe
Size

597KB
MD5

adf266d3870069d9c6ec30091d347f68
SHA1

dc27468702ccd3139f773c72ba64d38d8a50ff07
SHA256

dd44612801b32da18885221e9211c565eecceeef71217b5b9858b839d6f8dc0d
SHA512

cf57167932dde49b92cfcb72ee84dca1df51fe66d2ca2d832488bb4d410fd1f5ed9e0e8755a8fd5de41bb96f0e40fce35fa6c678ff4c794b7077026441ba26cd
SSDEEP

6144:xSyBmqk0G78MNNhrXN8d9sx40RZGI8i6e6jherVXLw1Ig:xSycICXhrMWx/4Iae6VkXUWg

Score

10^/10

asyncrat smokeloader backdoor persistence rat trojan

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Detects Smokeloader packer 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/540-93-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/540-94-0x0000000000402EBC-mapping.dmp	family_smokeloader
behavioral1/memory/540-96-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral1/memory/540-97-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

tmp.exeldjoqq.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\ViperFolder\\FipersVWV.exe\","	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Colors\\Pink.exe\","	ldjoqq.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1408-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1408-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1408-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1408-65-0x000000000040C78E-mapping.dmp	asyncrat
behavioral1/memory/1408-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1408-69-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1408-71-0x0000000000690000-0x000000000069C000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

ldjoqq.exe

pid process

1268 ldjoqq.exe
Loads dropped DLL 1 IoCs

Processes:

powershell.exe

pid process

1516 powershell.exe

pid	process
1268	ldjoqq.exe

pid	process
1516	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp.exeldjoqq.exe

description	pid	process	target process
PID 1048 set thread context of 1408	1048	tmp.exe	RegAsm.exe
PID 1268 set thread context of 540	1268	ldjoqq.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

tmp.exepowershell.exeRegAsm.exeldjoqq.exepowershell.exeRegAsm.exe

pid	process
1048	tmp.exe
1048	tmp.exe
1048	tmp.exe
1516	powershell.exe
1408	RegAsm.exe
1516	powershell.exe
1516	powershell.exe
1268	ldjoqq.exe
1268	ldjoqq.exe
1824	powershell.exe
1268	ldjoqq.exe
1268	ldjoqq.exe
1268	ldjoqq.exe
1268	ldjoqq.exe
1268	ldjoqq.exe
540	RegAsm.exe
540	RegAsm.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

RegAsm.exe

pid process

540 RegAsm.exe

pid	process
540	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

tmp.exeRegAsm.exepowershell.exeldjoqq.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1048	tmp.exe
Token: SeDebugPrivilege	1408	RegAsm.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1268	ldjoqq.exe
Token: SeDebugPrivilege	1824	powershell.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

tmp.exeRegAsm.execmd.exepowershell.exeldjoqq.exe

description	pid	process	target process
PID 1048 wrote to memory of 648	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 648	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 648	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 648	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 648	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 648	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 648	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1048 wrote to memory of 1408	1048	tmp.exe	RegAsm.exe
PID 1408 wrote to memory of 1652	1408	RegAsm.exe	cmd.exe
PID 1408 wrote to memory of 1652	1408	RegAsm.exe	cmd.exe
PID 1408 wrote to memory of 1652	1408	RegAsm.exe	cmd.exe
PID 1408 wrote to memory of 1652	1408	RegAsm.exe	cmd.exe
PID 1652 wrote to memory of 1516	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 1516	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 1516	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 1516	1652	cmd.exe	powershell.exe
PID 1516 wrote to memory of 1268	1516	powershell.exe	ldjoqq.exe
PID 1516 wrote to memory of 1268	1516	powershell.exe	ldjoqq.exe
PID 1516 wrote to memory of 1268	1516	powershell.exe	ldjoqq.exe
PID 1516 wrote to memory of 1268	1516	powershell.exe	ldjoqq.exe
PID 1268 wrote to memory of 1824	1268	ldjoqq.exe	powershell.exe
PID 1268 wrote to memory of 1824	1268	ldjoqq.exe	powershell.exe
PID 1268 wrote to memory of 1824	1268	ldjoqq.exe	powershell.exe
PID 1268 wrote to memory of 1824	1268	ldjoqq.exe	powershell.exe
PID 1268 wrote to memory of 368	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 368	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 368	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 368	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 368	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 368	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 368	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 896	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 896	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 896	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 896	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 896	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 896	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 896	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 540	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 540	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 540	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 540	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 540	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 540	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 540	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 540	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 540	1268	ldjoqq.exe	RegAsm.exe
PID 1268 wrote to memory of 540	1268	ldjoqq.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ldjoqq.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ldjoqq.exe"'
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\ldjoqq.exe
"C:\Users\Admin\AppData\Local\Temp\ldjoqq.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
6⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
6⤵
PID:896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
6⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ldjoqq.exe
Filesize
2.3MB

MD5
a08e5952ddaaabe4b7deaf30e3e522d3

SHA1
d111978b9e2ea04f53ce48a36a4fde0e0e900ba3

SHA256
52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f

SHA512
2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldjoqq.exe
Filesize
2.3MB

MD5
a08e5952ddaaabe4b7deaf30e3e522d3

SHA1
d111978b9e2ea04f53ce48a36a4fde0e0e900ba3

SHA256
52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f

SHA512
2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
17e300ddba5a42c66170aa1856ff8fc4

SHA1
c410eb05154b49d2f7877962607bd0defadc2603

SHA256
19989017478ba768100488825f7c1a2ca97ece17dcb8371e78f6adec7d010f48

SHA512
3adf0ff35b41c0b6fe04682f659a0a3d71024739f1cc83e64885dfbdc99fbf0307fbf04461bacd3cf6718dff34bd8980220ada7427d6304adfd550d497312d17

Download Submit
\Users\Admin\AppData\Local\Temp\ldjoqq.exe
Filesize
2.3MB

MD5
a08e5952ddaaabe4b7deaf30e3e522d3

SHA1
d111978b9e2ea04f53ce48a36a4fde0e0e900ba3

SHA256
52e3418b1b6e40efcfe1f6509e91da1f2f87bcd4f815cae8d1e89a0ebd6be58f

SHA512
2f4433af151bf7cbf62087206a6bbc4a77dfbf4c5a873edf7828bd54997105f0f413afc21255ea628e648b75c4b82f6a1d402d00fa9f21d01a4013e504195cea

Download Submit
memory/540-90-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/540-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/540-93-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/540-94-0x0000000000402EBC-mapping.dmp

Download
memory/540-96-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/540-97-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1048-58-0x0000000000AF0000-0x0000000000B3C000-memory.dmp

Filesize
304KB

Download
memory/1048-57-0x0000000000A80000-0x0000000000AB0000-memory.dmp

Filesize
192KB

Download
memory/1048-56-0x0000000000340000-0x0000000000392000-memory.dmp

Filesize
328KB

Download
memory/1048-55-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1048-54-0x0000000000BA0000-0x0000000000C3C000-memory.dmp

Filesize
624KB

Download
memory/1268-80-0x00000000003A0000-0x00000000005F6000-memory.dmp

Filesize
2.3MB

Download
memory/1268-78-0x0000000000000000-mapping.dmp

Download
memory/1268-81-0x00000000008E0000-0x0000000000988000-memory.dmp

Filesize
672KB

Download
memory/1268-82-0x0000000004AC0000-0x0000000004B52000-memory.dmp

Filesize
584KB

Download
memory/1408-71-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/1408-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1408-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1408-65-0x000000000040C78E-mapping.dmp

Download
memory/1408-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1408-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1408-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1408-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1408-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1516-75-0x000000006F0D0000-0x000000006F67B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-83-0x000000006F0D0000-0x000000006F67B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-73-0x0000000000000000-mapping.dmp

Download
memory/1652-72-0x0000000000000000-mapping.dmp

Download
memory/1824-89-0x000000006E000000-0x000000006E5AB000-memory.dmp

Filesize
5.7MB

Download
memory/1824-88-0x000000006E000000-0x000000006E5AB000-memory.dmp

Filesize
5.7MB

Download
memory/1824-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads