asyncrat | 5e8c61b17135bc249ad576d94d4ab70f0c8e4b87fb13181d2ba6b56750d897f4

General

Target

5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe
Size

4.2MB
MD5

45177df44d074eee7a644ff06bdbf462
SHA1

4dcdb661bb99370beea4423e71ec322e8d13a0d0
SHA256

5e8c61b17135bc249ad576d94d4ab70f0c8e4b87fb13181d2ba6b56750d897f4
SHA512

46abe4164981147ab64c2c860c5887a181f060964c16fdc8e8f5d5b89f7f4459098a29381234595142dccd21883fc89fca4dddc97304d963f0d1809584a1fa34
SSDEEP

98304:tD4WgEZwKnxnA5OCdJR3xLzgI8IP7lSkQuIXFtN:eW3wKnxnaR3F0I8IPZSkQuIX/

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

Botnet

Default

C2

milla.publicvm.com:6606

milla.publicvm.com:7707

milla.publicvm.com:8808

Mutex

hzizmtfuyizxxugkf

Attributes

delay
40
install
true
install_file
cclaner.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/996-55-0x0000000000380000-0x0000000000392000-memory.dmp	asyncrat
behavioral1/memory/984-67-0x0000000000620000-0x0000000000632000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

cclaner.exe

pid process

984 cclaner.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1480 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1680 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1292 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe

pid process

996 5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe

description pid process

Token: SeDebugPrivilege 996 5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe

pid	process
984	cclaner.exe

pid	process
1480	cmd.exe

pid	process
1680	schtasks.exe

pid	process
1292	timeout.exe

pid	process
996	5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe

description	pid	process
Token: SeDebugPrivilege	996	5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.execmd.execmd.exe

description	pid	process	target process
PID 996 wrote to memory of 1144	996	5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe	cmd.exe
PID 996 wrote to memory of 1144	996	5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe	cmd.exe
PID 996 wrote to memory of 1144	996	5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe	cmd.exe
PID 996 wrote to memory of 1144	996	5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe	cmd.exe
PID 996 wrote to memory of 1480	996	5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe	cmd.exe
PID 996 wrote to memory of 1480	996	5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe	cmd.exe
PID 996 wrote to memory of 1480	996	5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe	cmd.exe
PID 996 wrote to memory of 1480	996	5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe	cmd.exe
PID 1480 wrote to memory of 1292	1480	cmd.exe	timeout.exe
PID 1480 wrote to memory of 1292	1480	cmd.exe	timeout.exe
PID 1480 wrote to memory of 1292	1480	cmd.exe	timeout.exe
PID 1480 wrote to memory of 1292	1480	cmd.exe	timeout.exe
PID 1144 wrote to memory of 1680	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 1680	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 1680	1144	cmd.exe	schtasks.exe
PID 1144 wrote to memory of 1680	1144	cmd.exe	schtasks.exe
PID 1480 wrote to memory of 984	1480	cmd.exe	cclaner.exe
PID 1480 wrote to memory of 984	1480	cmd.exe	cclaner.exe
PID 1480 wrote to memory of 984	1480	cmd.exe	cclaner.exe
PID 1480 wrote to memory of 984	1480	cmd.exe	cclaner.exe

C:\Users\Admin\AppData\Local\Temp\5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe
"C:\Users\Admin\AppData\Local\Temp\5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /ru system /rl highest /tn 5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131 /tr '"C:\Users\Admin\AppData\Roaming\cclaner.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /ru system /rl highest /tn 5E8C61B17135BC249AD576D94D4AB70F0C8E4B87FB131 /tr '"C:\Users\Admin\AppData\Roaming\cclaner.exe"'
3⤵
- Creates scheduled task(s)
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5726.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1292

C:\Users\Admin\AppData\Roaming\cclaner.exe
"C:\Users\Admin\AppData\Roaming\cclaner.exe"
3⤵
- Executes dropped EXE
PID:984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5726.tmp.bat
Filesize
151B

MD5
add1b6bb07d58f5508ef6bd78a9282dc

SHA1
0ab1aa077183147a4839791041bd884e21ae0288

SHA256
a1fbe2a6a3f3516d02edd68d29fe8751972734d93641b03340c85e2c2fe31604

SHA512
47097473b7d472f7162d7e663f05c589b224b11945b55f1cbb6c905479fa6fbe47ace29898b415cffea8928eff05bb1de2b07082a3471fb39ea89483df87e49d

Download Submit
C:\Users\Admin\AppData\Roaming\cclaner.exe
Filesize
4.2MB

MD5
45177df44d074eee7a644ff06bdbf462

SHA1
4dcdb661bb99370beea4423e71ec322e8d13a0d0

SHA256
5e8c61b17135bc249ad576d94d4ab70f0c8e4b87fb13181d2ba6b56750d897f4

SHA512
46abe4164981147ab64c2c860c5887a181f060964c16fdc8e8f5d5b89f7f4459098a29381234595142dccd21883fc89fca4dddc97304d963f0d1809584a1fa34

Download Submit
C:\Users\Admin\AppData\Roaming\cclaner.exe
Filesize
4.2MB

MD5
45177df44d074eee7a644ff06bdbf462

SHA1
4dcdb661bb99370beea4423e71ec322e8d13a0d0

SHA256
5e8c61b17135bc249ad576d94d4ab70f0c8e4b87fb13181d2ba6b56750d897f4

SHA512
46abe4164981147ab64c2c860c5887a181f060964c16fdc8e8f5d5b89f7f4459098a29381234595142dccd21883fc89fca4dddc97304d963f0d1809584a1fa34

Download Submit
\Users\Admin\AppData\Roaming\cclaner.exe
Filesize
4.2MB

MD5
45177df44d074eee7a644ff06bdbf462

SHA1
4dcdb661bb99370beea4423e71ec322e8d13a0d0

SHA256
5e8c61b17135bc249ad576d94d4ab70f0c8e4b87fb13181d2ba6b56750d897f4

SHA512
46abe4164981147ab64c2c860c5887a181f060964c16fdc8e8f5d5b89f7f4459098a29381234595142dccd21883fc89fca4dddc97304d963f0d1809584a1fa34

Download Submit
memory/984-67-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/984-66-0x0000000000F50000-0x0000000001384000-memory.dmp

Filesize
4.2MB

Download
memory/984-64-0x0000000000000000-mapping.dmp

Download
memory/996-55-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/996-56-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/996-54-0x0000000001190000-0x00000000015C4000-memory.dmp

Filesize
4.2MB

Download
memory/1144-57-0x0000000000000000-mapping.dmp

Download
memory/1292-60-0x0000000000000000-mapping.dmp

Download
memory/1480-58-0x0000000000000000-mapping.dmp

Download
memory/1680-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads