asyncrat | 43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

General

Target

0x000a0000000122e5-58.exe
Size

45KB
MD5

9e320f6163f8d53462d45fbebc282c64
SHA1

b2e0a591204581e78f0ae85ff42a7ca02542e2ae
SHA256

43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5
SHA512

4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65
SSDEEP

768:7uYK9T3kH1jWUvmqRmo2qb0befKoClbPImzjbLgX3iqftcnWDGgjovSTBDZLx:7uYK9T34l2vyyoJm3b0XSqVDJjoS1dLx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

fresh02.ddns.net:2245

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
logs.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3112-132-0x0000000000640000-0x0000000000652000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\logs.exe	asyncrat
C:\Users\Admin\AppData\Roaming\logs.exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

logs.exe

pid process

988 logs.exe

pid	process
988	logs.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0x000a0000000122e5-58.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	0x000a0000000122e5-58.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4700 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1252 timeout.exe

pid	process
4700	schtasks.exe

pid	process
1252	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

0x000a0000000122e5-58.exe

pid	process
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe
3112	0x000a0000000122e5-58.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0x000a0000000122e5-58.exelogs.exe

description pid process

Token: SeDebugPrivilege 3112 0x000a0000000122e5-58.exe
Token: SeDebugPrivilege 988 logs.exe

description	pid	process
Token: SeDebugPrivilege	3112	0x000a0000000122e5-58.exe
Token: SeDebugPrivilege	988	logs.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0x000a0000000122e5-58.execmd.execmd.exe

description	pid	process	target process
PID 3112 wrote to memory of 2980	3112	0x000a0000000122e5-58.exe	cmd.exe
PID 3112 wrote to memory of 2980	3112	0x000a0000000122e5-58.exe	cmd.exe
PID 3112 wrote to memory of 2980	3112	0x000a0000000122e5-58.exe	cmd.exe
PID 3112 wrote to memory of 2268	3112	0x000a0000000122e5-58.exe	cmd.exe
PID 3112 wrote to memory of 2268	3112	0x000a0000000122e5-58.exe	cmd.exe
PID 3112 wrote to memory of 2268	3112	0x000a0000000122e5-58.exe	cmd.exe
PID 2980 wrote to memory of 4700	2980	cmd.exe	schtasks.exe
PID 2980 wrote to memory of 4700	2980	cmd.exe	schtasks.exe
PID 2980 wrote to memory of 4700	2980	cmd.exe	schtasks.exe
PID 2268 wrote to memory of 1252	2268	cmd.exe	timeout.exe
PID 2268 wrote to memory of 1252	2268	cmd.exe	timeout.exe
PID 2268 wrote to memory of 1252	2268	cmd.exe	timeout.exe
PID 2268 wrote to memory of 988	2268	cmd.exe	logs.exe
PID 2268 wrote to memory of 988	2268	cmd.exe	logs.exe
PID 2268 wrote to memory of 988	2268	cmd.exe	logs.exe

C:\Users\Admin\AppData\Local\Temp\0x000a0000000122e5-58.exe
"C:\Users\Admin\AppData\Local\Temp\0x000a0000000122e5-58.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "logs" /tr '"C:\Users\Admin\AppData\Roaming\logs.exe"'
3⤵
- Creates scheduled task(s)
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFC27.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1252

C:\Users\Admin\AppData\Roaming\logs.exe
"C:\Users\Admin\AppData\Roaming\logs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFC27.tmp.bat
Filesize
148B

MD5
e29cfe6718ba3813a311a53e8671e787

SHA1
1e35909dab1e18446bb727fbe2cff5d491c38bbc

SHA256
5e7ae36cddf23a5f320f3e1e5900b7e51e18ba20d3a969e4432882d9512ac498

SHA512
ccd75ab62af1fd97c160635d5bfac0621b830afca499881cef3fee11d8aa5585235896b8c7dba7c9970de9abee0be339e6a3cd4c8ce302720ebcede41f34a846

Download Submit
C:\Users\Admin\AppData\Roaming\logs.exe
Filesize
45KB

MD5
9e320f6163f8d53462d45fbebc282c64

SHA1
b2e0a591204581e78f0ae85ff42a7ca02542e2ae

SHA256
43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

SHA512
4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Download Submit
C:\Users\Admin\AppData\Roaming\logs.exe
Filesize
45KB

MD5
9e320f6163f8d53462d45fbebc282c64

SHA1
b2e0a591204581e78f0ae85ff42a7ca02542e2ae

SHA256
43356bfd3875d34f14405392208bc7f3c6f71d7fea011ab9acf922acc8c589c5

SHA512
4c6d6a76f335d43b36866a0923ed8b6b685761ae61f3910b9c02df2fa60374fe3b6f53361e2d73ff3f5d0243e406aa337682d82c9f923dcf98f98345e727ad65

Download Submit
memory/988-139-0x0000000000000000-mapping.dmp

Download
memory/1252-138-0x0000000000000000-mapping.dmp

Download
memory/2268-135-0x0000000000000000-mapping.dmp

Download
memory/2980-134-0x0000000000000000-mapping.dmp

Download
memory/3112-132-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/3112-133-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download
memory/4700-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads