asyncrat | ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90

General

Target

ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
Size

1.7MB
MD5

4520b916a8ed8d6c7ea4de7039dd0787
SHA1

948f8fa9875d528c02a965a645f09f2bccb8ea47
SHA256

ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90
SHA512

079c110de6e90a14ecae04a1abbe99f8635a569d636f6a3fff8c3c3ca765395013c9c8d91432ab295034b344bac6a24803f5510d43d30da50cc9891045d316c6
SSDEEP

12288:a9v8Y+CjeIOOUNER2Irm7rPpcrnWZQzjFeM6DJOjB9sTTHy7I/F22VZW:csH2DrYrPpcrnYQb6VOsFr8

Score

10^/10

asyncrat default persistence rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

45.137.20.108:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1800-146-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cnrsel = "\"C:\\Users\\Admin\\AppData\\Roaming\\Deghqq\\Cnrsel.exe\""	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

description	pid	process	target process
PID 1868 set thread context of 1800	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4928 1800 WerFault.exe ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

pid process

176 powershell.exe
176 powershell.exe
1800 ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

pid	pid_target	process	target process
4928	1800	WerFault.exe	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

pid	process
176	powershell.exe
176	powershell.exe
1800	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exepowershell.exeea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

description	pid	process
Token: SeDebugPrivilege	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
Token: SeDebugPrivilege	176	powershell.exe
Token: SeDebugPrivilege	1800	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

description	pid	process	target process
PID 1868 wrote to memory of 176	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	powershell.exe
PID 1868 wrote to memory of 176	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	powershell.exe
PID 1868 wrote to memory of 176	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	powershell.exe
PID 1868 wrote to memory of 1800	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
PID 1868 wrote to memory of 1800	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
PID 1868 wrote to memory of 1800	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
PID 1868 wrote to memory of 1800	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
PID 1868 wrote to memory of 1800	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
PID 1868 wrote to memory of 1800	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
PID 1868 wrote to memory of 1800	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
PID 1868 wrote to memory of 1800	1868	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe	ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe

C:\Users\Admin\AppData\Local\Temp\ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
"C:\Users\Admin\AppData\Local\Temp\ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:176

C:\Users\Admin\AppData\Local\Temp\ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
C:\Users\Admin\AppData\Local\Temp\ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2736
3⤵
- Program crash
PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1800 -ip 1800
1⤵
PID:1788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ea54fb8199336bf53f9a7df8f48bb0ae03292b9896223ac86b70df0696e74d90.exe.log
Filesize
1KB

MD5
3da8c0e0973f3328da5363ce1d655b26

SHA1
12e5547ce28ac5e8b8cfea10cb228fdb207f3d6f

SHA256
1986c5a00286a7bbb272103161f960b11d47e6b67900eaa14e0160bc7d27ca94

SHA512
7a351d62d80a19a1682b54a8850afbb58819f03a7beae9b1feac7246a2d7f275e253ed40e4a9f3ecfecbca4420dae2571cf88872c8543221d490b51949e949c4

Download Submit
memory/176-144-0x00000000061F0000-0x000000000620A000-memory.dmp

Filesize
104KB

Download
memory/176-141-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/176-142-0x0000000005D00000-0x0000000005D1E000-memory.dmp

Filesize
120KB

Download
memory/176-143-0x00000000073A0000-0x0000000007A1A000-memory.dmp

Filesize
6.5MB

Download
memory/176-137-0x0000000000000000-mapping.dmp

Download
memory/176-138-0x0000000002730000-0x0000000002766000-memory.dmp

Filesize
216KB

Download
memory/176-139-0x0000000004F50000-0x0000000005578000-memory.dmp

Filesize
6.2MB

Download
memory/176-140-0x0000000004DE0000-0x0000000004E46000-memory.dmp

Filesize
408KB

Download
memory/1800-146-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1800-145-0x0000000000000000-mapping.dmp

Download
memory/1800-148-0x00000000065D0000-0x000000000666C000-memory.dmp

Filesize
624KB

Download
memory/1800-149-0x00000000079D0000-0x0000000007A46000-memory.dmp

Filesize
472KB

Download
memory/1800-150-0x00000000079B0000-0x00000000079CE000-memory.dmp

Filesize
120KB

Download
memory/1868-135-0x0000000005900000-0x000000000590A000-memory.dmp

Filesize
40KB

Download
memory/1868-136-0x0000000008300000-0x0000000008322000-memory.dmp

Filesize
136KB

Download
memory/1868-132-0x0000000000D00000-0x0000000000EBE000-memory.dmp

Filesize
1.7MB

Download
memory/1868-134-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/1868-133-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads