asyncrat | c23720918a8e7437696b641fad5fe9b76ac0cea2269ed1e741113c77e434cc00

Analysis

max time kernel
56s
max time network
60s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

091087e7aa7c350baaf2bcd98e904a1c.exe
Size

208KB
MD5

091087e7aa7c350baaf2bcd98e904a1c
SHA1

2267aa2069e727acd7c68389655948173898c92a
SHA256

c23720918a8e7437696b641fad5fe9b76ac0cea2269ed1e741113c77e434cc00
SHA512

1e0cc48aef8147de5ddc7e04486761fd8a3fa4d11f4b68d8d21c9cc25d54e2e94f0d2f967e1b252597b52a7b6039f2ca3be6cca1248cd7586d7f56525fdf3505
SSDEEP

3072:kuoETxoZ2p3h3ba1UQXVe2CYCtSZZZZ8Ux:kuoz873b/klCYCtSZZZZ8W

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1388-54-0x00000000012D0000-0x000000000130A000-memory.dmp	asyncrat
behavioral1/memory/1388-56-0x00000000008B0000-0x00000000008D6000-memory.dmp	asyncrat
behavioral1/memory/1388-57-0x0000000000C80000-0x0000000000CA4000-memory.dmp	asyncrat

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2756 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2784 timeout.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

091087e7aa7c350baaf2bcd98e904a1c.exe

description pid process

Token: SeDebugPrivilege 1388 091087e7aa7c350baaf2bcd98e904a1c.exe
Token: SeDebugPrivilege 1388 091087e7aa7c350baaf2bcd98e904a1c.exe

pid	process
2756	cmd.exe

pid	process
2784	timeout.exe

description	pid	process
Token: SeDebugPrivilege	1388	091087e7aa7c350baaf2bcd98e904a1c.exe
Token: SeDebugPrivilege	1388	091087e7aa7c350baaf2bcd98e904a1c.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

091087e7aa7c350baaf2bcd98e904a1c.execmd.exe

description	pid	process	target process
PID 1388 wrote to memory of 2756	1388	091087e7aa7c350baaf2bcd98e904a1c.exe	cmd.exe
PID 1388 wrote to memory of 2756	1388	091087e7aa7c350baaf2bcd98e904a1c.exe	cmd.exe
PID 1388 wrote to memory of 2756	1388	091087e7aa7c350baaf2bcd98e904a1c.exe	cmd.exe
PID 1388 wrote to memory of 2756	1388	091087e7aa7c350baaf2bcd98e904a1c.exe	cmd.exe
PID 2756 wrote to memory of 2784	2756	cmd.exe	timeout.exe
PID 2756 wrote to memory of 2784	2756	cmd.exe	timeout.exe
PID 2756 wrote to memory of 2784	2756	cmd.exe	timeout.exe
PID 2756 wrote to memory of 2784	2756	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\091087e7aa7c350baaf2bcd98e904a1c.exe
"C:\Users\Admin\AppData\Local\Temp\091087e7aa7c350baaf2bcd98e904a1c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCD7A.tmp.bat""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCD7A.tmp.bat
Filesize
184B

MD5
db4f9a001ceb32b50220c3883712cf4d

SHA1
baf4fc371cb8635f05a15a85b00721aad45a5155

SHA256
960e8c6763ab73720a23a52c4e30edb2dad16eac1d2a3849fcc998e8b3b47916

SHA512
3329d64b784eca4ffce18f70d6750afaec018c83c46b039bef12a720b075e2b7b6b0c2e9c88c37dc4f9e17fb66180c032a05b096ef8ec90f8ef04f6f828442cc

Download Submit
memory/1388-54-0x00000000012D0000-0x000000000130A000-memory.dmp

Filesize
232KB

Download
memory/1388-55-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/1388-56-0x00000000008B0000-0x00000000008D6000-memory.dmp

Filesize
152KB

Download
memory/1388-57-0x0000000000C80000-0x0000000000CA4000-memory.dmp

Filesize
144KB

Download
memory/2756-58-0x0000000000000000-mapping.dmp

Download
memory/2784-60-0x0000000000000000-mapping.dmp

Download