asyncrat | 7a1294dd26b7c726bc22f9771ca66d8ce6191bd6aa91154059965dcdc0f7510d

General

Target

DOC_20221012_094045716.scr
Size

406.0MB
MD5

e95cc5f4f2be88cdd778ddb951e287e4
SHA1

478fca06aeb68ab97d2e99c1436b4cc3370ec6d9
SHA256

e5b25e4f90530ff9fad1f617d8347f497a8bdba07e707f522564132a5bfab0b5
SHA512

23f420f9e904ab6b2d8954ef2232cd8b84560c8f856bc83e74d8eb17228def2dc6be09db8aa7f8a67d5914be2e2e228cd483d818602a79397f96c709c5e5c49a
SSDEEP

3072:M+rR+Y6VgvQdJK0vtNZg/V7S+O+dvvAun:M+BFI3vtNZNH+dv

Score

10^/10

asyncrat oct 11 rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Oct 11

C2

donzola.duckdns.org:2000

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2784-136-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Executes dropped EXE 3 IoCs

Processes:

Windows Media Player Network Sharing Service.exeWindows Media Player Network Sharing Service.exeWindows Media Player Network Sharing Service.exe

pid	process
3872	Windows Media Player Network Sharing Service.exe
4120	Windows Media Player Network Sharing Service.exe
3580	Windows Media Player Network Sharing Service.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

DOC_20221012_094045716.scrWindows Media Player Network Sharing Service.exe

description	pid	process	target process
PID 2348 set thread context of 2784	2348	DOC_20221012_094045716.scr	DOC_20221012_094045716.scr
PID 3872 set thread context of 4120	3872	Windows Media Player Network Sharing Service.exe	Windows Media Player Network Sharing Service.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1532 schtasks.exe
3584 schtasks.exe

pid	process
1532	schtasks.exe
3584	schtasks.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

DOC_20221012_094045716.scrcmd.exeWindows Media Player Network Sharing Service.execmd.exe

description	pid	process	target process
PID 2348 wrote to memory of 2784	2348	DOC_20221012_094045716.scr	DOC_20221012_094045716.scr
PID 2348 wrote to memory of 2784	2348	DOC_20221012_094045716.scr	DOC_20221012_094045716.scr
PID 2348 wrote to memory of 2784	2348	DOC_20221012_094045716.scr	DOC_20221012_094045716.scr
PID 2348 wrote to memory of 2784	2348	DOC_20221012_094045716.scr	DOC_20221012_094045716.scr
PID 2348 wrote to memory of 2784	2348	DOC_20221012_094045716.scr	DOC_20221012_094045716.scr
PID 2348 wrote to memory of 2784	2348	DOC_20221012_094045716.scr	DOC_20221012_094045716.scr
PID 2348 wrote to memory of 2784	2348	DOC_20221012_094045716.scr	DOC_20221012_094045716.scr
PID 2348 wrote to memory of 2784	2348	DOC_20221012_094045716.scr	DOC_20221012_094045716.scr
PID 2348 wrote to memory of 2852	2348	DOC_20221012_094045716.scr	cmd.exe
PID 2348 wrote to memory of 2852	2348	DOC_20221012_094045716.scr	cmd.exe
PID 2348 wrote to memory of 2852	2348	DOC_20221012_094045716.scr	cmd.exe
PID 2348 wrote to memory of 3548	2348	DOC_20221012_094045716.scr	cmd.exe
PID 2348 wrote to memory of 3548	2348	DOC_20221012_094045716.scr	cmd.exe
PID 2348 wrote to memory of 3548	2348	DOC_20221012_094045716.scr	cmd.exe
PID 2348 wrote to memory of 1820	2348	DOC_20221012_094045716.scr	cmd.exe
PID 2348 wrote to memory of 1820	2348	DOC_20221012_094045716.scr	cmd.exe
PID 2348 wrote to memory of 1820	2348	DOC_20221012_094045716.scr	cmd.exe
PID 3548 wrote to memory of 1532	3548	cmd.exe	schtasks.exe
PID 3548 wrote to memory of 1532	3548	cmd.exe	schtasks.exe
PID 3548 wrote to memory of 1532	3548	cmd.exe	schtasks.exe
PID 3872 wrote to memory of 4120	3872	Windows Media Player Network Sharing Service.exe	Windows Media Player Network Sharing Service.exe
PID 3872 wrote to memory of 4120	3872	Windows Media Player Network Sharing Service.exe	Windows Media Player Network Sharing Service.exe
PID 3872 wrote to memory of 4120	3872	Windows Media Player Network Sharing Service.exe	Windows Media Player Network Sharing Service.exe
PID 3872 wrote to memory of 4120	3872	Windows Media Player Network Sharing Service.exe	Windows Media Player Network Sharing Service.exe
PID 3872 wrote to memory of 4120	3872	Windows Media Player Network Sharing Service.exe	Windows Media Player Network Sharing Service.exe
PID 3872 wrote to memory of 4120	3872	Windows Media Player Network Sharing Service.exe	Windows Media Player Network Sharing Service.exe
PID 3872 wrote to memory of 4120	3872	Windows Media Player Network Sharing Service.exe	Windows Media Player Network Sharing Service.exe
PID 3872 wrote to memory of 4120	3872	Windows Media Player Network Sharing Service.exe	Windows Media Player Network Sharing Service.exe
PID 3872 wrote to memory of 4524	3872	Windows Media Player Network Sharing Service.exe	cmd.exe
PID 3872 wrote to memory of 4524	3872	Windows Media Player Network Sharing Service.exe	cmd.exe
PID 3872 wrote to memory of 4524	3872	Windows Media Player Network Sharing Service.exe	cmd.exe
PID 3872 wrote to memory of 4952	3872	Windows Media Player Network Sharing Service.exe	cmd.exe
PID 3872 wrote to memory of 4952	3872	Windows Media Player Network Sharing Service.exe	cmd.exe
PID 3872 wrote to memory of 4952	3872	Windows Media Player Network Sharing Service.exe	cmd.exe
PID 3872 wrote to memory of 2084	3872	Windows Media Player Network Sharing Service.exe	cmd.exe
PID 3872 wrote to memory of 2084	3872	Windows Media Player Network Sharing Service.exe	cmd.exe
PID 3872 wrote to memory of 2084	3872	Windows Media Player Network Sharing Service.exe	cmd.exe
PID 4952 wrote to memory of 3584	4952	cmd.exe	schtasks.exe
PID 4952 wrote to memory of 3584	4952	cmd.exe	schtasks.exe
PID 4952 wrote to memory of 3584	4952	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716.scr
"C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716.scr
"C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716.scr"
2⤵
PID:2784

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
2⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1532

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\DOC_20221012_094045716.scr" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
2⤵
PID:1820

C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
"C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3872

C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
"C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
2⤵
- Executes dropped EXE
PID:4120

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service"
2⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3584

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe" "C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
2⤵
PID:2084

C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
"C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe"
1⤵
- Executes dropped EXE
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Media Player Network Sharing Service.exe.log
Filesize
612B

MD5
4bc94363628f46b343c5e8e2da62ca26

SHA1
8a41ac46e24d790e11a407d0e957c4a6be6056c4

SHA256
c8e1d0b306825b2c9a3ed32a461dd191ceb861205425fdfb687a4889684a3e1a

SHA512
cf8ede5b84ba775d8ff89752530fa899d6b2e6424549202ab782a3caa92c0d9a31e9b2f660b51eedc932a68ba25e9ec228bb965cdc183e600ea8aa5a6736f829

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
Filesize
406.0MB

MD5
e95cc5f4f2be88cdd778ddb951e287e4

SHA1
478fca06aeb68ab97d2e99c1436b4cc3370ec6d9

SHA256
e5b25e4f90530ff9fad1f617d8347f497a8bdba07e707f522564132a5bfab0b5

SHA512
23f420f9e904ab6b2d8954ef2232cd8b84560c8f856bc83e74d8eb17228def2dc6be09db8aa7f8a67d5914be2e2e228cd483d818602a79397f96c709c5e5c49a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
Filesize
406.0MB

MD5
e95cc5f4f2be88cdd778ddb951e287e4

SHA1
478fca06aeb68ab97d2e99c1436b4cc3370ec6d9

SHA256
e5b25e4f90530ff9fad1f617d8347f497a8bdba07e707f522564132a5bfab0b5

SHA512
23f420f9e904ab6b2d8954ef2232cd8b84560c8f856bc83e74d8eb17228def2dc6be09db8aa7f8a67d5914be2e2e228cd483d818602a79397f96c709c5e5c49a

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
Filesize
188.3MB

MD5
bbde032eb02ad3dedcba3cd3fd2931b3

SHA1
b3f2b3cfa1d9e632a485b8660ff150e804e13236

SHA256
6b59fb67fc2b87d06ff3e7a18d6a5776595ea4c7f759d94111dd686811e0f75a

SHA512
2f9696d283b8b6835babfe05f11027aa7035b8f09c773ae1c1a3f0f00f52c632c9668420a05791cbb7154e011bb6c78d25deb3b050b227617133f1fff45a2021

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Media Player Network Sharing Service\Windows Media Player Network Sharing Service.exe
Filesize
133.3MB

MD5
b64f1348344bd142ed4524085cd75f6e

SHA1
ee6c6ac59ed692d348cf97bc1f9abc8af3b666aa

SHA256
2dda2d29218c4dabdb8b277f21a023e7bba84654d9300c058144d0804feeff7f

SHA512
52882aaf38b76fa977b8ac5a560bfd634ffd702cada36d5386d456b8d05afdd471a0821fb5b8cf271b41810694a2e9f3b42ec364a1d99a314766cd76a1bac535

Download Submit
memory/1532-140-0x0000000000000000-mapping.dmp

Download
memory/1820-139-0x0000000000000000-mapping.dmp

Download
memory/2084-148-0x0000000000000000-mapping.dmp

Download
memory/2348-132-0x0000000000810000-0x0000000000830000-memory.dmp

Filesize
128KB

Download
memory/2348-133-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/2348-134-0x0000000005180000-0x00000000051E6000-memory.dmp

Filesize
408KB

Download
memory/2784-136-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2784-135-0x0000000000000000-mapping.dmp

Download
memory/2852-137-0x0000000000000000-mapping.dmp

Download
memory/3548-138-0x0000000000000000-mapping.dmp

Download
memory/3584-149-0x0000000000000000-mapping.dmp

Download
memory/4120-143-0x0000000000000000-mapping.dmp

Download
memory/4524-146-0x0000000000000000-mapping.dmp

Download
memory/4952-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads