asyncrat | cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7

Analysis

max time kernel
171s
max time network
227s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
Size

939KB
MD5

e82a69162887a5979d6fd396117d7052
SHA1

d6f489eea38eec8485bd447da0a73c64511b51c3
SHA256

cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7
SHA512

33161293699e8c2bdd605603390bf2e5ce5f32d789b014bcd93a4cbe676f1fd9c8b73edc30235acbcc265bd9e90b0cb84238acc9d79b91123e2bdd96cc619358
SSDEEP

6144:SmEB85lH1t7r81Zw/2II/8FtT5wkLB38Uq785t6lD68a8iV4Ifb8P8CkFts2pPYP:

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

192.168.43.64:6606

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2208-137-0x0000000000400000-0x0000000000422000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe

description	pid	process	target process
PID 348 set thread context of 2208	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe

pid	process
348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe

description pid process

Token: SeDebugPrivilege 348 cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe

description	pid	process
Token: SeDebugPrivilege	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe

description	pid	process	target process
PID 348 wrote to memory of 4408	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
PID 348 wrote to memory of 4408	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
PID 348 wrote to memory of 4408	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
PID 348 wrote to memory of 2208	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
PID 348 wrote to memory of 2208	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
PID 348 wrote to memory of 2208	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
PID 348 wrote to memory of 2208	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
PID 348 wrote to memory of 2208	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
PID 348 wrote to memory of 2208	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
PID 348 wrote to memory of 2208	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
PID 348 wrote to memory of 2208	348	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe	cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe

C:\Users\Admin\AppData\Local\Temp\cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
"C:\Users\Admin\AppData\Local\Temp\cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:348

C:\Users\Admin\AppData\Local\Temp\cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
"C:\Users\Admin\AppData\Local\Temp\cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe"
2⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe
"C:\Users\Admin\AppData\Local\Temp\cb21e1a00c4e4a0e70f3cc95396382dba1782c789962544ec64b81453c84d2c7.exe"
2⤵
PID:2208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/348-132-0x0000000000510000-0x0000000000600000-memory.dmp

Filesize
960KB

Download
memory/348-133-0x0000000004F40000-0x0000000004FDC000-memory.dmp

Filesize
624KB

Download
memory/348-134-0x00000000057C0000-0x0000000005D64000-memory.dmp

Filesize
5.6MB

Download
memory/2208-136-0x0000000000000000-mapping.dmp

Download
memory/2208-137-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4408-135-0x0000000000000000-mapping.dmp

Download