asyncrat | 80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96

General

Target

80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe
Size

83KB
MD5

56908392d21ec7d8be04f7bbd59732c2
SHA1

c864ef983e05ec65fcb4c9ef19444eef8728cc2b
SHA256

80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96
SHA512

6d6aa7cc3bc963d8c0ed2eca6250f6a09ca69228704dabf5998bf8069708fbe4739a8e4ca47086cd937984b58c029af239442ac6227335320e51fc6d40e9e981
SSDEEP

1536:msGVpglGkHHFwPtwKOl2Dp+jZuMzJAGdjl:NV9OFtOAQQMzJVdjl

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

2.58.56.22:5211

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_file
Spoofer.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1112-62-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1112-63-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1112-65-0x000000000041093E-mapping.dmp	asyncrat
behavioral1/memory/1112-64-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1112-67-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1112-69-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "C:\\Program Files (x86)\\vlc\\vlc.exe"	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe

description	pid	process	target process
PID 1840 set thread context of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe

Drops file in Program Files directory 1 IoCs

Processes:

80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe

description ioc process

File created C:\Program Files (x86)\vlc\vlc.exe 80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1356 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1356 powershell.exe
Token: SeDebugPrivilege 1112 RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\vlc\vlc.exe	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe

pid	process
1356	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1112	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe

description	pid	process	target process
PID 1840 wrote to memory of 1356	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	powershell.exe
PID 1840 wrote to memory of 1356	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	powershell.exe
PID 1840 wrote to memory of 1356	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	powershell.exe
PID 1840 wrote to memory of 1356	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	powershell.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe
PID 1840 wrote to memory of 1112	1840	80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe
"C:\Users\Admin\AppData\Local\Temp\80f785a35f7487df96bb17b1fe2a67f188417ad017db8efac8d83b3858efcd96.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'vlc';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'vlc' -Value '"C:\Program Files (x86)\vlc\vlc.exe"' -PropertyType 'String'
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1112-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1112-69-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1112-65-0x000000000041093E-mapping.dmp

Download
memory/1112-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1112-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1112-67-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1112-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1356-57-0x0000000000000000-mapping.dmp

Download
memory/1356-71-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/1356-72-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-55-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1840-54-0x0000000000EA0000-0x0000000000EBA000-memory.dmp

Filesize
104KB

Download
memory/1840-56-0x0000000000230000-0x000000000024A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads