asyncrat | f0b7a0368fc27d98d42efd4e9c9dd2c252e5fcaaf13ffd67b3c545ec5b1c53e9

Analysis

max time kernel
153s
max time network
207s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 07:58

Target

a.exe
Size

1.4MB
MD5

8a627782b855f06a3d6d273d11f04f46
SHA1

30570c697533fc3fc7a19ad5d4bc3753f2cf1c0b
SHA256

f0b7a0368fc27d98d42efd4e9c9dd2c252e5fcaaf13ffd67b3c545ec5b1c53e9
SHA512

211fed71bcb75201380921a7de7bf8b88c451a5125f751be616a1775ad3c6a1d59ecc77aa997b053583c1a7d6419e4cfa8ff9bc99d50d1440bf34943d2c1a578
SSDEEP

24576:xirh2DKsuoIj4G6KFined4e5+MRicaRT4D2aKpq9ZEjrTnFOyzhyz:Ir0DfFpG6S68+KaRTWNKpEEfTnF

Score

10^/10

Family

asyncrat

Version

XieBroRAT-1.7

Botnet

Default

127.0.0.1:8880

8079048a.e2.luyouxia.net:8880

Mutex

gorousdwoqxqqq

Attributes

aes.plain

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1376-66-0x00000000029A0000-0x00000000029B2000-memory.dmp	asyncrat

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

8 1376 powershell.exe
10 1376 powershell.exe
11 1376 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1376 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1376 powershell.exe
Token: SeDebugPrivilege 1376 powershell.exe

pid	process
1376	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a.exe

description	pid	process	target process
PID 1208 wrote to memory of 1376	1208	a.exe	powershell.exe
PID 1208 wrote to memory of 1376	1208	a.exe	powershell.exe
PID 1208 wrote to memory of 1376	1208	a.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\ProgramData\test.ps1
Filesize
310KB

MD5
220e9238b05cb802d63f7d79d11b2a32

SHA1
77324ddee92b5ee1c2d50680ea15dd6e28ef402b

SHA256
248d8893d926c765d168bd48211650094dbcf8a8988c448f3b271c41bec8ca9d

SHA512
748f9149ceaa46789938d66a87dad5c92a9beea65a7c84c07fa42378fdee70b1340d777fcfc78efcd85254660fd4a858fe10bd83464564cde7b12c01ebbcdb7a

Download Submit
memory/1208-54-0x000007FEFBA21000-0x000007FEFBA23000-memory.dmp

Filesize
8KB

Download
memory/1376-55-0x0000000000000000-mapping.dmp

Download
memory/1376-57-0x000007FEF3C60000-0x000007FEF4683000-memory.dmp

Filesize
10.1MB

Download
memory/1376-58-0x000007FEF3100000-0x000007FEF3C5D000-memory.dmp

Filesize
11.4MB

Download
memory/1376-59-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/1376-60-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/1376-62-0x00000000025AB000-0x00000000025CA000-memory.dmp

Filesize
124KB

Download
memory/1376-63-0x00000000024B0000-0x00000000024C5000-memory.dmp

Filesize
84KB

Download
memory/1376-64-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/1376-65-0x00000000025AB000-0x00000000025CA000-memory.dmp

Filesize
124KB

Download
memory/1376-66-0x00000000029A0000-0x00000000029B2000-memory.dmp

Filesize
72KB

Download