asyncrat | ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

General

Target

lcomplcmpo.exe
Size

14.7MB
MD5

6f6b812c166e53dc9b52b9b60e5ed369
SHA1

e60cf5e718c030182dec6f7fbbbbf884fcdfcca1
SHA256

ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0
SHA512

8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9
SSDEEP

98304:YxPSlTK4rzJ7WH1jbqWpAFyLDEJLbYaqizJMsv2VRs7m4PDv1wmTfXlQ4ImVhwI:0PST7yxWM4nYaqilMsvkRsDCMfXZI8w

Score

10^/10

asyncrat defendersmartscren rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScren

C2

217.64.31.3:8437

Mutex

DefenderSmartScren

Attributes

delay
3
install
false
install_file
SecurityHealtheurvice.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/940-61-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/940-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/940-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/940-64-0x000000000040D06E-mapping.dmp	asyncrat
behavioral1/memory/940-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/940-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1724-80-0x000000000040D06E-mapping.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

lcomplcmpo.exe

pid process

944 lcomplcmpo.exe

pid	process
944	lcomplcmpo.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lcomplcmpo.exelcomplcmpo.exe

description	pid	process	target process
PID 1148 set thread context of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 944 set thread context of 1724	944	lcomplcmpo.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

lcomplcmpo.exelcomplcmpo.exe

description pid process

Token: SeDebugPrivilege 1148 lcomplcmpo.exe
Token: SeDebugPrivilege 944 lcomplcmpo.exe

description	pid	process
Token: SeDebugPrivilege	1148	lcomplcmpo.exe
Token: SeDebugPrivilege	944	lcomplcmpo.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

lcomplcmpo.exetaskeng.exelcomplcmpo.exe

description	pid	process	target process
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 1148 wrote to memory of 940	1148	lcomplcmpo.exe	RegAsm.exe
PID 952 wrote to memory of 944	952	taskeng.exe	lcomplcmpo.exe
PID 952 wrote to memory of 944	952	taskeng.exe	lcomplcmpo.exe
PID 952 wrote to memory of 944	952	taskeng.exe	lcomplcmpo.exe
PID 952 wrote to memory of 944	952	taskeng.exe	lcomplcmpo.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe
PID 944 wrote to memory of 1724	944	lcomplcmpo.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\lcomplcmpo.exe
"C:\Users\Admin\AppData\Local\Temp\lcomplcmpo.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:940

C:\Windows\system32\taskeng.exe
taskeng.exe {36E87865-48A0-4CCA-827B-0CC1709308FE} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\Temp\lcomplcmpo.exe
C:\Users\Admin\AppData\Local\Temp\lcomplcmpo.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lcomplcmpo.exe
Filesize
14.7MB

MD5
6f6b812c166e53dc9b52b9b60e5ed369

SHA1
e60cf5e718c030182dec6f7fbbbbf884fcdfcca1

SHA256
ffead35df6bc101476d76393619fe0a06a57d93927417d9bcf814d2e4c6b36a0

SHA512
8e8e5fe21f4b08a053255beb0f4e55f03e0114e7fa2117b8ef8320e7fd88275771394cd9a7e4237793b370f980ff7ed45a6ff78d3d97d59cd077868e7602f4b9

Download Submit
memory/940-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-64-0x000000000040D06E-mapping.dmp

Download
memory/940-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/940-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/944-70-0x0000000000000000-mapping.dmp

Download
memory/944-72-0x0000000000A20000-0x00000000018D2000-memory.dmp

Filesize
14.7MB

Download
memory/1148-54-0x0000000000110000-0x0000000000FC2000-memory.dmp

Filesize
14.7MB

Download
memory/1148-56-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1148-57-0x0000000001850000-0x00000000018EC000-memory.dmp

Filesize
624KB

Download
memory/1148-55-0x0000000007D50000-0x0000000007F16000-memory.dmp

Filesize
1.8MB

Download
memory/1724-80-0x000000000040D06E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads