asyncrat | 198886528a13c0f7f03536bac4a5c449d3b21131887efa7595c9e9a56a2cfc0e

Analysis

max time kernel
44s
max time network
146s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f559c085934e6e7d98e6d520684196eb.exe
Size

45KB
MD5

f559c085934e6e7d98e6d520684196eb
SHA1

3a829e2faeaa5a48556770cc159a4e291a91a9c3
SHA256

198886528a13c0f7f03536bac4a5c449d3b21131887efa7595c9e9a56a2cfc0e
SHA512

7451ae89f1df93613069ea4056d9f23b1d8c71636487ee888b39e7887181b03c2f7183673468ead5fec2d0c50396b6545a623e6627a88f0268a68bab47d67f79
SSDEEP

768:SubrdT5UohzWUfpdBmo2qV6KjGKG6PIyzjbFgX3iUqaPkMapBDZHx:SubrdT5Pf2FKYDy3bCXSUqQE3dHx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:51115

127.0.0.1:26993

127.0.0.1:19624

185.246.220.26:6606

185.246.220.26:7707

185.246.220.26:8808

185.246.220.26:51115

185.246.220.26:26993

185.246.220.26:19624

5.tcp.ngrok.io:6606

5.tcp.ngrok.io:7707

5.tcp.ngrok.io:8808

5.tcp.ngrok.io:51115

5.tcp.ngrok.io:26993

5.tcp.ngrok.io:19624

disownnet.duckdns.org:6606

disownnet.duckdns.org:7707

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
services.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1280-54-0x0000000000D60000-0x0000000000D72000-memory.dmp	asyncrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f559c085934e6e7d98e6d520684196eb.exe

description pid process

Token: SeDebugPrivilege 1280 f559c085934e6e7d98e6d520684196eb.exe

description	pid	process
Token: SeDebugPrivilege	1280	f559c085934e6e7d98e6d520684196eb.exe

C:\Users\Admin\AppData\Local\Temp\f559c085934e6e7d98e6d520684196eb.exe
"C:\Users\Admin\AppData\Local\Temp\f559c085934e6e7d98e6d520684196eb.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1280-54-0x0000000000D60000-0x0000000000D72000-memory.dmp

Filesize
72KB

Download
memory/1280-55-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download