asyncrat | 15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565

General

Target

15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe
Size

160KB
MD5

d32f06aa276a1ef87396ca0692f74214
SHA1

60f910d6a81e4978a803ad6e5388afb21a435a9a
SHA256

15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565
SHA512

e8b07c4321c1173d5d9ea591bd4ac59047a77843439c59b841ffc92657074ad1a12f4fc0aa9098e514777356c31d57f1fb124effc6f6b8505c5153ea48bae4f7
SSDEEP

3072:p9ywHtYCIHfecjxrW4l248V3FMrF4MdFU0ohs8:NHtYjfrCVdKrLTU0o

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

chinasea.duckdns.org:5201

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2168-140-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systhhdfhsdem.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systhhdfhsdem.exe	Powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe

description	pid	process	target process
PID 4436 set thread context of 2168	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exePowershell.exe

pid	process
4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe
4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe
4184	Powershell.exe
4184	Powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exePowershell.exe

description	pid	process
Token: SeDebugPrivilege	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe
Token: SeDebugPrivilege	4184	Powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe

description	pid	process	target process
PID 4436 wrote to memory of 4184	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	Powershell.exe
PID 4436 wrote to memory of 4184	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	Powershell.exe
PID 4436 wrote to memory of 4184	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	Powershell.exe
PID 4436 wrote to memory of 4424	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe
PID 4436 wrote to memory of 4424	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe
PID 4436 wrote to memory of 4424	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe
PID 4436 wrote to memory of 2168	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe
PID 4436 wrote to memory of 2168	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe
PID 4436 wrote to memory of 2168	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe
PID 4436 wrote to memory of 2168	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe
PID 4436 wrote to memory of 2168	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe
PID 4436 wrote to memory of 2168	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe
PID 4436 wrote to memory of 2168	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe
PID 4436 wrote to memory of 2168	4436	15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe
"C:\Users\Admin\AppData\Local\Temp\15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\15ec1422db74fb41b7d086c608055aa1c3f9bb15fd5c3bfb40412f03d3eba565.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Systhhdfhsdem.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:4424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:2168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-139-0x0000000000000000-mapping.dmp

Download
memory/2168-140-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4184-136-0x0000000002F00000-0x0000000002F36000-memory.dmp

Filesize
216KB

Download
memory/4184-144-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/4184-147-0x0000000006DE0000-0x0000000006E02000-memory.dmp

Filesize
136KB

Download
memory/4184-137-0x0000000005A10000-0x0000000006038000-memory.dmp

Filesize
6.2MB

Download
memory/4184-146-0x0000000006D80000-0x0000000006D9A000-memory.dmp

Filesize
104KB

Download
memory/4184-145-0x0000000007870000-0x0000000007906000-memory.dmp

Filesize
600KB

Download
memory/4184-135-0x0000000000000000-mapping.dmp

Download
memory/4184-141-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/4184-142-0x0000000006140000-0x00000000061A6000-memory.dmp

Filesize
408KB

Download
memory/4184-143-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/4424-138-0x0000000000000000-mapping.dmp

Download
memory/4436-133-0x0000000005240000-0x00000000057E4000-memory.dmp

Filesize
5.6MB

Download
memory/4436-134-0x0000000004C90000-0x0000000004D2C000-memory.dmp

Filesize
624KB

Download
memory/4436-132-0x0000000000220000-0x000000000024E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads