asyncrat | f6d5ea83aaaf2ca9a161157d1c87697bbeed9818c3d148dd1ef421884637cf36

General

Target

399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe
Size

14.7MB
MD5

2cbd5d9d43c5c49f0580975e9e620808
SHA1

17e209b6d6c66882ed78a40d7e0d211760b489a0
SHA256

399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403
SHA512

26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812
SSDEEP

196608:X0hLU8m9T9crlNBd8Sbrlzg0IzM7djVK2:khA595q38SbBs0IzM3

Score

10^/10

asyncrat system guard runtime rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

C2

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/268-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/268-64-0x000000000040D0EE-mapping.dmp	asyncrat
behavioral1/memory/268-61-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/268-66-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/268-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1532-80-0x000000000040D0EE-mapping.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe

pid process

1040 399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe

pid	process
1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe

description	pid	process	target process
PID 1752 set thread context of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 set thread context of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe

description	pid	process
Token: SeDebugPrivilege	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe
Token: SeDebugPrivilege	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exetaskeng.exe399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe

description	pid	process	target process
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1752 wrote to memory of 268	1752	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1956 wrote to memory of 1040	1956	taskeng.exe	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe
PID 1956 wrote to memory of 1040	1956	taskeng.exe	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe
PID 1956 wrote to memory of 1040	1956	taskeng.exe	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe
PID 1956 wrote to memory of 1040	1956	taskeng.exe	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe
PID 1040 wrote to memory of 1532	1040	399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe
"C:\Users\Admin\AppData\Local\Temp\399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:268

C:\Windows\system32\taskeng.exe
taskeng.exe {AA402CD5-97AD-446C-A010-8032BB2784B3} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe
C:\Users\Admin\AppData\Local\Temp\399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
memory/268-59-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-64-0x000000000040D0EE-mapping.dmp

Download
memory/268-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/268-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1040-70-0x0000000000000000-mapping.dmp

Download
memory/1040-72-0x0000000000380000-0x0000000001230000-memory.dmp

Filesize
14.7MB

Download
memory/1532-80-0x000000000040D0EE-mapping.dmp

Download
memory/1752-54-0x0000000000330000-0x00000000011E0000-memory.dmp

Filesize
14.7MB

Download
memory/1752-56-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1752-57-0x0000000005820000-0x00000000058BC000-memory.dmp

Filesize
624KB

Download
memory/1752-55-0x0000000007D90000-0x0000000007F56000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads