asyncrat | 995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622

General

Target

995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622.exe
Size

47KB
MD5

dfc1d2be8746faa1cd9c78f0a82f555c
SHA1

0413e787dffd86ce159cf722f313ba60b8d3e10e
SHA256

995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622
SHA512

f6e4308ce753970125c45fad1ff600d53318a63a9cebf90e5c01921e52d3fe76dcaad8489061bbf2b55ba5b3a73fc3ea317325e595bbe1067dfb0bb05e48afca
SSDEEP

768:/uAgtT3nsubWUn1qwmo2qB8oN+1vPIPRnsbwGL0bWKU6KcqKQ0na1TWBX7tTSBD/:/uAgtT3s42u+qPRtbWMeUauJodnx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

5.188.86.237:6606

5.188.86.237:7707

5.188.86.237:8808

Mutex

mFSq#1^fdgSq#78

Attributes

delay
15
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/956-54-0x0000000000310000-0x0000000000322000-memory.dmp	asyncrat

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F036A9F42D77B20924E7C465BE02340804B909BB\Blob = 190000000100000010000000fdac2220a1b72b723adeaafd6c8604b90f00000001000000200000001a85371bd992072035ad7a40601b3f7a40eeb658689d110f972a7a361e435a90030000000100000014000000f036a9f42d77b20924e7c465be02340804b909bb1400000001000000140000009f4953d60ac46d12745d0b07dc4d94f1e20dbce82000000001000000f9020000308202f5308201dda00302010202106cdcfa4484b297ff3b9ddee3424ac982300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232313131363136303030305a170d3237313131353136303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b4511c91d42699857d5b4060c483aed56a3a69652f31590f972a829ed72a78530a8e0aa33a09e8846b17b0b1f05f49a54eaa57dea663b7119deafaea80b2a9458c80cee8ef7b8fc88c9e135fdfbf7939ba83852f462cb29c302e175f3ed78e1a79d5baf148c26b3d03e9ca0cba4af8af7d518206ac727a8eea2f14e7557f3b894a3cf5a908d73e62e057da0ecb39f9f582ccb65d2e928faeddf638b95a379999017d1f625296e92b43695ac42a65c3ba2bfa70e3b25bd67ca34c3a88671dc41cf61cc039349f859a2470f92e08512cbd6769b6a689939c46ef596babce686d71a3457590667359d657c6b9db598b08ba24069e305d1209a638b4ae1115bf295f0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149f4953d60ac46d12745d0b07dc4d94f1e20dbce8300d06092a864886f70d01010b050003820101007c8f0197657590de8652d0e6b9895e9740549ae9bd9cd2fca8d8bdea30602d89e581d95ecaf618adb22e97b00de3147034a9a6e140bb8a5e1fe8c5c42071f5f6d81fbe108ecf18d5bba3429620bb213b41a3a4f832ba409f68a342d51d320994130ddb1a679e05813cccdc9872a4b4515c4b0966d179758bc70418bafb556cbd1afd24d63f2daf6712490a0a4e0cc2c34c5fe2012f32d4917365084f3615ca2696cf0868dd119491cfd4f6aa725b40aab88fffa2778b599bb73871b7d3e066f29227f7994ecbba2a820fa29df3f657183a2a5a2fbe74eede68a9f3b5166bc33d4b587757699f7f026f84cfd3fe5f0be1722aad6e690ffa7ab4c4d13f15ede1ac	995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F036A9F42D77B20924E7C465BE02340804B909BB	995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F036A9F42D77B20924E7C465BE02340804B909BB\Blob = 0f00000001000000200000001a85371bd992072035ad7a40601b3f7a40eeb658689d110f972a7a361e435a90030000000100000014000000f036a9f42d77b20924e7c465be02340804b909bb2000000001000000f9020000308202f5308201dda00302010202106cdcfa4484b297ff3b9ddee3424ac982300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232313131363136303030305a170d3237313131353136303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b4511c91d42699857d5b4060c483aed56a3a69652f31590f972a829ed72a78530a8e0aa33a09e8846b17b0b1f05f49a54eaa57dea663b7119deafaea80b2a9458c80cee8ef7b8fc88c9e135fdfbf7939ba83852f462cb29c302e175f3ed78e1a79d5baf148c26b3d03e9ca0cba4af8af7d518206ac727a8eea2f14e7557f3b894a3cf5a908d73e62e057da0ecb39f9f582ccb65d2e928faeddf638b95a379999017d1f625296e92b43695ac42a65c3ba2bfa70e3b25bd67ca34c3a88671dc41cf61cc039349f859a2470f92e08512cbd6769b6a689939c46ef596babce686d71a3457590667359d657c6b9db598b08ba24069e305d1209a638b4ae1115bf295f0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149f4953d60ac46d12745d0b07dc4d94f1e20dbce8300d06092a864886f70d01010b050003820101007c8f0197657590de8652d0e6b9895e9740549ae9bd9cd2fca8d8bdea30602d89e581d95ecaf618adb22e97b00de3147034a9a6e140bb8a5e1fe8c5c42071f5f6d81fbe108ecf18d5bba3429620bb213b41a3a4f832ba409f68a342d51d320994130ddb1a679e05813cccdc9872a4b4515c4b0966d179758bc70418bafb556cbd1afd24d63f2daf6712490a0a4e0cc2c34c5fe2012f32d4917365084f3615ca2696cf0868dd119491cfd4f6aa725b40aab88fffa2778b599bb73871b7d3e066f29227f7994ecbba2a820fa29df3f657183a2a5a2fbe74eede68a9f3b5166bc33d4b587757699f7f026f84cfd3fe5f0be1722aad6e690ffa7ab4c4d13f15ede1ac	995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F036A9F42D77B20924E7C465BE02340804B909BB\Blob = 1400000001000000140000009f4953d60ac46d12745d0b07dc4d94f1e20dbce8030000000100000014000000f036a9f42d77b20924e7c465be02340804b909bb0f00000001000000200000001a85371bd992072035ad7a40601b3f7a40eeb658689d110f972a7a361e435a902000000001000000f9020000308202f5308201dda00302010202106cdcfa4484b297ff3b9ddee3424ac982300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232313131363136303030305a170d3237313131353136303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b4511c91d42699857d5b4060c483aed56a3a69652f31590f972a829ed72a78530a8e0aa33a09e8846b17b0b1f05f49a54eaa57dea663b7119deafaea80b2a9458c80cee8ef7b8fc88c9e135fdfbf7939ba83852f462cb29c302e175f3ed78e1a79d5baf148c26b3d03e9ca0cba4af8af7d518206ac727a8eea2f14e7557f3b894a3cf5a908d73e62e057da0ecb39f9f582ccb65d2e928faeddf638b95a379999017d1f625296e92b43695ac42a65c3ba2bfa70e3b25bd67ca34c3a88671dc41cf61cc039349f859a2470f92e08512cbd6769b6a689939c46ef596babce686d71a3457590667359d657c6b9db598b08ba24069e305d1209a638b4ae1115bf295f0203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149f4953d60ac46d12745d0b07dc4d94f1e20dbce8300d06092a864886f70d01010b050003820101007c8f0197657590de8652d0e6b9895e9740549ae9bd9cd2fca8d8bdea30602d89e581d95ecaf618adb22e97b00de3147034a9a6e140bb8a5e1fe8c5c42071f5f6d81fbe108ecf18d5bba3429620bb213b41a3a4f832ba409f68a342d51d320994130ddb1a679e05813cccdc9872a4b4515c4b0966d179758bc70418bafb556cbd1afd24d63f2daf6712490a0a4e0cc2c34c5fe2012f32d4917365084f3615ca2696cf0868dd119491cfd4f6aa725b40aab88fffa2778b599bb73871b7d3e066f29227f7994ecbba2a820fa29df3f657183a2a5a2fbe74eede68a9f3b5166bc33d4b587757699f7f026f84cfd3fe5f0be1722aad6e690ffa7ab4c4d13f15ede1ac	995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622.exe

description pid process

Token: SeDebugPrivilege 956 995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622.exe

description	pid	process
Token: SeDebugPrivilege	956	995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622.exe

C:\Users\Admin\AppData\Local\Temp\995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622.exe
"C:\Users\Admin\AppData\Local\Temp\995acc0c0b336e14634549f8b106f5e527064e7acad6ee2b559b506ecedfb622.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-54-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/956-55-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing