asyncrat | 95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78

General

Target

95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe
Size

258KB
MD5

1985c36cdbb06273876e5f31f9b9366b
SHA1

74f30afdca2c62a8ff593e8fa255e26a718bbaed
SHA256

95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78
SHA512

71f8d5d27d70e2a9cdca9a9955f907496a227061bc79b7ba6ba0681fa700c4762d0ac8f6a50cb8246f94a3ac305e58dee42bbeb3646c7281b200b2d89467196e
SSDEEP

3072:vbw0rds5QHlrDAN6JajEBafUM6Wpn2WQfdwzfFFfbp6Vvgx84y/jdMM4qOLXECuc:kONrDAN6J3afwluFpHyRMR00are

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1604

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sex.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\sex.exe	asyncrat
behavioral2/memory/2688-140-0x0000000000670000-0x0000000000682000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

RunIt.exesex.exe

pid process

3444 RunIt.exe
2688 sex.exe

pid	process
3444	RunIt.exe
2688	sex.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RunIt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rnts.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Rnts.exe"	RunIt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

sex.exe

description pid process

Token: SeDebugPrivilege 2688 sex.exe
Token: SeDebugPrivilege 2688 sex.exe

description	pid	process
Token: SeDebugPrivilege	2688	sex.exe
Token: SeDebugPrivilege	2688	sex.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe

description	pid	process	target process
PID 4776 wrote to memory of 2688	4776	95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe	sex.exe
PID 4776 wrote to memory of 2688	4776	95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe	sex.exe
PID 4776 wrote to memory of 2688	4776	95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe	sex.exe
PID 4776 wrote to memory of 3444	4776	95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe	RunIt.exe
PID 4776 wrote to memory of 3444	4776	95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe	RunIt.exe
PID 4776 wrote to memory of 3444	4776	95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe	RunIt.exe

C:\Users\Admin\AppData\Local\Temp\95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe
"C:\Users\Admin\AppData\Local\Temp\95a3f149f32f979d93fb121ce69c44a0675ae7597ae1346b836a0f0ef2a08c78.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\sex.exe
"C:\Users\Admin\AppData\Local\Temp\sex.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Users\Admin\AppData\Local\Temp\RunIt.exe
"C:\Users\Admin\AppData\Local\Temp\RunIt.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RunIt.exe
Filesize
143KB

MD5
d067619856f7f3079375960f62b99369

SHA1
964d548557dec3aa8e851526b71adca4b4ddbfd5

SHA256
9770561d2a27dbc16c230fe88af51f718d7d6274fcd63a3f109c381be848b4a9

SHA512
1ec891082ac133833217ce8314f6d163451c5554b789cbf8a5ff0d5ebd0b55a7ec49ea5c408bf784e6952a37526de9e77e6c39b9a4ea3b950c3fda44e7f973b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RunIt.exe
Filesize
143KB

MD5
d067619856f7f3079375960f62b99369

SHA1
964d548557dec3aa8e851526b71adca4b4ddbfd5

SHA256
9770561d2a27dbc16c230fe88af51f718d7d6274fcd63a3f109c381be848b4a9

SHA512
1ec891082ac133833217ce8314f6d163451c5554b789cbf8a5ff0d5ebd0b55a7ec49ea5c408bf784e6952a37526de9e77e6c39b9a4ea3b950c3fda44e7f973b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sex.exe
Filesize
45KB

MD5
638cb409c295f9f8e9344253974bbee9

SHA1
0bee4c240d141f5ed41caa8cd3d4417c551240b9

SHA256
0551b731ffdcd6265f0ae3cfe686df6f5dff0d6659d022e280b4d5e88fa3cd78

SHA512
d4322b2fa2a7e8706bdc29061f1c6b08c481da300d39a24902a6ddabe58978824627e0f828c6cbd74423e9b878a15b00c739a83c4cfd4fef62f603b9bb04b97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sex.exe
Filesize
45KB

MD5
638cb409c295f9f8e9344253974bbee9

SHA1
0bee4c240d141f5ed41caa8cd3d4417c551240b9

SHA256
0551b731ffdcd6265f0ae3cfe686df6f5dff0d6659d022e280b4d5e88fa3cd78

SHA512
d4322b2fa2a7e8706bdc29061f1c6b08c481da300d39a24902a6ddabe58978824627e0f828c6cbd74423e9b878a15b00c739a83c4cfd4fef62f603b9bb04b97d

Download Submit
memory/2688-140-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2688-134-0x0000000000000000-mapping.dmp

Download
memory/2688-146-0x0000000005070000-0x00000000050D6000-memory.dmp

Filesize
408KB

Download
memory/3444-135-0x0000000000000000-mapping.dmp

Download
memory/3444-141-0x00000000003F0000-0x000000000041A000-memory.dmp

Filesize
168KB

Download
memory/3444-142-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/3444-143-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/3444-144-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/3444-145-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

Filesize
40KB

Download
memory/4776-133-0x00007FFC86D70000-0x00007FFC87831000-memory.dmp

Filesize
10.8MB

Download
memory/4776-132-0x00000000009C0000-0x0000000000A08000-memory.dmp

Filesize
288KB

Download
memory/4776-147-0x00007FFC86D70000-0x00007FFC87831000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads