asyncrat | 3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2

General

Target

3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe
Size

417KB
MD5

eba584dbe102dea11a92683e90bc5306
SHA1

3ec661ea74194a24a1468ea932c0f658bdf1080c
SHA256

3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2
SHA512

6d1f7874809b1416be371be2dbeefa79e0ecbaf782a2800c4a6b6537ef408d3f1c6d13842937dd055e5941d31d3884348d69d0d25a545e43bcd67e6ecadea4e1
SSDEEP

12288:NomltV+kni0u8wHEnjQHyUjCa9q9Zsdk:pKFHXj/9q9KS

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

0.tcp.ngrok.io:6032

Mutex

Asyn♦cMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1608-63-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1608-64-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1608-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1608-66-0x000000000040D07E-mapping.dmp	asyncrat
behavioral1/memory/1608-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1608-70-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe

description	pid	process	target process
PID 1480 set thread context of 1608	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1876 schtasks.exe

pid	process
1876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe

pid	process
1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe
1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe

description pid process

Token: SeDebugPrivilege 1480 3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe

description	pid	process
Token: SeDebugPrivilege	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe

description	pid	process	target process
PID 1480 wrote to memory of 1876	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	schtasks.exe
PID 1480 wrote to memory of 1876	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	schtasks.exe
PID 1480 wrote to memory of 1876	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	schtasks.exe
PID 1480 wrote to memory of 1876	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	schtasks.exe
PID 1480 wrote to memory of 1608	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	MSBuild.exe
PID 1480 wrote to memory of 1608	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	MSBuild.exe
PID 1480 wrote to memory of 1608	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	MSBuild.exe
PID 1480 wrote to memory of 1608	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	MSBuild.exe
PID 1480 wrote to memory of 1608	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	MSBuild.exe
PID 1480 wrote to memory of 1608	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	MSBuild.exe
PID 1480 wrote to memory of 1608	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	MSBuild.exe
PID 1480 wrote to memory of 1608	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	MSBuild.exe
PID 1480 wrote to memory of 1608	1480	3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe
"C:\Users\Admin\AppData\Local\Temp\3a617a7952e9ea3f03052844e4ed2e0262c937d5c62de5e1753ec23dbde3e4a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QxJiZoTYrf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D32.tmp"
2⤵
- Creates scheduled task(s)
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
2⤵
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1D32.tmp
Filesize
1KB

MD5
be66e3625568e5899701b1009b8935d5

SHA1
4d3da312d2a9303e177829015bc60ebbf9bd1047

SHA256
2b1dcb73c4871e3e853181f6caacd3c23dca08630d946b2eacc5d9ca7be1239f

SHA512
4ab7b35475afe81b833d0385adba1b3a75f98d253e217a987d1c4d3680c1f55bfd048fadfb87e734022fb8c1dcbf2fe3747639e31e1f6885adb4e02ed5596100

Download Submit
memory/1480-55-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download
memory/1480-56-0x0000000001DC0000-0x0000000001DD2000-memory.dmp

Filesize
72KB

Download
memory/1480-57-0x0000000000550000-0x000000000058E000-memory.dmp

Filesize
248KB

Download
memory/1480-54-0x00000000002B0000-0x0000000000320000-memory.dmp

Filesize
448KB

Download
memory/1608-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1608-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1608-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1608-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1608-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1608-66-0x000000000040D07E-mapping.dmp

Download
memory/1608-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1608-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1876-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads