asyncrat | 680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765

Analysis

max time kernel
146s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe
Size

389KB
MD5

5e5057f51b2b340aeff3a0a60a4f85d6
SHA1

74444082c9ab79db48b43dbd96c0510e0bf67031
SHA256

680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765
SHA512

c1eed5839f4086c074de51ed4646734797b5f7f937d5adcf431d72afc58caef126c0841b59ca2f95c27d60e62ba25ba79e944ff7fe5feefa2ab5d32d9f4e508f
SSDEEP

12288:/iVKKd7YHvLgUYm7UW9uJQaSBOM8L/7DrGYQYXcLMoIq:/iVKKd7IvLgUYm7b9uJ7fM8r7HGd15

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:81

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1516-56-0x0000000000480000-0x0000000000492000-memory.dmp	asyncrat

Modifies registry class 5 IoCs

Processes:

680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{49007000-3200-3500-4800-7A0045004E00}\1 = "wrdGAVlUfAJ0VuYt6OVTjqvKZekr3LNO2fIv45OSkWFPgH3lEWWSIHu07puKBFRiXZ2WnJ7foY2JDOnjCHtSIoDRtKN2+NABHgve/fT5jRAhhq5knOPEmvPuLz9w4p10E1v3UrTRp+DJNMZOc+t6Zk3xG4SaVH6oFmnyc5bMX6MUTWDP3UglQ5Txtv0KJL5t"	680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{63004100-5700-5A00-6E00-630069006C00}	680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID	680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{63004100-5700-5A00-6E00-630069006C00}\1 = "MNf0Yy49451orla+c0GDaTY+zFf0VE1nlfiyp0kmNNMh0xFrxAyI4uQsjoH5bWiujCCOSbowf1oNKPxKcXdNYi19x8jWUvdemTwC2iVDtCPVIZS0dji17rPTL+Z9E4AxZrIAVhlH33QbPmzRNHgbpOim6C+YXqXwhoEUKfaUifzL/0eCGSrPz8druezOOKqwqz56LOX5kwT2XzCXoNhDc4AW4+FknNa4Ry5sv6b19hASzgCglDI3SQ2on4ZPrX25+uYQWilIBBA8ieqzcDeBrrK/0U9xkVD7OKcxE8lG4LcbOX5jwxgZYEZ8am4TeVNFgxYENWrCQvip5KwagCydHkxR6cNTLzbSDH22/qkANdpUk8pQMWCSsCWbHm2wKWhXlnXxmPkcLbUxWUrqIkNllEWkbDuWRFUC6otHAJVfJqSpG1kADj536o0X/+ahYeC02byrg3QXK8ffjW4BQmX6ag=="	680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CID\{49007000-3200-3500-4800-7A0045004E00}	680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe

NTFS ADS 6 IoCs

Processes:

680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp:{63004100-5700-5A00-6E00-630069006C00}	680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe
File created	C:\Users\Admin\Documents\My Music:{63004100-5700-5A00-6E00-630069006C00}	680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe
File created	C:\MSOCache:{63004100-5700-5A00-6E00-630069006C00}	680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe
File created	C:\Users\Admin\AppData\Local\Temp:{49007000-3200-3500-4800-7A0045004E00}	680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe
File created	C:\Users\Admin\Documents\My Music:{49007000-3200-3500-4800-7A0045004E00}	680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe
File created	C:\MSOCache:{49007000-3200-3500-4800-7A0045004E00}	680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe

C:\Users\Admin\AppData\Local\Temp\680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe
"C:\Users\Admin\AppData\Local\Temp\680dae64f8ef7393f9c4ed1970fbdf921cf7bf7917237a89ab8720146ed9b765.exe"
1⤵
- Modifies registry class
- NTFS ADS
PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1516-54-0x0000000000140000-0x00000000001AA000-memory.dmp

Filesize
424KB

Download
memory/1516-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1516-56-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download