asyncrat | ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80

General

Target

ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe
Size

507KB
MD5

dcbd5c74983063308220a5fe8426dad7
SHA1

6bcb87b9c97ae777c35ba6f0c3171bc056935714
SHA256

ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80
SHA512

238d3c4978707dbd5060c18c8b83b91c1aa9e4649430a3116570265e89b7bd0f5ebbe2820267c4e78bf726b48398b0175a44bba6d3b28d73e6689768b1d90d79
SSDEEP

12288:5hqxSLo5C1Ps4XhitX+t498svkg44SDxSECrtIf0:5HLmCiIhiXzkg44SDMECrKM

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

v13cracker.ddns.net:6606

Mutex

&&pLO91K^RG#!P72IIrjkU^kv9qPNuvKBnGN5#l8^5a9kN9jA9

Attributes

delay
3
install
false
install_file
system.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\PERICO.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\PERICO.exe	asyncrat
behavioral2/memory/2192-140-0x00000000006C0000-0x00000000006D2000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

ee.exePERICO.exe

pid process

2548 ee.exe
2192 PERICO.exe

pid	process
2548	ee.exe
2192	PERICO.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exeee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.execmd.exeee.exe

description	pid	process	target process
PID 4152 wrote to memory of 1448	4152	ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe	cmd.exe
PID 4152 wrote to memory of 1448	4152	ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe	cmd.exe
PID 4152 wrote to memory of 1448	4152	ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe	cmd.exe
PID 1448 wrote to memory of 2548	1448	cmd.exe	ee.exe
PID 1448 wrote to memory of 2548	1448	cmd.exe	ee.exe
PID 1448 wrote to memory of 2548	1448	cmd.exe	ee.exe
PID 2548 wrote to memory of 2192	2548	ee.exe	PERICO.exe
PID 2548 wrote to memory of 2192	2548	ee.exe	PERICO.exe
PID 2548 wrote to memory of 2192	2548	ee.exe	PERICO.exe

C:\Users\Admin\AppData\Local\Temp\ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe
"C:\Users\Admin\AppData\Local\Temp\ecce569ab37bb81362c33374e867303b5927689ad15a54a88e6013a3b85c1d80.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pan.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\ee.exe
ee.exe -plexe -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Local\Temp\PERICO.exe
"C:\Users\Admin\AppData\Local\Temp\PERICO.exe"
4⤵
- Executes dropped EXE
PID:2192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PERICO.exe
Filesize
45KB

MD5
5dad596213c35c415955e7cf0206a903

SHA1
14008918a346472a3ab74df5449039c8f2ce99cc

SHA256
778d0168edf4e3d03772d0fbc9e00b59c3e34031d2ebcff8e95b9533afda4e7d

SHA512
c1eee7899a7ac62b64674d2aa6c862a56a38d3667342725faaa9575735499d828757cdcf0bfec3fd0b48bb076e3eba17a2ec856b5d343f416dbbbc8d419192d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PERICO.exe
Filesize
45KB

MD5
5dad596213c35c415955e7cf0206a903

SHA1
14008918a346472a3ab74df5449039c8f2ce99cc

SHA256
778d0168edf4e3d03772d0fbc9e00b59c3e34031d2ebcff8e95b9533afda4e7d

SHA512
c1eee7899a7ac62b64674d2aa6c862a56a38d3667342725faaa9575735499d828757cdcf0bfec3fd0b48bb076e3eba17a2ec856b5d343f416dbbbc8d419192d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee.exe
Filesize
343KB

MD5
fbae2a2bf4ceda0dfde6df65eb49bef2

SHA1
1fffb3b743e2dc9845d160bad258e3ae68423b01

SHA256
caed3b8ea321af9a4bb58624b3f7a4c2da846808a018ed21985b0b7fd005c318

SHA512
1eeabd0c87690e97c6df6b0774f36429334ab45eaa14fc73c841606447ee72dd546b60e97806980d26eba1d7ff4093d234e6c1b8703eddda6128690e55ecd1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee.exe
Filesize
343KB

MD5
fbae2a2bf4ceda0dfde6df65eb49bef2

SHA1
1fffb3b743e2dc9845d160bad258e3ae68423b01

SHA256
caed3b8ea321af9a4bb58624b3f7a4c2da846808a018ed21985b0b7fd005c318

SHA512
1eeabd0c87690e97c6df6b0774f36429334ab45eaa14fc73c841606447ee72dd546b60e97806980d26eba1d7ff4093d234e6c1b8703eddda6128690e55ecd1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pan.bat
Filesize
22B

MD5
604cbba2d09ea0f8fdaa4e8610023a86

SHA1
d792b17505c6bf6be6b52dc87d31995fdf200f68

SHA256
ba080a72ba0ed23e6ce7777e2c805b2b2f862a8f622be829526796ee972acf25

SHA512
71a884276edd6a1ce174a6730467aa71faa39300c6040ab16bf85a067ee7eb751c07507d921083ae3f4273514279d5be28acc3c15636519accfd4349f39bfad8

Download Submit
memory/1448-132-0x0000000000000000-mapping.dmp

Download
memory/2192-137-0x0000000000000000-mapping.dmp

Download
memory/2192-140-0x00000000006C0000-0x00000000006D2000-memory.dmp

Filesize
72KB

Download
memory/2548-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads