asyncrat | 1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4

Analysis

max time kernel
184s
max time network
94s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe
Size

507KB
MD5

d8851e861c60745223c8545d327e7c02
SHA1

68a2772a8750ac4ce84b206c6a79502a4864743a
SHA256

1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4
SHA512

528b54ecacc6f7b01a47d0404b960dfd0d3270131ef0744c067126714052c3e05d7e9d9ee377e72e333822a8d3b76634ef6f33f5d8882d6aced483b88d3a0520
SSDEEP

12288:5hqxSLo5C1Ps4XhitX+t498qkgj4SRW+ftfeGF034r+:5HLmCiIhiX6A4S9ft2BIr+

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

v13cracker.ddns.net:6606

Mutex

&&pLO91K^RG#!P72IIrjkU^kv9qPNuvKBnGN5#l8^5a9kN9jA9

Attributes

delay
3
install
false
install_file
system.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jp.exe	asyncrat
\Users\Admin\AppData\Local\Temp\jp.exe	asyncrat
\Users\Admin\AppData\Local\Temp\jp.exe	asyncrat
\Users\Admin\AppData\Local\Temp\jp.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\jp.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\jp.exe	asyncrat
behavioral1/memory/1772-69-0x00000000000B0000-0x00000000000C2000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

jpg.exejp.exe

pid process

520 jpg.exe
1772 jp.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exejpg.exe

pid process

580 cmd.exe
520 jpg.exe
520 jpg.exe
520 jpg.exe
520 jpg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
520	jpg.exe
1772	jp.exe

pid	process
580	cmd.exe
520	jpg.exe
520	jpg.exe
520	jpg.exe
520	jpg.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.execmd.exejpg.exe

description	pid	process	target process
PID 1144 wrote to memory of 580	1144	1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe	cmd.exe
PID 1144 wrote to memory of 580	1144	1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe	cmd.exe
PID 1144 wrote to memory of 580	1144	1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe	cmd.exe
PID 1144 wrote to memory of 580	1144	1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe	cmd.exe
PID 580 wrote to memory of 520	580	cmd.exe	jpg.exe
PID 580 wrote to memory of 520	580	cmd.exe	jpg.exe
PID 580 wrote to memory of 520	580	cmd.exe	jpg.exe
PID 580 wrote to memory of 520	580	cmd.exe	jpg.exe
PID 520 wrote to memory of 1772	520	jpg.exe	jp.exe
PID 520 wrote to memory of 1772	520	jpg.exe	jp.exe
PID 520 wrote to memory of 1772	520	jpg.exe	jp.exe
PID 520 wrote to memory of 1772	520	jpg.exe	jp.exe

C:\Users\Admin\AppData\Local\Temp\1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe
"C:\Users\Admin\AppData\Local\Temp\1f349eb4f2907662b86d1f94cea26d2857e8728ef13228cd7cf48c367ba118a4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\an.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Local\Temp\jpg.exe
jpg.exe -pjavipg* -dC:\Users\Admin\AppData\Local\Temp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\jp.exe
"C:\Users\Admin\AppData\Local\Temp\jp.exe"
4⤵
- Executes dropped EXE
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\an.bat
Filesize
26B

MD5
e7b6794b26ecbf0b80a8fb738e821998

SHA1
cf0fe55901d197d94148b50c4cec4a21dbfd61c4

SHA256
9516c358b7468f8796a275f7f8cc47398f74ac8711d8d2c8e7f40c44ffe3c6e9

SHA512
d25dca72d5d35c537d56124fab49519de5272a1993c9cea4ce02f3327e80b29e650138594f2b5967825d080ebff16e25ddf4a331ef5cd6d859efc7b52faf41ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\jp.exe
Filesize
45KB

MD5
423bed330652033effb3a81b85a6002e

SHA1
64dc00d9c943bfb796f443b7161ee5f37318fef5

SHA256
6a420a2236fd1f7286217ec66a0bc5f269ae8d4e4b31506209fecefb811e43d7

SHA512
47cdcce48f8aa3654eadc41d3383c0a9726765ea7fe1ed2a03c1f2d0f1102096615b8afab929147387f938b4bb027b72d8bf946e956b862942e7986f9ddfa992

Download Submit
C:\Users\Admin\AppData\Local\Temp\jp.exe
Filesize
45KB

MD5
423bed330652033effb3a81b85a6002e

SHA1
64dc00d9c943bfb796f443b7161ee5f37318fef5

SHA256
6a420a2236fd1f7286217ec66a0bc5f269ae8d4e4b31506209fecefb811e43d7

SHA512
47cdcce48f8aa3654eadc41d3383c0a9726765ea7fe1ed2a03c1f2d0f1102096615b8afab929147387f938b4bb027b72d8bf946e956b862942e7986f9ddfa992

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpg.exe
Filesize
343KB

MD5
1399db959053a18752efaea98959d26b

SHA1
0420ffd1c1cc8ddfb3afc662b96eed1aedb0fdd3

SHA256
5587ef2ef4c44df541dce9134336b25c2641ef5dc4e014794a31dccedc6900e3

SHA512
37310b82022cc4c5a62fca7102d281b4d183dd30cf2221f1d0a40bf74bdbf634a60c8e7c05df9ad762ebe74fc1fa289482e9475d2c4d1f661452c2a57c51e1d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpg.exe
Filesize
343KB

MD5
1399db959053a18752efaea98959d26b

SHA1
0420ffd1c1cc8ddfb3afc662b96eed1aedb0fdd3

SHA256
5587ef2ef4c44df541dce9134336b25c2641ef5dc4e014794a31dccedc6900e3

SHA512
37310b82022cc4c5a62fca7102d281b4d183dd30cf2221f1d0a40bf74bdbf634a60c8e7c05df9ad762ebe74fc1fa289482e9475d2c4d1f661452c2a57c51e1d4

Download Submit
\Users\Admin\AppData\Local\Temp\jp.exe
Filesize
45KB

MD5
423bed330652033effb3a81b85a6002e

SHA1
64dc00d9c943bfb796f443b7161ee5f37318fef5

SHA256
6a420a2236fd1f7286217ec66a0bc5f269ae8d4e4b31506209fecefb811e43d7

SHA512
47cdcce48f8aa3654eadc41d3383c0a9726765ea7fe1ed2a03c1f2d0f1102096615b8afab929147387f938b4bb027b72d8bf946e956b862942e7986f9ddfa992

Download Submit
\Users\Admin\AppData\Local\Temp\jp.exe
Filesize
45KB

MD5
423bed330652033effb3a81b85a6002e

SHA1
64dc00d9c943bfb796f443b7161ee5f37318fef5

SHA256
6a420a2236fd1f7286217ec66a0bc5f269ae8d4e4b31506209fecefb811e43d7

SHA512
47cdcce48f8aa3654eadc41d3383c0a9726765ea7fe1ed2a03c1f2d0f1102096615b8afab929147387f938b4bb027b72d8bf946e956b862942e7986f9ddfa992

Download Submit
\Users\Admin\AppData\Local\Temp\jp.exe
Filesize
45KB

MD5
423bed330652033effb3a81b85a6002e

SHA1
64dc00d9c943bfb796f443b7161ee5f37318fef5

SHA256
6a420a2236fd1f7286217ec66a0bc5f269ae8d4e4b31506209fecefb811e43d7

SHA512
47cdcce48f8aa3654eadc41d3383c0a9726765ea7fe1ed2a03c1f2d0f1102096615b8afab929147387f938b4bb027b72d8bf946e956b862942e7986f9ddfa992

Download Submit
\Users\Admin\AppData\Local\Temp\jp.exe
Filesize
45KB

MD5
423bed330652033effb3a81b85a6002e

SHA1
64dc00d9c943bfb796f443b7161ee5f37318fef5

SHA256
6a420a2236fd1f7286217ec66a0bc5f269ae8d4e4b31506209fecefb811e43d7

SHA512
47cdcce48f8aa3654eadc41d3383c0a9726765ea7fe1ed2a03c1f2d0f1102096615b8afab929147387f938b4bb027b72d8bf946e956b862942e7986f9ddfa992

Download Submit
\Users\Admin\AppData\Local\Temp\jpg.exe
Filesize
343KB

MD5
1399db959053a18752efaea98959d26b

SHA1
0420ffd1c1cc8ddfb3afc662b96eed1aedb0fdd3

SHA256
5587ef2ef4c44df541dce9134336b25c2641ef5dc4e014794a31dccedc6900e3

SHA512
37310b82022cc4c5a62fca7102d281b4d183dd30cf2221f1d0a40bf74bdbf634a60c8e7c05df9ad762ebe74fc1fa289482e9475d2c4d1f661452c2a57c51e1d4

Download Submit
memory/520-59-0x0000000000000000-mapping.dmp

Download
memory/580-55-0x0000000000000000-mapping.dmp

Download
memory/1144-54-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/1772-66-0x0000000000000000-mapping.dmp

Download
memory/1772-69-0x00000000000B0000-0x00000000000C2000-memory.dmp

Filesize
72KB

Download