asyncrat | da5eb5bceeb347021b50d99bbc43ded3e72f4ede42ee3133f9070a1bc2403581

General

Target

915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe
Size

550KB
MD5

a47355c5131e669569fd038d40ec3b30
SHA1

5c8069a1ee5a606b8c8614606e63c73abaf9d20b
SHA256

915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6
SHA512

6bad6ee4e622273fd67d369a27e8f25cffbc5e38587345cb93597ade4c58225de8245d31cf30edd6a17616b75d5d05c6e8497d4687e0a5d1ea647568bfc81a0f
SSDEEP

12288:Is7nq0Xp2iNUWgMlSYtz8L6guw4YXxtaXryOxRNAeINEFgvMIr:31bfoL342xta3N6

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.3.193.136:2023

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1384-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1384-68-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1384-69-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1384-70-0x000000000040C72E-mapping.dmp	asyncrat
behavioral1/memory/1384-72-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1384-74-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1696 set thread context of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1168	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1044	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1044	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	28
PID 1696 wrote to memory of 1044	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	28
PID 1696 wrote to memory of 1044	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	28
PID 1696 wrote to memory of 1044	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	28
PID 1696 wrote to memory of 1168	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	30
PID 1696 wrote to memory of 1168	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	30
PID 1696 wrote to memory of 1168	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	30
PID 1696 wrote to memory of 1168	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	30
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32
PID 1696 wrote to memory of 1384	1696	915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe	32

C:\Users\Admin\AppData\Local\Temp\915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe
"C:\Users\Admin\AppData\Local\Temp\915218971d799dd8d84bcf104a727d40f5bea6456ea20d93d97bcd9e771dabf6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FOIDdkTkLgtC.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FOIDdkTkLgtC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB8C5.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB8C5.tmp

Filesize
1KB

MD5
2ba5bde9c5ca6e3807a8dc5f7f3a8f59

SHA1
c4c56b989b2fd61611d25a147b6d337fd51aed7d

SHA256
1b9576dedbfe9cbf6c11c636f709de097af8552267c5bc56819606201880d0e9

SHA512
c5e1a805014a4252087a2e9173ca996af684172467f6cec0574c1336e99a54b9472a0075524921231fd2fc66597fa2e7defff2fb8168bd3b4985db7c3214afa5

Download Submit
memory/1044-76-0x000000006EE20000-0x000000006F3CB000-memory.dmp

Filesize
5.7MB

Download
memory/1044-75-0x000000006EE20000-0x000000006F3CB000-memory.dmp

Filesize
5.7MB

Download
memory/1384-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1384-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1384-69-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1384-64-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1384-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1384-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1384-68-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1696-58-0x0000000005100000-0x000000000514E000-memory.dmp

Filesize
312KB

Download
memory/1696-63-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/1696-54-0x0000000000D20000-0x0000000000DB0000-memory.dmp

Filesize
576KB

Download
memory/1696-57-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/1696-56-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/1696-55-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads