asyncrat | af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630

General

Target

e16de135773985fd9ef2e0afb94f774a.exe
Size

45KB
MD5

e16de135773985fd9ef2e0afb94f774a
SHA1

84c2dd69ec6247cea480925d9ecfc728f5d04c58
SHA256

af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630
SHA512

0573dbceabcef8f74d6a32d45645ad297b6f28e7f26043ce0c1a68bd24cb8a67b75158050e2ee4b1dcdd37b660da26ecc135dd3deb630dee9c10a3863e817c34
SSDEEP

768:DuwQNToEjaNLWU3zKZmo2q723YZJugbbb409ybdPIK/JjbOgX3iWS9UmozmBDZfx:DuwQNToqaS2DYosymK/pbxXSzdfx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

sr5gsedfgwsers.freemyip.com:15420

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
tmpC723.tmp.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1636-54-0x00000000003B0000-0x00000000003C2000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe	asyncrat
\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe	asyncrat
behavioral1/memory/1964-65-0x0000000000AD0000-0x0000000000AE2000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

tmpC723.tmp.exe

pid process

1964 tmpC723.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

272 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

576 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1164 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e16de135773985fd9ef2e0afb94f774a.exe

pid process

1636 e16de135773985fd9ef2e0afb94f774a.exe

pid	process
1964	tmpC723.tmp.exe

pid	process
272	cmd.exe

pid	process
576	schtasks.exe

pid	process
1164	timeout.exe

pid	process
1636	e16de135773985fd9ef2e0afb94f774a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e16de135773985fd9ef2e0afb94f774a.exetmpC723.tmp.exe

description	pid	process
Token: SeDebugPrivilege	1636	e16de135773985fd9ef2e0afb94f774a.exe
Token: SeDebugPrivilege	1964	tmpC723.tmp.exe
Token: SeDebugPrivilege	1964	tmpC723.tmp.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e16de135773985fd9ef2e0afb94f774a.execmd.execmd.exe

description	pid	process	target process
PID 1636 wrote to memory of 288	1636	e16de135773985fd9ef2e0afb94f774a.exe	cmd.exe
PID 1636 wrote to memory of 288	1636	e16de135773985fd9ef2e0afb94f774a.exe	cmd.exe
PID 1636 wrote to memory of 288	1636	e16de135773985fd9ef2e0afb94f774a.exe	cmd.exe
PID 1636 wrote to memory of 288	1636	e16de135773985fd9ef2e0afb94f774a.exe	cmd.exe
PID 1636 wrote to memory of 272	1636	e16de135773985fd9ef2e0afb94f774a.exe	cmd.exe
PID 1636 wrote to memory of 272	1636	e16de135773985fd9ef2e0afb94f774a.exe	cmd.exe
PID 1636 wrote to memory of 272	1636	e16de135773985fd9ef2e0afb94f774a.exe	cmd.exe
PID 1636 wrote to memory of 272	1636	e16de135773985fd9ef2e0afb94f774a.exe	cmd.exe
PID 288 wrote to memory of 576	288	cmd.exe	schtasks.exe
PID 288 wrote to memory of 576	288	cmd.exe	schtasks.exe
PID 288 wrote to memory of 576	288	cmd.exe	schtasks.exe
PID 288 wrote to memory of 576	288	cmd.exe	schtasks.exe
PID 272 wrote to memory of 1164	272	cmd.exe	timeout.exe
PID 272 wrote to memory of 1164	272	cmd.exe	timeout.exe
PID 272 wrote to memory of 1164	272	cmd.exe	timeout.exe
PID 272 wrote to memory of 1164	272	cmd.exe	timeout.exe
PID 272 wrote to memory of 1964	272	cmd.exe	tmpC723.tmp.exe
PID 272 wrote to memory of 1964	272	cmd.exe	tmpC723.tmp.exe
PID 272 wrote to memory of 1964	272	cmd.exe	tmpC723.tmp.exe
PID 272 wrote to memory of 1964	272	cmd.exe	tmpC723.tmp.exe

C:\Users\Admin\AppData\Local\Temp\e16de135773985fd9ef2e0afb94f774a.exe
"C:\Users\Admin\AppData\Local\Temp\e16de135773985fd9ef2e0afb94f774a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "tmpC723.tmp" /tr '"C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "tmpC723.tmp" /tr '"C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe"'
3⤵
- Creates scheduled task(s)
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp190D.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1164

C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp190D.tmp.bat
Filesize
158B

MD5
00671d07162cdd54d464253cd419a79b

SHA1
d0e65ea1f3a2ac0eed7e403fde395a61d4238bf5

SHA256
b6b40ec955d2d2dcc3feffd51b1b4d12403258ca77deb9df614bd1b9bc85f32e

SHA512
8e1cab1449c7dce21a6aa602f3f8c1360b148e01d418ffa0bc91d0f866b9920b7455fea8e8113f0db3dfaa5882b0dcdf7f21b79b84fa8bf8dc71d8523a6b7eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe
Filesize
45KB

MD5
e16de135773985fd9ef2e0afb94f774a

SHA1
84c2dd69ec6247cea480925d9ecfc728f5d04c58

SHA256
af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630

SHA512
0573dbceabcef8f74d6a32d45645ad297b6f28e7f26043ce0c1a68bd24cb8a67b75158050e2ee4b1dcdd37b660da26ecc135dd3deb630dee9c10a3863e817c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe
Filesize
45KB

MD5
e16de135773985fd9ef2e0afb94f774a

SHA1
84c2dd69ec6247cea480925d9ecfc728f5d04c58

SHA256
af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630

SHA512
0573dbceabcef8f74d6a32d45645ad297b6f28e7f26043ce0c1a68bd24cb8a67b75158050e2ee4b1dcdd37b660da26ecc135dd3deb630dee9c10a3863e817c34

Download Submit
\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe
Filesize
45KB

MD5
e16de135773985fd9ef2e0afb94f774a

SHA1
84c2dd69ec6247cea480925d9ecfc728f5d04c58

SHA256
af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630

SHA512
0573dbceabcef8f74d6a32d45645ad297b6f28e7f26043ce0c1a68bd24cb8a67b75158050e2ee4b1dcdd37b660da26ecc135dd3deb630dee9c10a3863e817c34

Download Submit
memory/272-57-0x0000000000000000-mapping.dmp

Download
memory/288-56-0x0000000000000000-mapping.dmp

Download
memory/576-58-0x0000000000000000-mapping.dmp

Download
memory/1164-60-0x0000000000000000-mapping.dmp

Download
memory/1636-54-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/1636-55-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1964-63-0x0000000000000000-mapping.dmp

Download
memory/1964-65-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads