asyncrat | 4f23c0742d9a19732acdcc777b4168366d4762b7f9fa553d1dbc62b68378cc97

Analysis

max time kernel
76s
max time network
78s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-02-2023 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bJwE.exe
Size

47KB
MD5

a19f3395e7a7f2981eccd6448d6921aa
SHA1

09c6a9dbff7f8dbd3c57946e686adedf9b9a1702
SHA256

4f23c0742d9a19732acdcc777b4168366d4762b7f9fa553d1dbc62b68378cc97
SHA512

9a8dc4c29cea92969e1f2e9974db056f5aa25f9ca46bc70b61da141e964d136ccfbb961b9113de5b984682e7cd89bb16864349075e963c2e0d47ea205161940a
SSDEEP

768:p96mxUTILWCaS+DiMtelDSN+iV08YbygePr7DlPlXWvEgK/JnZVc6KN:p96AKWMtKDs4zb1ulPlXWnkJnZVclN

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

gkAyQRdKkCButk6TyMAZ

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/FcHGaN0M

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1976-54-0x0000000001110000-0x0000000001122000-memory.dmp	asyncrat
behavioral1/memory/1976-55-0x0000000000B20000-0x0000000000B84000-memory.dmp	asyncrat

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1880 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

920 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bJwE.exe

description pid process

Token: SeDebugPrivilege 1976 bJwE.exe

pid	process
1880	cmd.exe

pid	process
920	timeout.exe

description	pid	process
Token: SeDebugPrivilege	1976	bJwE.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

bJwE.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 1880	1976	bJwE.exe	cmd.exe
PID 1976 wrote to memory of 1880	1976	bJwE.exe	cmd.exe
PID 1976 wrote to memory of 1880	1976	bJwE.exe	cmd.exe
PID 1880 wrote to memory of 920	1880	cmd.exe	timeout.exe
PID 1880 wrote to memory of 920	1880	cmd.exe	timeout.exe
PID 1880 wrote to memory of 920	1880	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\bJwE.exe
"C:\Users\Admin\AppData\Local\Temp\bJwE.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp106E.tmp.bat""
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp106E.tmp.bat
Filesize
156B

MD5
ac3e962ddcf923f13b37007570274d7b

SHA1
757f1c4695eb505b08fb16cfb5f1802bc03b3329

SHA256
ea8d80f3131f5e8f64d840970aeab8993c6ab96ec4960da3b7965c99f2349795

SHA512
39a47c05a8a1f2e96381d734fe9927a6e50843f947cea04115edc4fcb7c2ef98f811b3ff669bba2606d95d01a7b9b58c4e4866b4d28cc6fa9c3abbb28e02b1c8

Download Submit
memory/920-58-0x0000000000000000-mapping.dmp

Download
memory/1880-56-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000001110000-0x0000000001122000-memory.dmp

Filesize
72KB

Download
memory/1976-55-0x0000000000B20000-0x0000000000B84000-memory.dmp

Filesize
400KB

Download