asyncrat | 4f23c0742d9a19732acdcc777b4168366d4762b7f9fa553d1dbc62b68378cc97

Analysis

max time kernel
106s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bJwE.exe
Size

47KB
MD5

a19f3395e7a7f2981eccd6448d6921aa
SHA1

09c6a9dbff7f8dbd3c57946e686adedf9b9a1702
SHA256

4f23c0742d9a19732acdcc777b4168366d4762b7f9fa553d1dbc62b68378cc97
SHA512

9a8dc4c29cea92969e1f2e9974db056f5aa25f9ca46bc70b61da141e964d136ccfbb961b9113de5b984682e7cd89bb16864349075e963c2e0d47ea205161940a
SSDEEP

768:p96mxUTILWCaS+DiMtelDSN+iV08YbygePr7DlPlXWvEgK/JnZVc6KN:p96AKWMtKDs4zb1ulPlXWnkJnZVclN

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

gkAyQRdKkCButk6TyMAZ

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/FcHGaN0M

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2324-132-0x0000000000D20000-0x0000000000D32000-memory.dmp	asyncrat

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2716 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bJwE.exe

description pid process

Token: SeDebugPrivilege 2324 bJwE.exe

pid	process
2716	timeout.exe

description	pid	process
Token: SeDebugPrivilege	2324	bJwE.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bJwE.execmd.exe

description	pid	process	target process
PID 2324 wrote to memory of 2152	2324	bJwE.exe	cmd.exe
PID 2324 wrote to memory of 2152	2324	bJwE.exe	cmd.exe
PID 2152 wrote to memory of 2716	2152	cmd.exe	timeout.exe
PID 2152 wrote to memory of 2716	2152	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\bJwE.exe
"C:\Users\Admin\AppData\Local\Temp\bJwE.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD30F.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD30F.tmp.bat
Filesize
156B

MD5
c5b4f0c5684c2377eac441e77a3a499f

SHA1
e0b499d390def47ea20cc91e71837b1811c64e89

SHA256
4230d252c22beeb13587473c62a1852ead5749a9506a1b64b702c334b0b97f31

SHA512
c64f370d350662595f2c77082d6fe2a8587f4078e42cb479e4f0cd5ccbde0b4db9bedd19167847206ca6db49f39f136ce050a9c45b0b463f83debf8c508b094e

Download Submit
memory/2152-137-0x0000000000000000-mapping.dmp

Download
memory/2324-132-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/2324-133-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2324-134-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2324-135-0x000000001E560000-0x000000001E5D6000-memory.dmp

Filesize
472KB

Download
memory/2324-136-0x0000000001560000-0x000000000157E000-memory.dmp

Filesize
120KB

Download
memory/2324-140-0x00007FFC52A60000-0x00007FFC53521000-memory.dmp

Filesize
10.8MB

Download
memory/2716-139-0x0000000000000000-mapping.dmp

Download