asyncrat | c40f3216652866e041fd154c38dab5f443f65da7e995e45ce473bf2662e2f7e4

Analysis

max time kernel
91s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 16:08

Target

bJyz.exe
Size

47KB
MD5

90631c5269980f1ea596b3c76974d262
SHA1

889a1edb9b462ed0d3a5cc8ecf0427696d6095c5
SHA256

c40f3216652866e041fd154c38dab5f443f65da7e995e45ce473bf2662e2f7e4
SHA512

c129df24c9302a9c0cae09cbe1a5c9efca3848719cc80e1801cf8ccdac9d1a714c03cb590446394e2e14ba16dc8bb8e7e6c1ae1110271dcf0896e08634cbb9cd
SSDEEP

768:dOEuILWCKi+DiBtelDSN+iV08YbygemmbbeUZvEgK/J9lZVc6KN:dOtmBtKDs4zb1CbeMnkJ3ZVclN

Score

10^/10

Family

asyncrat

Version

1.0.7

Botnet

Default

20.197.196.201:7749

Mutex

hAtBdUenfThOelUfgThs

Attributes

aes.plain

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3684-132-0x0000000000EC0000-0x0000000000ED2000-memory.dmp	asyncrat

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1468 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bJyz.exe

description pid process

Token: SeDebugPrivilege 3684 bJyz.exe

pid	process
1468	timeout.exe

description	pid	process
Token: SeDebugPrivilege	3684	bJyz.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bJyz.execmd.exe

description	pid	process	target process
PID 3684 wrote to memory of 2948	3684	bJyz.exe	cmd.exe
PID 3684 wrote to memory of 2948	3684	bJyz.exe	cmd.exe
PID 2948 wrote to memory of 1468	2948	cmd.exe	timeout.exe
PID 2948 wrote to memory of 1468	2948	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp85BA.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1468

C:\Users\Admin\AppData\Local\Temp\tmp85BA.tmp.bat
Filesize
156B

MD5
c00db9a67dcbe876ea655d9d00444097

SHA1
9218cf4d66cce9ba05d5916420dcf2c44851465a

SHA256
baa19fc49e7e382301fabbd0aa7cd6ce9ee5e5aa19b75779c6849674fc6b5022

SHA512
f51ea2b71680cad3c2a2c398874f72d3da8946a195164534c46af266d44430df32a33c7f6068f977296f481efb3bab936faa8828d35ce3020a62d0da54e06802

Download Submit
memory/1468-139-0x0000000000000000-mapping.dmp

Download
memory/2948-137-0x0000000000000000-mapping.dmp

Download
memory/3684-132-0x0000000000EC0000-0x0000000000ED2000-memory.dmp

Filesize
72KB

Download
memory/3684-133-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/3684-134-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/3684-135-0x000000001E4F0000-0x000000001E566000-memory.dmp

Filesize
472KB

Download
memory/3684-136-0x000000001E4D0000-0x000000001E4EE000-memory.dmp

Filesize
120KB

Download
memory/3684-140-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download