asyncrat | 1aa4b89bb7f459747e5101ceb8db5f40d1417bed8250695b94c91f08863ebc12

General

Target

af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe
Size

45KB
MD5

e16de135773985fd9ef2e0afb94f774a
SHA1

84c2dd69ec6247cea480925d9ecfc728f5d04c58
SHA256

af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630
SHA512

0573dbceabcef8f74d6a32d45645ad297b6f28e7f26043ce0c1a68bd24cb8a67b75158050e2ee4b1dcdd37b660da26ecc135dd3deb630dee9c10a3863e817c34
SSDEEP

768:DuwQNToEjaNLWU3zKZmo2q723YZJugbbb409ybdPIK/JjbOgX3iWS9UmozmBDZfx:DuwQNToqaS2DYosymK/pbxXSzdfx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

sr5gsedfgwsers.freemyip.com:15420

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
tmpC723.tmp.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/836-54-0x00000000003E0000-0x00000000003F2000-memory.dmp	asyncrat
\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe	asyncrat
behavioral1/memory/1872-65-0x0000000000B30000-0x0000000000B42000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

tmpC723.tmp.exe

pid process

1872 tmpC723.tmp.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1168 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

588 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

584 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe

pid process

836 af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe

pid	process
1872	tmpC723.tmp.exe

pid	process
1168	cmd.exe

pid	process
588	schtasks.exe

pid	process
584	timeout.exe

pid	process
836	af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exetmpC723.tmp.exe

description	pid	process
Token: SeDebugPrivilege	836	af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe
Token: SeDebugPrivilege	1872	tmpC723.tmp.exe
Token: SeDebugPrivilege	1872	tmpC723.tmp.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.execmd.execmd.exe

description	pid	process	target process
PID 836 wrote to memory of 1412	836	af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe	cmd.exe
PID 836 wrote to memory of 1412	836	af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe	cmd.exe
PID 836 wrote to memory of 1412	836	af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe	cmd.exe
PID 836 wrote to memory of 1412	836	af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe	cmd.exe
PID 836 wrote to memory of 1168	836	af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe	cmd.exe
PID 836 wrote to memory of 1168	836	af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe	cmd.exe
PID 836 wrote to memory of 1168	836	af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe	cmd.exe
PID 836 wrote to memory of 1168	836	af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe	cmd.exe
PID 1412 wrote to memory of 588	1412	cmd.exe	schtasks.exe
PID 1412 wrote to memory of 588	1412	cmd.exe	schtasks.exe
PID 1412 wrote to memory of 588	1412	cmd.exe	schtasks.exe
PID 1412 wrote to memory of 588	1412	cmd.exe	schtasks.exe
PID 1168 wrote to memory of 584	1168	cmd.exe	timeout.exe
PID 1168 wrote to memory of 584	1168	cmd.exe	timeout.exe
PID 1168 wrote to memory of 584	1168	cmd.exe	timeout.exe
PID 1168 wrote to memory of 584	1168	cmd.exe	timeout.exe
PID 1168 wrote to memory of 1872	1168	cmd.exe	tmpC723.tmp.exe
PID 1168 wrote to memory of 1872	1168	cmd.exe	tmpC723.tmp.exe
PID 1168 wrote to memory of 1872	1168	cmd.exe	tmpC723.tmp.exe
PID 1168 wrote to memory of 1872	1168	cmd.exe	tmpC723.tmp.exe

C:\Users\Admin\AppData\Local\Temp\af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe
"C:\Users\Admin\AppData\Local\Temp\af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "tmpC723.tmp" /tr '"C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "tmpC723.tmp" /tr '"C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe"'
3⤵
- Creates scheduled task(s)
PID:588

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp117F.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:584

C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp117F.tmp.bat
Filesize
158B

MD5
58ae2d752240ea0c7939476498aab6ae

SHA1
be3d76582d188060027d6a7472d7325db0364bdc

SHA256
c730ae56831aebca95640a54cfbc442e23445ba2f160d3974034b84250224983

SHA512
946b72e601c7dde19d60400bf6bd0996857a72c235df28990d12ef70a58c84f99a5daaba35ad93c35e9f9f61cd0efbd0a52f9379b94fdfa9fb2baa71d8b49ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe
Filesize
45KB

MD5
e16de135773985fd9ef2e0afb94f774a

SHA1
84c2dd69ec6247cea480925d9ecfc728f5d04c58

SHA256
af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630

SHA512
0573dbceabcef8f74d6a32d45645ad297b6f28e7f26043ce0c1a68bd24cb8a67b75158050e2ee4b1dcdd37b660da26ecc135dd3deb630dee9c10a3863e817c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe
Filesize
45KB

MD5
e16de135773985fd9ef2e0afb94f774a

SHA1
84c2dd69ec6247cea480925d9ecfc728f5d04c58

SHA256
af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630

SHA512
0573dbceabcef8f74d6a32d45645ad297b6f28e7f26043ce0c1a68bd24cb8a67b75158050e2ee4b1dcdd37b660da26ecc135dd3deb630dee9c10a3863e817c34

Download Submit
\Users\Admin\AppData\Local\Temp\tmpC723.tmp.exe
Filesize
45KB

MD5
e16de135773985fd9ef2e0afb94f774a

SHA1
84c2dd69ec6247cea480925d9ecfc728f5d04c58

SHA256
af32b03c1fdbc8a4dd60fdea328134b6a34946c7c77cd743600a2101a70c6630

SHA512
0573dbceabcef8f74d6a32d45645ad297b6f28e7f26043ce0c1a68bd24cb8a67b75158050e2ee4b1dcdd37b660da26ecc135dd3deb630dee9c10a3863e817c34

Download Submit
memory/584-60-0x0000000000000000-mapping.dmp

Download
memory/588-59-0x0000000000000000-mapping.dmp

Download
memory/836-54-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/836-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1168-57-0x0000000000000000-mapping.dmp

Download
memory/1412-56-0x0000000000000000-mapping.dmp

Download
memory/1872-63-0x0000000000000000-mapping.dmp

Download
memory/1872-65-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads