asyncrat | 9ed6b16646571c6278ffaf7e9f19a919bf7ec72c5e0a6616c2d559d8486e672c

Analysis

max time kernel
231s
max time network
264s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

any.exe
Size

4.0MB
MD5

1a41528e75e53780eb8371376f59b165
SHA1

fa87fafead7128fc4a52bc371f08800d68941544
SHA256

9ed6b16646571c6278ffaf7e9f19a919bf7ec72c5e0a6616c2d559d8486e672c
SHA512

323eb3ba49f255e0157aacc22eeedd806166732002b786e85f3c86e82e9063f3e3a1bdc6cad4c2f856ef69de79ce667fde0283f4ff6ba93488b1737b1f19f3df
SSDEEP

98304:iDFWG1bqjvcLIsoh5GbmkNC3dv2tthJ2/Ev6l3:i7svcsImkN4chYECl

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

?><MKdfdsgdgregrtgrthh<LKOIJUY&^T%RFDEXcfgvhbnjuimowefinuybt

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/VM7TRmVa

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/116-138-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Drops startup file 2 IoCs

Processes:

any.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\any.exe	any.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\any.exe	any.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

any.exe

description pid process target process

PID 4940 set thread context of 116 4940 any.exe any.exe

description	pid	process	target process
PID 4940 set thread context of 116	4940	any.exe	any.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

any.exe

pid	process
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe
4940	any.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

any.exeany.exe

description pid process

Token: SeDebugPrivilege 4940 any.exe
Token: SeDebugPrivilege 116 any.exe

description	pid	process
Token: SeDebugPrivilege	4940	any.exe
Token: SeDebugPrivilege	116	any.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

any.exe

description	pid	process	target process
PID 4940 wrote to memory of 116	4940	any.exe	any.exe
PID 4940 wrote to memory of 116	4940	any.exe	any.exe
PID 4940 wrote to memory of 116	4940	any.exe	any.exe
PID 4940 wrote to memory of 116	4940	any.exe	any.exe
PID 4940 wrote to memory of 116	4940	any.exe	any.exe
PID 4940 wrote to memory of 116	4940	any.exe	any.exe
PID 4940 wrote to memory of 116	4940	any.exe	any.exe
PID 4940 wrote to memory of 116	4940	any.exe	any.exe

C:\Users\Admin\AppData\Local\Temp\any.exe
"C:\Users\Admin\AppData\Local\Temp\any.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940

C:\Users\Admin\AppData\Local\Temp\any.exe
"C:\Users\Admin\AppData\Local\Temp\any.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\any.exe.log
Filesize
1KB

MD5
f94ae3835923d0ef7775b7fc0237c8f7

SHA1
da69a9e0f7c7dff2cbbac00ed3931721f7c42094

SHA256
3ba64bb4afe0c9d554eedbed6932fe4e1ff829b681c8221a3ef4b5e68ed4d9df

SHA512
9c7bb0b1a7f137c09b3849ba87fed7d6e2fea5fad2301db453a04aea2c7235ec6d11587fb97b8770df40ac3c139719e252a4fb84e600d991ee6ecaa9262203ff

Download Submit
memory/116-137-0x0000000000000000-mapping.dmp

Download
memory/116-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4940-132-0x0000000000060000-0x000000000046C000-memory.dmp

Filesize
4.0MB

Download
memory/4940-133-0x0000000005200000-0x00000000057A4000-memory.dmp

Filesize
5.6MB

Download
memory/4940-134-0x0000000004D30000-0x0000000004DC2000-memory.dmp

Filesize
584KB

Download
memory/4940-135-0x0000000006390000-0x000000000642C000-memory.dmp

Filesize
624KB

Download
memory/4940-136-0x0000000006430000-0x0000000006496000-memory.dmp

Filesize
408KB

Download