asyncrat | eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585

General

Target

eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
Size

29KB
MD5

6c701b09803ad18e93024d320c6a324d
SHA1

da096644b61ab6c6dc5544733794773a141c4b17
SHA256

eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585
SHA512

95dd75fd729aa684e14fa1e5568bb2ab3d3f730f0f0b34215ceb5a2f847dd202373358877450940ced7a074856fcfcb1242120d70b1cf38cd5082c2a94ce175c
SSDEEP

768:N2vFNP/2hkbIz0RhijkXSiegJAY93sP7nwXr:eFN3YTiegS03sDw7

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

?><MKdfdsgdgregrtgrthh<LKOIJUY&^T%RFDEXcfgvhbnjuimowefinuybt

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/VM7TRmVa

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1992-138-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1224 set thread context of 1992	1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe	80

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
Token: SeDebugPrivilege	1992	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1992	1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe	80
PID 1224 wrote to memory of 1992	1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe	80
PID 1224 wrote to memory of 1992	1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe	80
PID 1224 wrote to memory of 1992	1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe	80
PID 1224 wrote to memory of 1992	1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe	80
PID 1224 wrote to memory of 1992	1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe	80
PID 1224 wrote to memory of 1992	1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe	80
PID 1224 wrote to memory of 1992	1224	eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe	80

C:\Users\Admin\AppData\Local\Temp\eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
"C:\Users\Admin\AppData\Local\Temp\eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe
  "C:\Users\Admin\AppData\Local\Temp\eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eb205a5851de3d6f7fbce5129dea8443bffcac19ae1436e88e8e0ea4bc5d1585.exe.log

Filesize
1KB

MD5
f94ae3835923d0ef7775b7fc0237c8f7

SHA1
da69a9e0f7c7dff2cbbac00ed3931721f7c42094

SHA256
3ba64bb4afe0c9d554eedbed6932fe4e1ff829b681c8221a3ef4b5e68ed4d9df

SHA512
9c7bb0b1a7f137c09b3849ba87fed7d6e2fea5fad2301db453a04aea2c7235ec6d11587fb97b8770df40ac3c139719e252a4fb84e600d991ee6ecaa9262203ff

Download Submit
memory/1224-132-0x0000000000050000-0x000000000005C000-memory.dmp

Filesize
48KB

Download
memory/1224-133-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/1224-134-0x0000000004A30000-0x0000000004AC2000-memory.dmp

Filesize
584KB

Download
memory/1224-135-0x0000000005F80000-0x000000000601C000-memory.dmp

Filesize
624KB

Download
memory/1224-136-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/1992-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing