asyncrat | fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3

General

Target

fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe
Size

45KB
MD5

b379d5f8e60203f7ac58330baf412e41
SHA1

de08737859edb749490b33a2426011e169321684
SHA256

fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3
SHA512

984c4ae0bc27ad4423e92c9e4d9f0194ff0d84e613e42592977396878b78776358b773ddc40bfc5a7e9351f4f778c9f663fbca08fd8bf3cbc7e142ec2d44b0ed
SSDEEP

768:3ukzVT0kLd3WULgPdVmo2qD7KjGKG6PIyzjbFgX3i08Bobv+L4yboBDZzx:3ukzVT0Mq12KKYDy3bCXS1tSdzx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

101.33.208.151:6606

101.33.208.151:7707

101.33.208.151:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
window.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1668-54-0x0000000000880000-0x0000000000892000-memory.dmp	asyncrat
\Users\Admin\AppData\Roaming\window.exe	asyncrat
C:\Users\Admin\AppData\Roaming\window.exe	asyncrat
C:\Users\Admin\AppData\Roaming\window.exe	asyncrat
behavioral1/memory/1824-65-0x0000000000E00000-0x0000000000E12000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

window.exe

pid process

1824 window.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2020 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1972 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

956 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe

pid process

1668 fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe

pid	process
1824	window.exe

pid	process
2020	cmd.exe

pid	process
1972	schtasks.exe

pid	process
956	timeout.exe

pid	process
1668	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exewindow.exe

description	pid	process
Token: SeDebugPrivilege	1668	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe
Token: SeDebugPrivilege	1824	window.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.execmd.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 1760	1668	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1668 wrote to memory of 1760	1668	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1668 wrote to memory of 1760	1668	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1668 wrote to memory of 1760	1668	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1668 wrote to memory of 2020	1668	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1668 wrote to memory of 2020	1668	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1668 wrote to memory of 2020	1668	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1668 wrote to memory of 2020	1668	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 2020 wrote to memory of 956	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 956	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 956	2020	cmd.exe	timeout.exe
PID 2020 wrote to memory of 956	2020	cmd.exe	timeout.exe
PID 1760 wrote to memory of 1972	1760	cmd.exe	schtasks.exe
PID 1760 wrote to memory of 1972	1760	cmd.exe	schtasks.exe
PID 1760 wrote to memory of 1972	1760	cmd.exe	schtasks.exe
PID 1760 wrote to memory of 1972	1760	cmd.exe	schtasks.exe
PID 2020 wrote to memory of 1824	2020	cmd.exe	window.exe
PID 2020 wrote to memory of 1824	2020	cmd.exe	window.exe
PID 2020 wrote to memory of 1824	2020	cmd.exe	window.exe
PID 2020 wrote to memory of 1824	2020	cmd.exe	window.exe

C:\Users\Admin\AppData\Local\Temp\fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe
"C:\Users\Admin\AppData\Local\Temp\fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "window" /tr '"C:\Users\Admin\AppData\Roaming\window.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "window" /tr '"C:\Users\Admin\AppData\Roaming\window.exe"'
3⤵
- Creates scheduled task(s)
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2656.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:956

C:\Users\Admin\AppData\Roaming\window.exe
"C:\Users\Admin\AppData\Roaming\window.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp2656.tmp.bat
Filesize
150B

MD5
28e4605771ff3dd336e607756efa0cea

SHA1
7a1b9f295ffb58dc31f6b6d3c5be177c4889a30b

SHA256
29b403635c1222055b6b2256a884bc1afb9910ea3785288b67e46ee0c0538986

SHA512
5b162b0db128d05fc6778cd71d32efd36a32ea878317df43ebb520c1bec2f868e270355617faa12cbf2f5cac43104f83a8823a98306049bab2b31a35b7a626e0

Download Submit
C:\Users\Admin\AppData\Roaming\window.exe
Filesize
45KB

MD5
b379d5f8e60203f7ac58330baf412e41

SHA1
de08737859edb749490b33a2426011e169321684

SHA256
fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3

SHA512
984c4ae0bc27ad4423e92c9e4d9f0194ff0d84e613e42592977396878b78776358b773ddc40bfc5a7e9351f4f778c9f663fbca08fd8bf3cbc7e142ec2d44b0ed

Download Submit
C:\Users\Admin\AppData\Roaming\window.exe
Filesize
45KB

MD5
b379d5f8e60203f7ac58330baf412e41

SHA1
de08737859edb749490b33a2426011e169321684

SHA256
fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3

SHA512
984c4ae0bc27ad4423e92c9e4d9f0194ff0d84e613e42592977396878b78776358b773ddc40bfc5a7e9351f4f778c9f663fbca08fd8bf3cbc7e142ec2d44b0ed

Download Submit
\Users\Admin\AppData\Roaming\window.exe
Filesize
45KB

MD5
b379d5f8e60203f7ac58330baf412e41

SHA1
de08737859edb749490b33a2426011e169321684

SHA256
fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3

SHA512
984c4ae0bc27ad4423e92c9e4d9f0194ff0d84e613e42592977396878b78776358b773ddc40bfc5a7e9351f4f778c9f663fbca08fd8bf3cbc7e142ec2d44b0ed

Download Submit
memory/956-59-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/1668-55-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1760-56-0x0000000000000000-mapping.dmp

Download
memory/1824-63-0x0000000000000000-mapping.dmp

Download
memory/1824-65-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/1972-60-0x0000000000000000-mapping.dmp

Download
memory/2020-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads