asyncrat | fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3

General

Target

fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe
Size

45KB
MD5

b379d5f8e60203f7ac58330baf412e41
SHA1

de08737859edb749490b33a2426011e169321684
SHA256

fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3
SHA512

984c4ae0bc27ad4423e92c9e4d9f0194ff0d84e613e42592977396878b78776358b773ddc40bfc5a7e9351f4f778c9f663fbca08fd8bf3cbc7e142ec2d44b0ed
SSDEEP

768:3ukzVT0kLd3WULgPdVmo2qD7KjGKG6PIyzjbFgX3i08Bobv+L4yboBDZzx:3ukzVT0Mq12KKYDy3bCXS1tSdzx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

101.33.208.151:6606

101.33.208.151:7707

101.33.208.151:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
window.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1948-54-0x00000000001F0000-0x0000000000202000-memory.dmp	asyncrat
\Users\Admin\AppData\Roaming\window.exe	asyncrat
C:\Users\Admin\AppData\Roaming\window.exe	asyncrat
C:\Users\Admin\AppData\Roaming\window.exe	asyncrat
behavioral1/memory/960-65-0x0000000000390000-0x00000000003A2000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

window.exe

pid process

960 window.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1348 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1748 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1336 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe

pid process

1948 fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe

pid	process
960	window.exe

pid	process
1348	cmd.exe

pid	process
1748	schtasks.exe

pid	process
1336	timeout.exe

pid	process
1948	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exewindow.exe

description	pid	process
Token: SeDebugPrivilege	1948	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe
Token: SeDebugPrivilege	960	window.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.execmd.execmd.exe

description	pid	process	target process
PID 1948 wrote to memory of 1552	1948	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1948 wrote to memory of 1552	1948	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1948 wrote to memory of 1552	1948	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1948 wrote to memory of 1552	1948	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1948 wrote to memory of 1348	1948	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1948 wrote to memory of 1348	1948	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1948 wrote to memory of 1348	1948	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1948 wrote to memory of 1348	1948	fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe	cmd.exe
PID 1552 wrote to memory of 1748	1552	cmd.exe	schtasks.exe
PID 1552 wrote to memory of 1748	1552	cmd.exe	schtasks.exe
PID 1552 wrote to memory of 1748	1552	cmd.exe	schtasks.exe
PID 1552 wrote to memory of 1748	1552	cmd.exe	schtasks.exe
PID 1348 wrote to memory of 1336	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 1336	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 1336	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 1336	1348	cmd.exe	timeout.exe
PID 1348 wrote to memory of 960	1348	cmd.exe	window.exe
PID 1348 wrote to memory of 960	1348	cmd.exe	window.exe
PID 1348 wrote to memory of 960	1348	cmd.exe	window.exe
PID 1348 wrote to memory of 960	1348	cmd.exe	window.exe

C:\Users\Admin\AppData\Local\Temp\fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe
"C:\Users\Admin\AppData\Local\Temp\fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "window" /tr '"C:\Users\Admin\AppData\Roaming\window.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "window" /tr '"C:\Users\Admin\AppData\Roaming\window.exe"'
3⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp15C3.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1336

C:\Users\Admin\AppData\Roaming\window.exe
"C:\Users\Admin\AppData\Roaming\window.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp15C3.tmp.bat
Filesize
150B

MD5
e8e2279cff4a54c3acc50b69035681fa

SHA1
0de39ae7c3647f6514af4cc19eb9c87c516762df

SHA256
d47cb500f54173df16170f167d7c40f361d8b80239f00090ff31dcb72e0c54ee

SHA512
08e995a125b601717431e97efb5f4b97d245eadd34052933fc0e5ad52e1ba3cc64bcd961b1f9fbc79c426905bb58fa204b990da4ef77a3ca35c7a9feacc326f1

Download Submit
C:\Users\Admin\AppData\Roaming\window.exe
Filesize
45KB

MD5
b379d5f8e60203f7ac58330baf412e41

SHA1
de08737859edb749490b33a2426011e169321684

SHA256
fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3

SHA512
984c4ae0bc27ad4423e92c9e4d9f0194ff0d84e613e42592977396878b78776358b773ddc40bfc5a7e9351f4f778c9f663fbca08fd8bf3cbc7e142ec2d44b0ed

Download Submit
C:\Users\Admin\AppData\Roaming\window.exe
Filesize
45KB

MD5
b379d5f8e60203f7ac58330baf412e41

SHA1
de08737859edb749490b33a2426011e169321684

SHA256
fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3

SHA512
984c4ae0bc27ad4423e92c9e4d9f0194ff0d84e613e42592977396878b78776358b773ddc40bfc5a7e9351f4f778c9f663fbca08fd8bf3cbc7e142ec2d44b0ed

Download Submit
\Users\Admin\AppData\Roaming\window.exe
Filesize
45KB

MD5
b379d5f8e60203f7ac58330baf412e41

SHA1
de08737859edb749490b33a2426011e169321684

SHA256
fe497cd48b3e42022fa45d7048b88d832c0ae76fad7dd0616170ac143bb731f3

SHA512
984c4ae0bc27ad4423e92c9e4d9f0194ff0d84e613e42592977396878b78776358b773ddc40bfc5a7e9351f4f778c9f663fbca08fd8bf3cbc7e142ec2d44b0ed

Download Submit
memory/960-63-0x0000000000000000-mapping.dmp

Download
memory/960-65-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/1336-60-0x0000000000000000-mapping.dmp

Download
memory/1348-57-0x0000000000000000-mapping.dmp

Download
memory/1552-56-0x0000000000000000-mapping.dmp

Download
memory/1748-58-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/1948-55-0x00000000764D1000-0x00000000764D3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads