asyncrat | 398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
16-02-2023 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
Size

105KB
MD5

ea1ea9fd37112bd1ef9cd6693fdb2cca
SHA1

176bfeccd1737a2e3ca961cd86edfe048b83cee7
SHA256

398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771
SHA512

a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692
SSDEEP

1536:dFuLAm8ssJ5e2BGdWLzxPoxZD2ZQQqn7uJ04+RAnyQ+qwz1ZAmdYjuu0UOQtJMD:PBGO2qxP+ZADqn7lRAn5nwwmdYw

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

Mutex

dsasdassasaasdasd

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/mndrG70y

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\hmmm.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\hmmm.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\hmmm.exe	asyncrat
behavioral1/memory/1964-60-0x0000000000380000-0x0000000000392000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

hmmm.exeassadsad.exe

pid process

1964 hmmm.exe
596 assadsad.exe
Loads dropped DLL 6 IoCs

Processes:

ea1ea9fd37112bd1ef9cd6693fdb2cca.exeWerFault.exe

pid process

1136 ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
912 WerFault.exe
912 WerFault.exe
912 WerFault.exe
912 WerFault.exe
912 WerFault.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

912 596 WerFault.exe assadsad.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2012 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hmmm.exe

description pid process

Token: SeDebugPrivilege 1964 hmmm.exe

pid	process
1964	hmmm.exe
596	assadsad.exe

pid	process
1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe
912	WerFault.exe

pid	pid_target	process	target process
912	596	WerFault.exe	assadsad.exe

pid	process
2012	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1964	hmmm.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

ea1ea9fd37112bd1ef9cd6693fdb2cca.execmd.exetaskeng.exeassadsad.exe

description	pid	process	target process
PID 1136 wrote to memory of 1964	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	hmmm.exe
PID 1136 wrote to memory of 1964	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	hmmm.exe
PID 1136 wrote to memory of 1964	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	hmmm.exe
PID 1136 wrote to memory of 1964	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	hmmm.exe
PID 1136 wrote to memory of 1020	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1136 wrote to memory of 1020	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1136 wrote to memory of 1020	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1136 wrote to memory of 1020	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1136 wrote to memory of 1348	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1136 wrote to memory of 1348	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1136 wrote to memory of 1348	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1136 wrote to memory of 1348	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1136 wrote to memory of 852	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1136 wrote to memory of 852	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1136 wrote to memory of 852	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1136 wrote to memory of 852	1136	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 1348 wrote to memory of 2012	1348	cmd.exe	schtasks.exe
PID 1348 wrote to memory of 2012	1348	cmd.exe	schtasks.exe
PID 1348 wrote to memory of 2012	1348	cmd.exe	schtasks.exe
PID 1348 wrote to memory of 2012	1348	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 596	1512	taskeng.exe	assadsad.exe
PID 1512 wrote to memory of 596	1512	taskeng.exe	assadsad.exe
PID 1512 wrote to memory of 596	1512	taskeng.exe	assadsad.exe
PID 1512 wrote to memory of 596	1512	taskeng.exe	assadsad.exe
PID 596 wrote to memory of 912	596	assadsad.exe	WerFault.exe
PID 596 wrote to memory of 912	596	assadsad.exe	WerFault.exe
PID 596 wrote to memory of 912	596	assadsad.exe	WerFault.exe
PID 596 wrote to memory of 912	596	assadsad.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
"C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\hmmm.exe
"C:\Users\Admin\AppData\Local\Temp\hmmm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\assadsad"
2⤵
PID:1020

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2012

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe" "C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe"
2⤵
PID:852

C:\Windows\system32\taskeng.exe
taskeng.exe {CC57D815-ED16-4472-8927-BF9C02EECCDB} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 596 -s 544
3⤵
- Loads dropped DLL
- Program crash
PID:912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hmmm.exe
Filesize
47KB

MD5
90dd20220b13ec8971b88eede6637354

SHA1
c04bafafefe2b04fe6b06d9a4c106b2bb56ab132

SHA256
b267ce28d1cbbe768fc5a670bc85a28772f8ed9c9511a5b66a5d3cade598024c

SHA512
4f1804eccc5753b3f7ab2a42721e5af1d46ab4688d31c2798c460981b433c16aa16f5ca28468bd7943131a043c61ce97713c0e730b16d5c81fc72c8c532cc5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmmm.exe
Filesize
47KB

MD5
90dd20220b13ec8971b88eede6637354

SHA1
c04bafafefe2b04fe6b06d9a4c106b2bb56ab132

SHA256
b267ce28d1cbbe768fc5a670bc85a28772f8ed9c9511a5b66a5d3cade598024c

SHA512
4f1804eccc5753b3f7ab2a42721e5af1d46ab4688d31c2798c460981b433c16aa16f5ca28468bd7943131a043c61ce97713c0e730b16d5c81fc72c8c532cc5f6

Download Submit
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
\Users\Admin\AppData\Local\Temp\hmmm.exe
Filesize
47KB

MD5
90dd20220b13ec8971b88eede6637354

SHA1
c04bafafefe2b04fe6b06d9a4c106b2bb56ab132

SHA256
b267ce28d1cbbe768fc5a670bc85a28772f8ed9c9511a5b66a5d3cade598024c

SHA512
4f1804eccc5753b3f7ab2a42721e5af1d46ab4688d31c2798c460981b433c16aa16f5ca28468bd7943131a043c61ce97713c0e730b16d5c81fc72c8c532cc5f6

Download Submit
\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
memory/596-69-0x00000000010E0000-0x0000000001100000-memory.dmp

Filesize
128KB

Download
memory/596-67-0x0000000000000000-mapping.dmp

Download
memory/852-63-0x0000000000000000-mapping.dmp

Download
memory/912-70-0x0000000000000000-mapping.dmp

Download
memory/1020-61-0x0000000000000000-mapping.dmp

Download
memory/1136-54-0x0000000000810000-0x0000000000830000-memory.dmp

Filesize
128KB

Download
memory/1136-55-0x0000000075E01000-0x0000000075E03000-memory.dmp

Filesize
8KB

Download
memory/1348-62-0x0000000000000000-mapping.dmp

Download
memory/1964-60-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/1964-57-0x0000000000000000-mapping.dmp

Download
memory/2012-64-0x0000000000000000-mapping.dmp

Download