asyncrat | 398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

General

Target

ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
Size

105KB
MD5

ea1ea9fd37112bd1ef9cd6693fdb2cca
SHA1

176bfeccd1737a2e3ca961cd86edfe048b83cee7
SHA256

398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771
SHA512

a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692
SSDEEP

1536:dFuLAm8ssJ5e2BGdWLzxPoxZD2ZQQqn7uJ04+RAnyQ+qwz1ZAmdYjuu0UOQtJMD:PBGO2qxP+ZADqn7lRAn5nwwmdYw

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

Mutex

dsasdassasaasdasd

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/mndrG70y

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/files/0x000300000000071d-138.dat	asyncrat
behavioral2/files/0x000300000000071d-139.dat	asyncrat
behavioral2/memory/2372-141-0x00000000000B0000-0x00000000000C2000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe

Executes dropped EXE 3 IoCs

pid	Process
2372	hmmm.exe
988	assadsad.exe
2388	assadsad.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3084	988	WerFault.exe	96
1720	2388	WerFault.exe	100

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4988	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	hmmm.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2372	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	81
PID 2380 wrote to memory of 2372	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	81
PID 2380 wrote to memory of 2372	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	81
PID 2380 wrote to memory of 3752	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	82
PID 2380 wrote to memory of 3752	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	82
PID 2380 wrote to memory of 3752	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	82
PID 2380 wrote to memory of 804	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	84
PID 2380 wrote to memory of 804	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	84
PID 2380 wrote to memory of 804	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	84
PID 2380 wrote to memory of 2720	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	86
PID 2380 wrote to memory of 2720	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	86
PID 2380 wrote to memory of 2720	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	86
PID 804 wrote to memory of 4988	804	cmd.exe	88
PID 804 wrote to memory of 4988	804	cmd.exe	88
PID 804 wrote to memory of 4988	804	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
"C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\hmmm.exe
  "C:\Users\Admin\AppData\Local\Temp\hmmm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\assadsad"
  2⤵
  PID:3752
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe" "C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe"
  2⤵
  PID:2720

C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
1⤵
- Executes dropped EXE
PID:988
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 868
  2⤵
  - Program crash
  PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 988 -ip 988
1⤵
PID:2304

C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
1⤵
- Executes dropped EXE
PID:2388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 836
  2⤵
  - Program crash
  PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2388 -ip 2388
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hmmm.exe

Filesize
47KB

MD5
90dd20220b13ec8971b88eede6637354

SHA1
c04bafafefe2b04fe6b06d9a4c106b2bb56ab132

SHA256
b267ce28d1cbbe768fc5a670bc85a28772f8ed9c9511a5b66a5d3cade598024c

SHA512
4f1804eccc5753b3f7ab2a42721e5af1d46ab4688d31c2798c460981b433c16aa16f5ca28468bd7943131a043c61ce97713c0e730b16d5c81fc72c8c532cc5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmmm.exe

Filesize
47KB

MD5
90dd20220b13ec8971b88eede6637354

SHA1
c04bafafefe2b04fe6b06d9a4c106b2bb56ab132

SHA256
b267ce28d1cbbe768fc5a670bc85a28772f8ed9c9511a5b66a5d3cade598024c

SHA512
4f1804eccc5753b3f7ab2a42721e5af1d46ab4688d31c2798c460981b433c16aa16f5ca28468bd7943131a043c61ce97713c0e730b16d5c81fc72c8c532cc5f6

Download Submit
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe

Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe

Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe

Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
memory/2372-141-0x00000000000B0000-0x00000000000C2000-memory.dmp

Filesize
72KB

Download
memory/2380-136-0x0000000004D20000-0x0000000004D86000-memory.dmp

Filesize
408KB

Download
memory/2380-135-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads