asyncrat | 398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

General

Target

ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
Size

105KB
MD5

ea1ea9fd37112bd1ef9cd6693fdb2cca
SHA1

176bfeccd1737a2e3ca961cd86edfe048b83cee7
SHA256

398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771
SHA512

a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692
SSDEEP

1536:dFuLAm8ssJ5e2BGdWLzxPoxZD2ZQQqn7uJ04+RAnyQ+qwz1ZAmdYjuu0UOQtJMD:PBGO2qxP+ZADqn7lRAn5nwwmdYw

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

Mutex

dsasdassasaasdasd

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/mndrG70y

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\hmmm.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\hmmm.exe	asyncrat
behavioral2/memory/2372-141-0x00000000000B0000-0x00000000000C2000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ea1ea9fd37112bd1ef9cd6693fdb2cca.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe

Executes dropped EXE 3 IoCs

Processes:

hmmm.exeassadsad.exeassadsad.exe

pid process

2372 hmmm.exe
988 assadsad.exe
2388 assadsad.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3084 988 WerFault.exe assadsad.exe
1720 2388 WerFault.exe assadsad.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4988 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

hmmm.exe

description pid process

Token: SeDebugPrivilege 2372 hmmm.exe

pid	process
2372	hmmm.exe
988	assadsad.exe
2388	assadsad.exe

pid	pid_target	process	target process
3084	988	WerFault.exe	assadsad.exe
1720	2388	WerFault.exe	assadsad.exe

pid	process
4988	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2372	hmmm.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ea1ea9fd37112bd1ef9cd6693fdb2cca.execmd.exe

description	pid	process	target process
PID 2380 wrote to memory of 2372	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	hmmm.exe
PID 2380 wrote to memory of 2372	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	hmmm.exe
PID 2380 wrote to memory of 2372	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	hmmm.exe
PID 2380 wrote to memory of 3752	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 2380 wrote to memory of 3752	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 2380 wrote to memory of 3752	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 2380 wrote to memory of 804	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 2380 wrote to memory of 804	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 2380 wrote to memory of 804	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 2380 wrote to memory of 2720	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 2380 wrote to memory of 2720	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 2380 wrote to memory of 2720	2380	ea1ea9fd37112bd1ef9cd6693fdb2cca.exe	cmd.exe
PID 804 wrote to memory of 4988	804	cmd.exe	schtasks.exe
PID 804 wrote to memory of 4988	804	cmd.exe	schtasks.exe
PID 804 wrote to memory of 4988	804	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe
"C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2380

C:\Users\Admin\AppData\Local\Temp\hmmm.exe
"C:\Users\Admin\AppData\Local\Temp\hmmm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\assadsad"
2⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4988

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\ea1ea9fd37112bd1ef9cd6693fdb2cca.exe" "C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe"
2⤵
PID:2720

C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
1⤵
- Executes dropped EXE
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 988 -s 868
2⤵
- Program crash
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 988 -ip 988
1⤵
PID:2304

C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 836
2⤵
- Program crash
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2388 -ip 2388
1⤵
PID:2980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\hmmm.exe
Filesize
47KB

MD5
90dd20220b13ec8971b88eede6637354

SHA1
c04bafafefe2b04fe6b06d9a4c106b2bb56ab132

SHA256
b267ce28d1cbbe768fc5a670bc85a28772f8ed9c9511a5b66a5d3cade598024c

SHA512
4f1804eccc5753b3f7ab2a42721e5af1d46ab4688d31c2798c460981b433c16aa16f5ca28468bd7943131a043c61ce97713c0e730b16d5c81fc72c8c532cc5f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hmmm.exe
Filesize
47KB

MD5
90dd20220b13ec8971b88eede6637354

SHA1
c04bafafefe2b04fe6b06d9a4c106b2bb56ab132

SHA256
b267ce28d1cbbe768fc5a670bc85a28772f8ed9c9511a5b66a5d3cade598024c

SHA512
4f1804eccc5753b3f7ab2a42721e5af1d46ab4688d31c2798c460981b433c16aa16f5ca28468bd7943131a043c61ce97713c0e730b16d5c81fc72c8c532cc5f6

Download Submit
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
C:\Users\Admin\AppData\Roaming\assadsad\assadsad.exe
Filesize
105KB

MD5
ea1ea9fd37112bd1ef9cd6693fdb2cca

SHA1
176bfeccd1737a2e3ca961cd86edfe048b83cee7

SHA256
398d6123b91dbc11a590bb5d4020833ae623340d3ff7649c097a1bd32dd9a771

SHA512
a7c109632238c11749fee4392f4870aecf0b16579df7eeb8fe2661721094afedcf6235a3b1bcabdf672fb08aafc6c11e39a8e13eaf3f98a91863566f88cfd692

Download Submit
memory/804-142-0x0000000000000000-mapping.dmp

Download
memory/2372-137-0x0000000000000000-mapping.dmp

Download
memory/2372-141-0x00000000000B0000-0x00000000000C2000-memory.dmp

Filesize
72KB

Download
memory/2380-136-0x0000000004D20000-0x0000000004D86000-memory.dmp

Filesize
408KB

Download
memory/2380-135-0x0000000000380000-0x00000000003A0000-memory.dmp

Filesize
128KB

Download
memory/2720-143-0x0000000000000000-mapping.dmp

Download
memory/3752-140-0x0000000000000000-mapping.dmp

Download
memory/4988-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads