asyncrat | 785ebeb84c2bc65d0b0a55691f18631c110531b132f60535b8462684d2492b81

General

Target

SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe
Size

621KB
MD5

45f42e17dd7229140a940f3346ddf3a9
SHA1

dbf51050b80bd2932bfed81fc867495bbd856ca6
SHA256

785ebeb84c2bc65d0b0a55691f18631c110531b132f60535b8462684d2492b81
SHA512

3a1c2a3ee5382c61759e1a2664f2871eb49c567de6dec8ad70e797d4698f7950ec78eb567aba3ad286723bae926856509e880777d4165a75cc2463fcb4fbc7ef
SSDEEP

12288:NeHlPTZh6q6/TKPzG7rjkKzG9DP+ogIGdjPETxpj:NeHllY/TKPzG7+B+TIOjPWxF

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.3.193.136:2023

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1640-72-0x0000000000400000-0x000000000041E000-memory.dmp	asyncrat
behavioral1/memory/1640-74-0x0000000000400000-0x000000000041E000-memory.dmp	asyncrat
behavioral1/memory/1640-75-0x0000000000400000-0x000000000041E000-memory.dmp	asyncrat
behavioral1/memory/1640-76-0x000000000040C6FE-mapping.dmp	asyncrat
behavioral1/memory/1640-78-0x0000000000400000-0x000000000041E000-memory.dmp	asyncrat
behavioral1/memory/1640-80-0x0000000000400000-0x000000000041E000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe

description pid process target process

PID 1724 set thread context of 1640 1724 SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

992 schtasks.exe

description	pid	process	target process
PID 1724 set thread context of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe

pid	process
992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exepowershell.exepowershell.exe

pid	process
1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe
1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe
1384	powershell.exe
1380	powershell.exe
1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe
1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	1640	RegSvcs.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe

description	pid	process	target process
PID 1724 wrote to memory of 1380	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	powershell.exe
PID 1724 wrote to memory of 1380	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	powershell.exe
PID 1724 wrote to memory of 1380	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	powershell.exe
PID 1724 wrote to memory of 1380	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	powershell.exe
PID 1724 wrote to memory of 1384	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	powershell.exe
PID 1724 wrote to memory of 1384	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	powershell.exe
PID 1724 wrote to memory of 1384	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	powershell.exe
PID 1724 wrote to memory of 1384	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	powershell.exe
PID 1724 wrote to memory of 992	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	schtasks.exe
PID 1724 wrote to memory of 992	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	schtasks.exe
PID 1724 wrote to memory of 992	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	schtasks.exe
PID 1724 wrote to memory of 992	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	schtasks.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe
PID 1724 wrote to memory of 1640	1724	SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKDZ.97497.29505.12657.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rTYeHpkLYAzXn.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rTYeHpkLYAzXn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD95F.tmp"
2⤵
- Creates scheduled task(s)
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD95F.tmp
Filesize
1KB

MD5
445f5cd4fff9b3c8b192ea376081d9f8

SHA1
6f817a7b0be4585134f779d23c9b47210e96c89e

SHA256
9fb911d8f559e0367815bfb652609c1879d6421b17b7496e8fe0403f48b37e17

SHA512
ccf5886654c66bff16add324b1f2c6828b0619b251a79223ed1fa78969aa0ae74be13c5ed23b74cfebe62a47726c460a8f181d4c6c497026aa78df160a08a4ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1befcd9b839afeafa7f83930a04bd9de

SHA1
19880f44e122d4acbd86f64712cfda148679099e

SHA256
430274dc352667264854b255514ae16980e0dca40a08957c64a3dcaa42f06f7e

SHA512
c9242461ebfbfd91d3f8469852dc64867ab2f6e796f1ae7ca645018ec78d31507d6be5722da991622cab0f3897cba27bfa998328e10e1d8e79caa6fbf2778038

Download Submit
memory/992-62-0x0000000000000000-mapping.dmp

Download
memory/1380-81-0x000000006E5A0000-0x000000006EB4B000-memory.dmp

Filesize
5.7MB

Download
memory/1380-67-0x000000006E5A0000-0x000000006EB4B000-memory.dmp

Filesize
5.7MB

Download
memory/1380-59-0x0000000000000000-mapping.dmp

Download
memory/1384-82-0x000000006E5A0000-0x000000006EB4B000-memory.dmp

Filesize
5.7MB

Download
memory/1384-68-0x000000006E5A0000-0x000000006EB4B000-memory.dmp

Filesize
5.7MB

Download
memory/1384-61-0x0000000000000000-mapping.dmp

Download
memory/1640-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1640-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1640-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1640-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1640-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1640-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1640-76-0x000000000040C6FE-mapping.dmp

Download
memory/1640-75-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1724-66-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/1724-54-0x0000000000270000-0x0000000000312000-memory.dmp

Filesize
648KB

Download
memory/1724-57-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/1724-58-0x0000000005140000-0x00000000051B0000-memory.dmp

Filesize
448KB

Download
memory/1724-56-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download
memory/1724-55-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads