asyncrat | d50074d48914764b355b89e387636cfbc2d5f5daf17b8afee1490c176afccfbf

General

Target

AS000456879.exe
Size

461KB
MD5

4101ca6880258f103df2c744efda4cde
SHA1

90aed0f7474acd6321af277d6f9f81cf0674405d
SHA256

d50074d48914764b355b89e387636cfbc2d5f5daf17b8afee1490c176afccfbf
SHA512

0668bf6b23e2fde4e6f5db97cf36a05c4819c5f12744f86e6cb0f799a0fad4ceaff43d0f15fe0b3bb417fa5143ce4b25c2b71a20d1102964606ae9182a77d049
SSDEEP

3072:IfY/TU9fE9PEtuoRbtv9BAthLEMw5m4i9zgngzRtunMK1L4PQw/ihbceYSgOt:+Ya64D1Mw5mZgnqiEPv/somt

Score

10^/10

asyncrat persistence rat spyware stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1468-142-0x0000000000400000-0x0000000000423000-memory.dmp	asyncrat
behavioral2/memory/1468-144-0x0000000000400000-0x0000000000423000-memory.dmp	asyncrat
behavioral2/memory/1468-145-0x0000000000400000-0x0000000000423000-memory.dmp	asyncrat
behavioral2/memory/1468-147-0x0000000000400000-0x0000000000423000-memory.dmp	asyncrat
behavioral2/memory/1468-149-0x0000000004A60000-0x0000000004A70000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

vubdwujj.exevubdwujj.exe

pid process

2768 vubdwujj.exe
1468 vubdwujj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2768	vubdwujj.exe
1468	vubdwujj.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vubdwujj.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jfoktdyh = "C:\\Users\\Admin\\AppData\\Roaming\\pyudmirbwg\\cluqa.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\vubdwujj.exe\" C:\\Users\\Admin\\AppData\\Local\\"	vubdwujj.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vubdwujj.exe

description pid process target process

PID 2768 set thread context of 1468 2768 vubdwujj.exe vubdwujj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

vubdwujj.exe

pid process

2768 vubdwujj.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vubdwujj.exe

description pid process

Token: SeDebugPrivilege 1468 vubdwujj.exe

description	pid	process	target process
PID 2768 set thread context of 1468	2768	vubdwujj.exe	vubdwujj.exe

pid	process
2768	vubdwujj.exe

description	pid	process
Token: SeDebugPrivilege	1468	vubdwujj.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

AS000456879.exevubdwujj.exe

description	pid	process	target process
PID 4380 wrote to memory of 2768	4380	AS000456879.exe	vubdwujj.exe
PID 4380 wrote to memory of 2768	4380	AS000456879.exe	vubdwujj.exe
PID 4380 wrote to memory of 2768	4380	AS000456879.exe	vubdwujj.exe
PID 2768 wrote to memory of 1468	2768	vubdwujj.exe	vubdwujj.exe
PID 2768 wrote to memory of 1468	2768	vubdwujj.exe	vubdwujj.exe
PID 2768 wrote to memory of 1468	2768	vubdwujj.exe	vubdwujj.exe
PID 2768 wrote to memory of 1468	2768	vubdwujj.exe	vubdwujj.exe

C:\Users\Admin\AppData\Local\Temp\AS000456879.exe
"C:\Users\Admin\AppData\Local\Temp\AS000456879.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe
"C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe" C:\Users\Admin\AppData\Local\Temp\uszcl.zps
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe
"C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fobmxw.vq
Filesize
143KB

MD5
2507ba304a6d9308621410c2d36296a7

SHA1
e25523ae784746d60c47cf06eae60cf61e988050

SHA256
aab883c874ded8ea1c747f001eca69bc9a8f8349ae7ee2dfd5e910f54bfe72f8

SHA512
9ac7f6f5baf5715001faa34ec8cc655f1af87a2515ff7f93b131d965d8f93921b34abd5874a99b7a8ba064f783cd219652913724259fae846783a1a33ef016dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uszcl.zps
Filesize
7KB

MD5
0af0a947a024be23f1ca48d932eacd1e

SHA1
747ec7d3e0879017c45b911d20b90d9e7257e90d

SHA256
429576f6e3310e8f0a0033207e8c11c565c545846dc292048feec5df38a1eca2

SHA512
b9c6cdbfc1232fb290231217dea23bca16eb1db7658f19af4fad29f72b13c033f902487df8ca27d554b5f1c3f302a2bc9ef030870b5e71a80eaa1f78aa36e5dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe
Filesize
4KB

MD5
adba09c1a1bae1fca7a24748a8088b28

SHA1
1657b9e782e90e3ea7c97a0da9efde1568089d56

SHA256
9fafdf42926181bee4b0e814907d060568e9578a9ac834069638c699757f2e4b

SHA512
c4b8f329eb42bd4a6ec931366a9cf44be97f406570adf4c4e328da8e032b0b5c00f1ff638760b3183607207f4297b2dc0a818c959187040c229c716a1ee74492

Download Submit
C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe
Filesize
4KB

MD5
adba09c1a1bae1fca7a24748a8088b28

SHA1
1657b9e782e90e3ea7c97a0da9efde1568089d56

SHA256
9fafdf42926181bee4b0e814907d060568e9578a9ac834069638c699757f2e4b

SHA512
c4b8f329eb42bd4a6ec931366a9cf44be97f406570adf4c4e328da8e032b0b5c00f1ff638760b3183607207f4297b2dc0a818c959187040c229c716a1ee74492

Download Submit
C:\Users\Admin\AppData\Local\Temp\vubdwujj.exe
Filesize
4KB

MD5
adba09c1a1bae1fca7a24748a8088b28

SHA1
1657b9e782e90e3ea7c97a0da9efde1568089d56

SHA256
9fafdf42926181bee4b0e814907d060568e9578a9ac834069638c699757f2e4b

SHA512
c4b8f329eb42bd4a6ec931366a9cf44be97f406570adf4c4e328da8e032b0b5c00f1ff638760b3183607207f4297b2dc0a818c959187040c229c716a1ee74492

Download Submit
memory/1468-149-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1468-151-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

Filesize
624KB

Download
memory/1468-145-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1468-147-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1468-148-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1468-142-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1468-150-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1468-144-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1468-152-0x0000000004F90000-0x0000000005534000-memory.dmp

Filesize
5.6MB

Download
memory/1468-153-0x0000000005580000-0x00000000055E6000-memory.dmp

Filesize
408KB

Download
memory/1468-157-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1468-156-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1468-155-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1468-158-0x0000000006170000-0x00000000061E6000-memory.dmp

Filesize
472KB

Download
memory/1468-159-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/1468-160-0x0000000006260000-0x000000000627E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads