asyncrat | 38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612

General

Target

38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe
Size

519KB
MD5

99d1d1a753ded2c46de75059bc9f27ce
SHA1

6b71e8875664df78b52d741756671549993cc79c
SHA256

38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612
SHA512

15c58058a531460712aa00e684d1025f3f86084719e85a331d824229cf059fc55ef972e24a9c391a1193d123cacab3fd92c59c934d070a0c8525d44b0e784409
SSDEEP

12288:2ToPWBv/cpGrU3yVtX+t4VjxjCY0RNdA4k5TuuxrGn:2TbBv5rUyXVj10/dAN5KudO

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

eiviqnxpqs

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe	asyncrat
behavioral2/memory/4952-156-0x0000000000CE0000-0x0000000000CF2000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exetamer.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	tamer.sfx.exe

Executes dropped EXE 2 IoCs

Processes:

tamer.sfx.exetamer.exe

pid process

2700 tamer.sfx.exe
4952 tamer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tamer.exe

pid process

4952 tamer.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tamer.exe

description pid process

Token: SeDebugPrivilege 4952 tamer.exe

pid	process
2700	tamer.sfx.exe
4952	tamer.exe

pid	process
4952	tamer.exe

description	pid	process
Token: SeDebugPrivilege	4952	tamer.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exetamer.sfx.exe

description	pid	process	target process
PID 2220 wrote to memory of 2700	2220	38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe	tamer.sfx.exe
PID 2220 wrote to memory of 2700	2220	38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe	tamer.sfx.exe
PID 2220 wrote to memory of 2700	2220	38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe	tamer.sfx.exe
PID 2700 wrote to memory of 4952	2700	tamer.sfx.exe	tamer.exe
PID 2700 wrote to memory of 4952	2700	tamer.sfx.exe	tamer.exe

C:\Users\Admin\AppData\Local\Temp\38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe
"C:\Users\Admin\AppData\Local\Temp\38ea07deea1266829ec35c3e8c5cac83686e5efac1727405dd2c7361ae47e612.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tamer.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tamer.sfx.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\tamer.sfx.exe
Filesize
349KB

MD5
6f037981df7ed239e5f6b138a14ecbb3

SHA1
d97bc2f25642e576b464f732e6518563b44fea1d

SHA256
8ec5ba9c65b748ba6ccdcbc63286f2a54c5bc3de241a7d3ab1b32d6664b01899

SHA512
35384d7a6e7056aa6569134756e927322cb9806ba1e3613cc97e75f50b84ad27fa1bbb2251390188e5525436d083b1d239712fac8fd1491863967c7857770198

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tamer.sfx.exe
Filesize
349KB

MD5
6f037981df7ed239e5f6b138a14ecbb3

SHA1
d97bc2f25642e576b464f732e6518563b44fea1d

SHA256
8ec5ba9c65b748ba6ccdcbc63286f2a54c5bc3de241a7d3ab1b32d6664b01899

SHA512
35384d7a6e7056aa6569134756e927322cb9806ba1e3613cc97e75f50b84ad27fa1bbb2251390188e5525436d083b1d239712fac8fd1491863967c7857770198

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tamer.sfx.exe
Filesize
349KB

MD5
6f037981df7ed239e5f6b138a14ecbb3

SHA1
d97bc2f25642e576b464f732e6518563b44fea1d

SHA256
8ec5ba9c65b748ba6ccdcbc63286f2a54c5bc3de241a7d3ab1b32d6664b01899

SHA512
35384d7a6e7056aa6569134756e927322cb9806ba1e3613cc97e75f50b84ad27fa1bbb2251390188e5525436d083b1d239712fac8fd1491863967c7857770198

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe
Filesize
46KB

MD5
a89bf20ec8b14beced21c9795063ff5d

SHA1
7fa675d4e3d120039a8325367c5935f3727aeddf

SHA256
c09e0e10bc6053236b158d615f387447f6af4a8658bcd25a8bf37f56b5d9a2ae

SHA512
f2b6441232352bc796a0d56e1d88db24cfe9afaef1d0a39c311991f4ee5d3a17283c41b6bf1cda2b4d395d045fa5e518a447eb660f2fe6005d15ab00c80c5142

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe
Filesize
46KB

MD5
a89bf20ec8b14beced21c9795063ff5d

SHA1
7fa675d4e3d120039a8325367c5935f3727aeddf

SHA256
c09e0e10bc6053236b158d615f387447f6af4a8658bcd25a8bf37f56b5d9a2ae

SHA512
f2b6441232352bc796a0d56e1d88db24cfe9afaef1d0a39c311991f4ee5d3a17283c41b6bf1cda2b4d395d045fa5e518a447eb660f2fe6005d15ab00c80c5142

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\tamer.exe
Filesize
46KB

MD5
a89bf20ec8b14beced21c9795063ff5d

SHA1
7fa675d4e3d120039a8325367c5935f3727aeddf

SHA256
c09e0e10bc6053236b158d615f387447f6af4a8658bcd25a8bf37f56b5d9a2ae

SHA512
f2b6441232352bc796a0d56e1d88db24cfe9afaef1d0a39c311991f4ee5d3a17283c41b6bf1cda2b4d395d045fa5e518a447eb660f2fe6005d15ab00c80c5142

Download Submit
memory/4952-156-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

Filesize
72KB

Download
memory/4952-157-0x000000001C630000-0x000000001C640000-memory.dmp

Filesize
64KB

Download
memory/4952-158-0x000000001C630000-0x000000001C640000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads