asyncrat | 2930da605db0ec3fcc6ddfe2b54808fdc417ccedfe1faa9dc3c1d2c69d401a0b

General

Target

0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
Size

45KB
MD5

3b7f9dcb3b83acf40f32d5f7c500fefb
SHA1

08195d91e8e187c4edfb03e3fa6784524481802a
SHA256

0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777
SHA512

daa05b7159d649dcb9e7c07c010b777daee79df18c0fb0d60364e942282dc1f1d63b9c0b1929f8217000e63c3526b7464133c08e42e21be392337e4c3724fad1
SSDEEP

768:vuK49TH4EjZWUR+ejmo2qrL/ot3APIPzjbogX3a7bsaN3KnVABDZXx:vuK49THf520s3lP3b/XKUaN3CWdXx

Score

10^/10

asyncrat christ2 rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Christ2

C2

dlusercontent.net:4444

Mutex

3048tui grwj0grw08

Attributes

delay
3
install
true
install_file
windllx.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1232-54-0x00000000002D0000-0x00000000002E2000-memory.dmp	asyncrat
behavioral1/files/0x000a0000000122f9-65.dat	asyncrat
behavioral1/files/0x000a0000000122f9-66.dat	asyncrat
behavioral1/files/0x000a0000000122f9-67.dat	asyncrat
behavioral1/memory/616-68-0x0000000001220000-0x0000000001232000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
616	windllx.exe

Loads dropped DLL 1 IoCs

pid	Process
284	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1148	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1456	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1232	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
Token: SeDebugPrivilege	616	windllx.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 920	1232	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	28
PID 1232 wrote to memory of 920	1232	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	28
PID 1232 wrote to memory of 920	1232	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	28
PID 1232 wrote to memory of 920	1232	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	28
PID 1232 wrote to memory of 284	1232	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	30
PID 1232 wrote to memory of 284	1232	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	30
PID 1232 wrote to memory of 284	1232	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	30
PID 1232 wrote to memory of 284	1232	0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe	30
PID 284 wrote to memory of 1456	284	cmd.exe	32
PID 284 wrote to memory of 1456	284	cmd.exe	32
PID 284 wrote to memory of 1456	284	cmd.exe	32
PID 284 wrote to memory of 1456	284	cmd.exe	32
PID 920 wrote to memory of 1148	920	cmd.exe	33
PID 920 wrote to memory of 1148	920	cmd.exe	33
PID 920 wrote to memory of 1148	920	cmd.exe	33
PID 920 wrote to memory of 1148	920	cmd.exe	33
PID 284 wrote to memory of 616	284	cmd.exe	34
PID 284 wrote to memory of 616	284	cmd.exe	34
PID 284 wrote to memory of 616	284	cmd.exe	34
PID 284 wrote to memory of 616	284	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe
"C:\Users\Admin\AppData\Local\Temp\0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "windllx" /tr '"C:\Users\Admin\AppData\Roaming\windllx.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "windllx" /tr '"C:\Users\Admin\AppData\Roaming\windllx.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1B10.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1456
- - C:\Users\Admin\AppData\Roaming\windllx.exe
    "C:\Users\Admin\AppData\Roaming\windllx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1B10.tmp.bat

Filesize
151B

MD5
a98d396028d454cb79ae47ee95195bab

SHA1
64e0644f6d39a4b51617b969cfee3dda8505cae7

SHA256
c7f697a0acdb12fb77a7de1c1b821a4fd02f08006c091bbacb3a3f3f5edab6a3

SHA512
aa86de826566d15f1f11445de08e12e3a0c5eda141b98112874881af29194c29e088eb68b787336ce9aecf0e6c34a8911d4861ba5b992371f56cedb4d32aac7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1B10.tmp.bat

Filesize
151B

MD5
a98d396028d454cb79ae47ee95195bab

SHA1
64e0644f6d39a4b51617b969cfee3dda8505cae7

SHA256
c7f697a0acdb12fb77a7de1c1b821a4fd02f08006c091bbacb3a3f3f5edab6a3

SHA512
aa86de826566d15f1f11445de08e12e3a0c5eda141b98112874881af29194c29e088eb68b787336ce9aecf0e6c34a8911d4861ba5b992371f56cedb4d32aac7c

Download Submit
C:\Users\Admin\AppData\Roaming\windllx.exe

Filesize
45KB

MD5
3b7f9dcb3b83acf40f32d5f7c500fefb

SHA1
08195d91e8e187c4edfb03e3fa6784524481802a

SHA256
0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777

SHA512
daa05b7159d649dcb9e7c07c010b777daee79df18c0fb0d60364e942282dc1f1d63b9c0b1929f8217000e63c3526b7464133c08e42e21be392337e4c3724fad1

Download Submit
C:\Users\Admin\AppData\Roaming\windllx.exe

Filesize
45KB

MD5
3b7f9dcb3b83acf40f32d5f7c500fefb

SHA1
08195d91e8e187c4edfb03e3fa6784524481802a

SHA256
0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777

SHA512
daa05b7159d649dcb9e7c07c010b777daee79df18c0fb0d60364e942282dc1f1d63b9c0b1929f8217000e63c3526b7464133c08e42e21be392337e4c3724fad1

Download Submit
\Users\Admin\AppData\Roaming\windllx.exe

Filesize
45KB

MD5
3b7f9dcb3b83acf40f32d5f7c500fefb

SHA1
08195d91e8e187c4edfb03e3fa6784524481802a

SHA256
0c6b9d6c37b17c04112ce5b33b8b7770c483cb70b1e28f66d06d1bbf8384c777

SHA512
daa05b7159d649dcb9e7c07c010b777daee79df18c0fb0d60364e942282dc1f1d63b9c0b1929f8217000e63c3526b7464133c08e42e21be392337e4c3724fad1

Download Submit
memory/616-68-0x0000000001220000-0x0000000001232000-memory.dmp

Filesize
72KB

Download
memory/616-69-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/616-70-0x00000000003F0000-0x0000000000430000-memory.dmp

Filesize
256KB

Download
memory/1232-54-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1232-55-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads