asyncrat | 48c368d7fdacb97f86acb10aee2115276ad56c7e8b470875f641cfdf0303a5fa

General

Target

c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe
Size

1.9MB
MD5

171da24c24a495819291b45e99f2cb0e
SHA1

6483d9c80da93eea0e84516e371c91336eaef681
SHA256

48c368d7fdacb97f86acb10aee2115276ad56c7e8b470875f641cfdf0303a5fa
SHA512

33779da0ecea8bfe19b7ec610b6297aed5e58e41ab367e54994d23a02d8ddb15d184a9535b4c20a0291f72252a60a60d8d4c8811ab37c0f5c84b85ec48961365
SSDEEP

49152:qbIkVpX0sZ2XrYKSGsWm8JCdybPsaDGlI1f+ROJEnJoi36HNqbeqxq:xNqbJxq

Score

10^/10

asyncrat game rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Game

C2

84.54.50.51:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1412-151-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

printui.exe

pid process

5108 printui.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
5108	printui.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe

description	pid	process	target process
PID 2744 set thread context of 1412	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 1412 RegSvcs.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe

pid process

2744 c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe

description	pid	process
Token: SeDebugPrivilege	1412	RegSvcs.exe

pid	process
2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.execmd.exe

description	pid	process	target process
PID 2744 wrote to memory of 3816	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	cmd.exe
PID 2744 wrote to memory of 3816	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	cmd.exe
PID 2744 wrote to memory of 3816	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	cmd.exe
PID 3816 wrote to memory of 5108	3816	cmd.exe	printui.exe
PID 3816 wrote to memory of 5108	3816	cmd.exe	printui.exe
PID 2744 wrote to memory of 1412	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	RegSvcs.exe
PID 2744 wrote to memory of 1412	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	RegSvcs.exe
PID 2744 wrote to memory of 1412	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	RegSvcs.exe
PID 2744 wrote to memory of 1412	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	RegSvcs.exe
PID 2744 wrote to memory of 1412	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	RegSvcs.exe
PID 2744 wrote to memory of 1412	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	RegSvcs.exe
PID 2744 wrote to memory of 1412	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	RegSvcs.exe
PID 2744 wrote to memory of 1412	2744	c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe
"C:\Users\Admin\AppData\Local\Temp\c90ba430608e000e7b270f5b5157111ee4760fce3269084b5f2b46efd48cf577.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows \System32\ex.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows \System32\printui.exe
"C:\Windows \System32\printui.exe"
3⤵
- Executes dropped EXE
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

1

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows \System32\ex.bat
Filesize
49B

MD5
544314fad7b74a93139a263de3a250d8

SHA1
79e2b93d4f847f61ccd4831df1dcd3d2a1b4ef0a

SHA256
b74d0dc9c867a70c050b2e23758b197c613c588a6403f7410fe87b30f37eb436

SHA512
458bb62f3ce779a963925b7beaba78c025c87ca801b84315680fb99ea23e6bdba12564ae7015baeda7eca14757a7c4bf290dd369735faa8f42d3b54cbb4b6fa0

Download Submit
C:\Windows \System32\printui.dll
Filesize
273B

MD5
155988aa2458161ea2bd16dff43b2adf

SHA1
ff1393e60f1cceba93809e3e406d5114ca42c5a1

SHA256
66b2d583001907dd0ef0f636e06dc9102c1306595c2d2af50e674bad9f6616da

SHA512
56a1a8c747d109aab5582027368d01590613b564e8e8eddc49f6d76b3f37bfdcf171ba5c7eaa7b8b4b24634afa85adec998df059bfc9fb9e49133fa6af49b378

Download Submit
C:\Windows \System32\printui.exe
Filesize
62KB

MD5
2fc3530f3e05667f8240fc77f7486e7e

SHA1
c52cc219886f29e5076ced98d6483e28fc5cc3e0

SHA256
ac75af591c08442ea453eb92f6344e930585d912894e9323db922bcd9edf4cd1

SHA512
ef78de6a114885b55806323f09d8bc24609966d29a31c2a5ae6ad93d1f0d584d29418ba76ca2f235ed30ad8ae2c91f552c15487c559e0411e978d397c82f7046

Download Submit
memory/1412-151-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1412-152-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/1412-153-0x0000000005CF0000-0x0000000005D8C000-memory.dmp

Filesize
624KB

Download
memory/1412-154-0x0000000006340000-0x00000000068E4000-memory.dmp

Filesize
5.6MB

Download
memory/1412-155-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/1412-156-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads