Analysis
- max time kernel: 143s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 26/04/2023, 17:25
Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: AsyncRat.exe
- Resource: win7-20230220-en
- 7 signatures
- 150 seconds
General
- Target: AsyncRat.exe
- Size: 2.6MB
- MD5: c210607e74baffc542110c60378fb034
- SHA1: 73aa5dfa9a796fc8adc83ddb82375e17ccab28c0
- SHA256: 95bab70aa35fa3b403de445c883dcaa84998690ffb54d3a8f9d25a19e5e36f42
- SHA512: 6d5c9019728af047a0e904c7d12a7db8af34b00ac289a279af937be47aa38fab077571315b15ae13bc68f8e17bfcd6ae5d779bb988e5887fe8cbbde0e9c50376
- SSDEEP: 24576:HUIog50eJ8FmTPCeZ6FW0dHnulKtu1Dze6HDpLtllJz8+iTODtMm8VyRbNvvLDAi:H3b8FmTGmd2OxSHxoZdMK7ajwVwg
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7B
- Botnet: Default
- C2:
  15.235.130.74:6606
  15.235.130.74:7707
  15.235.130.74:8808
- Mutex: AsyncMutex_6SI8OkPnk
- Attributes:
  delay: 3
  install: false
  install_folder: %AppData%
  aes.plain
Signatures
- Async RAT payload (7 IoCs)
  resource | yara_rule
  behavioral1/memory/1428-67-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/1428-66-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/1428-69-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/1428-71-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/1428-73-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/1428-74-0x0000000004F90000-0x0000000004FD0000-memory.dmp | asyncrat
  behavioral1/memory/1428-75-0x0000000004F90000-0x0000000004FD0000-memory.dmp | asyncrat
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1148 set thread context of 1428 | 1148 | AsyncRat.exe | 31
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  868 | powershell.exe
  1148 | AsyncRat.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 868 | powershell.exe
  Token: SeDebugPrivilege | 1148 | AsyncRat.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | Process | procid_target
  PID 1148 wrote to memory of 868 | 1148 | AsyncRat.exe | 28
  PID 1148 wrote to memory of 868 | 1148 | AsyncRat.exe | 28
  PID 1148 wrote to memory of 868 | 1148 | AsyncRat.exe | 28
  PID 1148 wrote to memory of 868 | 1148 | AsyncRat.exe | 28
  PID 1148 wrote to memory of 520 | 1148 | AsyncRat.exe | 30
  PID 1148 wrote to memory of 520 | 1148 | AsyncRat.exe | 30
  PID 1148 wrote to memory of 520 | 1148 | AsyncRat.exe | 30
  PID 1148 wrote to memory of 520 | 1148 | AsyncRat.exe | 30
  PID 1148 wrote to memory of 1428 | 1148 | AsyncRat.exe | 31
  PID 1148 wrote to memory of 1428 | 1148 | AsyncRat.exe | 31
  PID 1148 wrote to memory of 1428 | 1148 | AsyncRat.exe | 31
  PID 1148 wrote to memory of 1428 | 1148 | AsyncRat.exe | 31
  PID 1148 wrote to memory of 1428 | 1148 | AsyncRat.exe | 31
  PID 1148 wrote to memory of 1428 | 1148 | AsyncRat.exe | 31
  PID 1148 wrote to memory of 1428 | 1148 | AsyncRat.exe | 31
  PID 1148 wrote to memory of 1428 | 1148 | AsyncRat.exe | 31
  PID 1148 wrote to memory of 1428 | 1148 | AsyncRat.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe (PID 1148, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 868, level 2, child of 1148)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    The -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 20
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe (PID 520, level 2, child of 1148)
    Command line: C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
  - C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe (PID 1428, level 2, child of 1148)
    Command line: C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe