Analysis

  • max time kernel
    143s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/04/2023, 17:25

General

  • Target

    AsyncRat.exe

  • Size

    2.6MB

  • MD5

    c210607e74baffc542110c60378fb034

  • SHA1

    73aa5dfa9a796fc8adc83ddb82375e17ccab28c0

  • SHA256

    95bab70aa35fa3b403de445c883dcaa84998690ffb54d3a8f9d25a19e5e36f42

  • SHA512

    6d5c9019728af047a0e904c7d12a7db8af34b00ac289a279af937be47aa38fab077571315b15ae13bc68f8e17bfcd6ae5d779bb988e5887fe8cbbde0e9c50376

  • SSDEEP

    24576:HUIog50eJ8FmTPCeZ6FW0dHnulKtu1Dze6HDpLtllJz8+iTODtMm8VyRbNvvLDAi:H3b8FmTGmd2OxSHxoZdMK7ajwVwg

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

15.235.130.74:6606

15.235.130.74:7707

15.235.130.74:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
    "C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe"
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1556
    • C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
      C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
      PID:4944
    • C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
      C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
      PID:1320
    • C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
      C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
      PID:4864

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AsyncRat.exe.log

    Filesize

    1KB

    MD5

    07dff301593b27ca4a2f0aedecd8eab8

    SHA1

    443544108040876b5c291090d6f9a5ff231b8180

    SHA256

    99e3f1c991f3d56f3d3d504ac80f0a1c995ef7a983a425b6701e743f455cf83c

    SHA512

    45bbd2963b6855e8840e43b66f0fc7ea91216c5bd7652a90b0c3db31bded2cdb23713a079231170464b1cd02252f3dd7633efc703e1a2b42e1e2bb4f8102c052

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4ywawbd.yjz.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1556-151-0x0000000005CE0000-0x0000000005CFE000-memory.dmp

    Filesize

    120KB

  • memory/1556-152-0x0000000004A30000-0x0000000004A40000-memory.dmp

    Filesize

    64KB

  • memory/1556-137-0x0000000005070000-0x0000000005698000-memory.dmp

    Filesize

    6.2MB

  • memory/1556-138-0x0000000004A30000-0x0000000004A40000-memory.dmp

    Filesize

    64KB

  • memory/1556-139-0x0000000004A30000-0x0000000004A40000-memory.dmp

    Filesize

    64KB

  • memory/1556-140-0x0000000004FB0000-0x0000000005016000-memory.dmp

    Filesize

    408KB

  • memory/1556-141-0x0000000005710000-0x0000000005776000-memory.dmp

    Filesize

    408KB

  • memory/1556-158-0x0000000004A30000-0x0000000004A40000-memory.dmp

    Filesize

    64KB

  • memory/1556-157-0x0000000004A30000-0x0000000004A40000-memory.dmp

    Filesize

    64KB

  • memory/1556-136-0x00000000023E0000-0x0000000002416000-memory.dmp

    Filesize

    216KB

  • memory/1556-153-0x0000000007320000-0x000000000799A000-memory.dmp

    Filesize

    6.5MB

  • memory/1556-154-0x00000000061E0000-0x00000000061FA000-memory.dmp

    Filesize

    104KB

  • memory/1556-156-0x0000000004A30000-0x0000000004A40000-memory.dmp

    Filesize

    64KB

  • memory/4864-162-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

  • memory/4864-165-0x0000000005160000-0x0000000005170000-memory.dmp

    Filesize

    64KB

  • memory/4864-166-0x0000000005160000-0x0000000005170000-memory.dmp

    Filesize

    64KB

  • memory/5040-155-0x00000000029F0000-0x0000000002A00000-memory.dmp

    Filesize

    64KB

  • memory/5040-133-0x0000000000310000-0x00000000005BC000-memory.dmp

    Filesize

    2.7MB

  • memory/5040-135-0x0000000005730000-0x0000000005752000-memory.dmp

    Filesize

    136KB

  • memory/5040-134-0x00000000029F0000-0x0000000002A00000-memory.dmp

    Filesize

    64KB