asyncrat | e09a35ac6c37f4807daf1dcfeb8e2f1fa78003cf1b48b942152ad54152ed2ae6

Analysis

max time kernel
190s
max time network
228s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2023 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e51beeef2a2539ff8ef9e4bf7ffdf002.exe
Size

19.8MB
MD5

e51beeef2a2539ff8ef9e4bf7ffdf002
SHA1

fb7435fcbe78d1e50364db3bc527a7e394a3cc71
SHA256

e09a35ac6c37f4807daf1dcfeb8e2f1fa78003cf1b48b942152ad54152ed2ae6
SHA512

363417b1fb3a4fd12267190cde711366b287def6d00a9ceda33f0f71c88c3500ed57553772f10880edef23eb4733c36c009d07fcf1eb775a5a684ce3f6c47d4b
SSDEEP

6144:7fQTkfGlJz/us5e2jKFFRavrXQ1SHbboDr21dP:7fQTkfsJL9aS7sfu

Score

10^/10

asyncrat munabc rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

MunaBC

piddix.duckdns.org:4449

Mutex

muna123456789

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3720-139-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

pid	Process
3880	teamviewer.exe
3788	teamviewer.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3580 set thread context of 3720	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	81
PID 3880 set thread context of 1576	3880	teamviewer.exe	93
PID 3788 set thread context of 3468	3788	teamviewer.exe	105

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4048	schtasks.exe
4140	schtasks.exe
4888	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	AppLaunch.exe
Token: SeDebugPrivilege	1576	AppLaunch.exe
Token: SeDebugPrivilege	3468	AppLaunch.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 3720	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	81
PID 3580 wrote to memory of 3720	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	81
PID 3580 wrote to memory of 3720	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	81
PID 3580 wrote to memory of 3720	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	81
PID 3580 wrote to memory of 3720	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	81
PID 3580 wrote to memory of 3720	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	81
PID 3580 wrote to memory of 3720	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	81
PID 3580 wrote to memory of 3720	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	81
PID 3580 wrote to memory of 2316	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	82
PID 3580 wrote to memory of 2316	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	82
PID 3580 wrote to memory of 2316	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	82
PID 3580 wrote to memory of 4928	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	84
PID 3580 wrote to memory of 4928	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	84
PID 3580 wrote to memory of 4928	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	84
PID 3580 wrote to memory of 1180	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	86
PID 3580 wrote to memory of 1180	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	86
PID 3580 wrote to memory of 1180	3580	e51beeef2a2539ff8ef9e4bf7ffdf002.exe	86
PID 4928 wrote to memory of 4048	4928	cmd.exe	88
PID 4928 wrote to memory of 4048	4928	cmd.exe	88
PID 4928 wrote to memory of 4048	4928	cmd.exe	88
PID 3880 wrote to memory of 1576	3880	teamviewer.exe	93
PID 3880 wrote to memory of 1576	3880	teamviewer.exe	93
PID 3880 wrote to memory of 1576	3880	teamviewer.exe	93
PID 3880 wrote to memory of 1576	3880	teamviewer.exe	93
PID 3880 wrote to memory of 1576	3880	teamviewer.exe	93
PID 3880 wrote to memory of 1576	3880	teamviewer.exe	93
PID 3880 wrote to memory of 1576	3880	teamviewer.exe	93
PID 3880 wrote to memory of 1576	3880	teamviewer.exe	93
PID 3880 wrote to memory of 4100	3880	teamviewer.exe	92
PID 3880 wrote to memory of 4100	3880	teamviewer.exe	92
PID 3880 wrote to memory of 4100	3880	teamviewer.exe	92
PID 3880 wrote to memory of 4276	3880	teamviewer.exe	94
PID 3880 wrote to memory of 4276	3880	teamviewer.exe	94
PID 3880 wrote to memory of 4276	3880	teamviewer.exe	94
PID 3880 wrote to memory of 1320	3880	teamviewer.exe	95
PID 3880 wrote to memory of 1320	3880	teamviewer.exe	95
PID 3880 wrote to memory of 1320	3880	teamviewer.exe	95
PID 4276 wrote to memory of 4140	4276	cmd.exe	100
PID 4276 wrote to memory of 4140	4276	cmd.exe	100
PID 4276 wrote to memory of 4140	4276	cmd.exe	100
PID 3788 wrote to memory of 3468	3788	teamviewer.exe	105
PID 3788 wrote to memory of 3468	3788	teamviewer.exe	105
PID 3788 wrote to memory of 3468	3788	teamviewer.exe	105
PID 3788 wrote to memory of 3468	3788	teamviewer.exe	105
PID 3788 wrote to memory of 3468	3788	teamviewer.exe	105
PID 3788 wrote to memory of 3468	3788	teamviewer.exe	105
PID 3788 wrote to memory of 3468	3788	teamviewer.exe	105
PID 3788 wrote to memory of 3468	3788	teamviewer.exe	105
PID 3788 wrote to memory of 4916	3788	teamviewer.exe	106
PID 3788 wrote to memory of 4916	3788	teamviewer.exe	106
PID 3788 wrote to memory of 4916	3788	teamviewer.exe	106
PID 3788 wrote to memory of 2324	3788	teamviewer.exe	107
PID 3788 wrote to memory of 2324	3788	teamviewer.exe	107
PID 3788 wrote to memory of 2324	3788	teamviewer.exe	107
PID 3788 wrote to memory of 2272	3788	teamviewer.exe	109
PID 3788 wrote to memory of 2272	3788	teamviewer.exe	109
PID 3788 wrote to memory of 2272	3788	teamviewer.exe	109
PID 2324 wrote to memory of 4888	2324	cmd.exe	112
PID 2324 wrote to memory of 4888	2324	cmd.exe	112
PID 2324 wrote to memory of 4888	2324	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\e51beeef2a2539ff8ef9e4bf7ffdf002.exe
"C:\Users\Admin\AppData\Local\Temp\e51beeef2a2539ff8ef9e4bf7ffdf002.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\teamviewer"
  2⤵
  PID:2316
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4048
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\e51beeef2a2539ff8ef9e4bf7ffdf002.exe" "C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe"
  2⤵
  PID:1180

C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe
C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\teamviewer"
  2⤵
  PID:4100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4140
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe" "C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe"
  2⤵
  PID:1320

C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe
C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3468
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\teamviewer"
  2⤵
  PID:4916
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4888
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe" "C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe"
  2⤵
  PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\teamviewer.exe.log

Filesize
897B

MD5
92f4b6f7507c9eb3dbe9607784be9c61

SHA1
57384ce9fa9a49439e167d30bef026723cb4b0ea

SHA256
e7f5401d055e47d8f8e2ade1f1040f7a4c432a5ec7744998def48f7b737f8fad

SHA512
3653ae4c5ecb219756af2accb58a3b414a688e63f421695abe2d4cc9893ee66b657bc554e0b3d62e7b7663262875124aa30d24e067f2d9f232ae1877dd199a52

Download Submit
C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe

Filesize
19.8MB

MD5
e51beeef2a2539ff8ef9e4bf7ffdf002

SHA1
fb7435fcbe78d1e50364db3bc527a7e394a3cc71

SHA256
e09a35ac6c37f4807daf1dcfeb8e2f1fa78003cf1b48b942152ad54152ed2ae6

SHA512
363417b1fb3a4fd12267190cde711366b287def6d00a9ceda33f0f71c88c3500ed57553772f10880edef23eb4733c36c009d07fcf1eb775a5a684ce3f6c47d4b

Download Submit
C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe

Filesize
19.8MB

MD5
e51beeef2a2539ff8ef9e4bf7ffdf002

SHA1
fb7435fcbe78d1e50364db3bc527a7e394a3cc71

SHA256
e09a35ac6c37f4807daf1dcfeb8e2f1fa78003cf1b48b942152ad54152ed2ae6

SHA512
363417b1fb3a4fd12267190cde711366b287def6d00a9ceda33f0f71c88c3500ed57553772f10880edef23eb4733c36c009d07fcf1eb775a5a684ce3f6c47d4b

Download Submit
C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe

Filesize
19.8MB

MD5
e51beeef2a2539ff8ef9e4bf7ffdf002

SHA1
fb7435fcbe78d1e50364db3bc527a7e394a3cc71

SHA256
e09a35ac6c37f4807daf1dcfeb8e2f1fa78003cf1b48b942152ad54152ed2ae6

SHA512
363417b1fb3a4fd12267190cde711366b287def6d00a9ceda33f0f71c88c3500ed57553772f10880edef23eb4733c36c009d07fcf1eb775a5a684ce3f6c47d4b

Download Submit
memory/1576-150-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/3468-157-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/3580-137-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/3580-138-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/3580-133-0x00000000002B0000-0x0000000000332000-memory.dmp

Filesize
520KB

Download
memory/3580-136-0x0000000004DE0000-0x0000000004E46000-memory.dmp

Filesize
408KB

Download
memory/3580-135-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download
memory/3580-134-0x0000000005410000-0x00000000059B4000-memory.dmp

Filesize
5.6MB

Download
memory/3720-144-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/3720-143-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/3720-139-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3788-154-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3880-147-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads