asyncrat | 5d318ad1fa11ca3660fe35faff0e0aaef8acd820e01cdd5ee7305c30314f5303

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2023, 05:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vnd Vietcombankpdf.exe
Size

164KB
MD5

17a37bf8286737da1e6b94f8094ca1c1
SHA1

4c926d254cdc3bc5f243f97b5602cbae2d9669a5
SHA256

5d318ad1fa11ca3660fe35faff0e0aaef8acd820e01cdd5ee7305c30314f5303
SHA512

66c3ba7121ed0485fb9dbef897f15baf2920575aec6e3d3b773ca36052b09217df277a7127c6e907241d62f0c239f1099c5e43ad3c811c84f5323d2e1d9357ca
SSDEEP

3072:XfY/TU9fE9PEtuAbx1qh8nA7Yg75h/zu3GOFkqqymeiy5wt8biswBM6GZ7wzG48:PYa6cxchIAR5h/zLak+mPtIisW8gV8

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1172-141-0x0000000000400000-0x0000000000423000-memory.dmp	asyncrat
behavioral2/memory/1172-142-0x0000000000400000-0x0000000000423000-memory.dmp	asyncrat
behavioral2/memory/1172-143-0x0000000000400000-0x0000000000423000-memory.dmp	asyncrat
behavioral2/memory/1172-144-0x0000000000400000-0x0000000000423000-memory.dmp	asyncrat

Loads dropped DLL 1 IoCs

pid	Process
544	Vnd Vietcombankpdf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oxhcclhhqa = "C:\\Users\\Admin\\AppData\\Roaming\\mvrrbkkgp\\pyuueajjso.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Vnd Vietcombankpdf.exe\""	Vnd Vietcombankpdf.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 544 set thread context of 1172	544	Vnd Vietcombankpdf.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
544	Vnd Vietcombankpdf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	Vnd Vietcombankpdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1172	544	Vnd Vietcombankpdf.exe	83
PID 544 wrote to memory of 1172	544	Vnd Vietcombankpdf.exe	83
PID 544 wrote to memory of 1172	544	Vnd Vietcombankpdf.exe	83
PID 544 wrote to memory of 1172	544	Vnd Vietcombankpdf.exe	83

C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe
"C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Vnd Vietcombankpdf.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsc73CF.tmp\smjrtvd.dll

Filesize
4KB

MD5
e39081d0a073b0aa576cb5b2571b2a1b

SHA1
da726c1269d8b7127dcb77f95d44e63b597b0bc6

SHA256
467a142e9aee7798d20ce3d3339fb04a49a4c219c9795d4a69ef0def1000069b

SHA512
03f642399b5da14556e741217e5b10070ca03e5f4135127cb886f8b8835290c89aa95638f7974b8796f0f867937c1953b2d3a8e80d56fbb6276ba70fd8cb383a

Download Submit
memory/544-139-0x0000000000B30000-0x0000000000B32000-memory.dmp

Filesize
8KB

Download
memory/1172-141-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1172-142-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1172-143-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1172-144-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1172-145-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/1172-146-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/1172-147-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/1172-148-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/1172-151-0x00000000052C0000-0x000000000535C000-memory.dmp

Filesize
624KB

Download
memory/1172-152-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/1172-153-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/1172-155-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/1172-156-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/1172-157-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/1172-158-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download