asyncrat | 322fc6cd95736358b1034043b92ff96ce8caeb1f3fd93a9ebfc276c237fd7634

Analysis

max time kernel
28s
max time network
32s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
15/05/2023, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NVIDIA Container.exe
Size

68KB
MD5

fe1fb35eb4bd25f55a4f45b818de2c9f
SHA1

8a188fb0cedcbc7920e13ee47a7f9f127057aaa4
SHA256

322fc6cd95736358b1034043b92ff96ce8caeb1f3fd93a9ebfc276c237fd7634
SHA512

93387da7197b270c88f42002efec3ea93257595f15757cc7e153fd12dabcea5f4ac62234a01234aca0135e73c430c8863aa73ca485f209f579798a90bb2ff139
SSDEEP

1536:mJM1Tn8I8Q7vIh5wp0OP/iEGbbCw+KmL1GeyEoR+VclN:mJM1Tn8I8Q7e5wp0+/PGbbCBKmLyJkY

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

discordmod.duckdns.org:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
true
install_file
NVIDIA Container.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4028-121-0x0000000000710000-0x0000000000728000-memory.dmp	asyncrat

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4372	4028	WerFault.exe	65

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4028	NVIDIA Container.exe
Token: SeSecurityPrivilege	4028	NVIDIA Container.exe
Token: SeTakeOwnershipPrivilege	4028	NVIDIA Container.exe
Token: SeLoadDriverPrivilege	4028	NVIDIA Container.exe
Token: SeSystemProfilePrivilege	4028	NVIDIA Container.exe
Token: SeSystemtimePrivilege	4028	NVIDIA Container.exe
Token: SeProfSingleProcessPrivilege	4028	NVIDIA Container.exe
Token: SeIncBasePriorityPrivilege	4028	NVIDIA Container.exe
Token: SeCreatePagefilePrivilege	4028	NVIDIA Container.exe
Token: SeBackupPrivilege	4028	NVIDIA Container.exe
Token: SeRestorePrivilege	4028	NVIDIA Container.exe
Token: SeShutdownPrivilege	4028	NVIDIA Container.exe
Token: SeDebugPrivilege	4028	NVIDIA Container.exe
Token: SeSystemEnvironmentPrivilege	4028	NVIDIA Container.exe
Token: SeRemoteShutdownPrivilege	4028	NVIDIA Container.exe
Token: SeUndockPrivilege	4028	NVIDIA Container.exe
Token: SeManageVolumePrivilege	4028	NVIDIA Container.exe
Token: 33	4028	NVIDIA Container.exe
Token: 34	4028	NVIDIA Container.exe
Token: 35	4028	NVIDIA Container.exe
Token: 36	4028	NVIDIA Container.exe

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4028
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4028 -s 988
  2⤵
  - Program crash
  PID:4372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4028-121-0x0000000000710000-0x0000000000728000-memory.dmp

Filesize
96KB

Download
memory/4028-122-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/4028-123-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download