asyncrat | ddd4f8f5f13ada5e5b4bc3d0b0d1a49572b68f600ef3bda720566171f229c5c6

General

Target

svchost.exe
Size

4.9MB
MD5

6a6d722b4d27203afa3c468ddc6b96b0
SHA1

de9c73b7f98ed83dd17903ef41021481e30ef369
SHA256

ddd4f8f5f13ada5e5b4bc3d0b0d1a49572b68f600ef3bda720566171f229c5c6
SHA512

2418cdd6cf0b8e561847094a82235c83e0a146a2cbe53160f659e4a06192b51a6b7b90bf853a7901e879fc6e833928c4d061bf660e684c73d8ed8465ea1e16ab
SSDEEP

49152:jc+tbK8sTWJ708s2iwe0bjIZaxzrzrx8l0n3JjpmdPvoM/ICr5TVD:Y+1KbTWJY8saPbjICzPrGYFpmdPg8V

Score

10^/10

asyncrat microsoft rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Microsoft

C2

megaplaneta01.ddns.net:4782

localhost:4782

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\svchost.exe	asyncrat
C:\Users\Admin\AppData\Local\svchost.exe	asyncrat
C:\Users\Admin\AppData\Local\svchost.exe	asyncrat
behavioral1/memory/340-77-0x0000000000F20000-0x0000000000F32000-memory.dmp	asyncrat
behavioral1/memory/340-78-0x0000000000E50000-0x0000000000E90000-memory.dmp	asyncrat

Drops startup file 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk svchost.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

340 svchost.exe
Loads dropped DLL 1 IoCs

Processes:

RegAsm.exe

pid process

952 RegAsm.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1624 set thread context of 952 1624 svchost.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	svchost.exe

pid	process
340	svchost.exe

pid	process
952	RegAsm.exe

description	pid	process	target process
PID 1624 set thread context of 952	1624	svchost.exe	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

svchost.exeRegAsm.exe

description	pid	process	target process
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 1624 wrote to memory of 952	1624	svchost.exe	RegAsm.exe
PID 952 wrote to memory of 340	952	RegAsm.exe	svchost.exe
PID 952 wrote to memory of 340	952	RegAsm.exe	svchost.exe
PID 952 wrote to memory of 340	952	RegAsm.exe	svchost.exe
PID 952 wrote to memory of 340	952	RegAsm.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952

C:\Users\Admin\AppData\Local\svchost.exe
"C:\Users\Admin\AppData\Local\svchost.exe"
3⤵
- Executes dropped EXE
PID:340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\svchost.exe
Filesize
45KB

MD5
b1c69c02c0b584f5d922dfd04710df58

SHA1
5e0e4c71bff4b5c26c12ecec83ba39949ad52762

SHA256
e2faaccc18ac5e160462229aee43c32abef2040a44433e41b1c30fb86d18dbfc

SHA512
dd338684bfad64ed127b13533e45c2a20833b2f503b636452821055017283fb52fa93c232e57821ea2833c063bd12a631a1d96a1fc3b0d0eeb8245b35f05cf93

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe
Filesize
45KB

MD5
b1c69c02c0b584f5d922dfd04710df58

SHA1
5e0e4c71bff4b5c26c12ecec83ba39949ad52762

SHA256
e2faaccc18ac5e160462229aee43c32abef2040a44433e41b1c30fb86d18dbfc

SHA512
dd338684bfad64ed127b13533e45c2a20833b2f503b636452821055017283fb52fa93c232e57821ea2833c063bd12a631a1d96a1fc3b0d0eeb8245b35f05cf93

Download Submit
\Users\Admin\AppData\Local\svchost.exe
Filesize
45KB

MD5
b1c69c02c0b584f5d922dfd04710df58

SHA1
5e0e4c71bff4b5c26c12ecec83ba39949ad52762

SHA256
e2faaccc18ac5e160462229aee43c32abef2040a44433e41b1c30fb86d18dbfc

SHA512
dd338684bfad64ed127b13533e45c2a20833b2f503b636452821055017283fb52fa93c232e57821ea2833c063bd12a631a1d96a1fc3b0d0eeb8245b35f05cf93

Download Submit
memory/340-79-0x0000000000E50000-0x0000000000E90000-memory.dmp

Filesize
256KB

Download
memory/340-78-0x0000000000E50000-0x0000000000E90000-memory.dmp

Filesize
256KB

Download
memory/340-77-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/952-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/952-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/952-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1624-54-0x0000000000D80000-0x0000000001276000-memory.dmp

Filesize
5.0MB

Download
memory/1624-56-0x00000000009D0000-0x0000000000A0A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing