asyncrat | ddd4f8f5f13ada5e5b4bc3d0b0d1a49572b68f600ef3bda720566171f229c5c6

General

Target

svchost.exe
Size

4.9MB
MD5

6a6d722b4d27203afa3c468ddc6b96b0
SHA1

de9c73b7f98ed83dd17903ef41021481e30ef369
SHA256

ddd4f8f5f13ada5e5b4bc3d0b0d1a49572b68f600ef3bda720566171f229c5c6
SHA512

2418cdd6cf0b8e561847094a82235c83e0a146a2cbe53160f659e4a06192b51a6b7b90bf853a7901e879fc6e833928c4d061bf660e684c73d8ed8465ea1e16ab
SSDEEP

49152:jc+tbK8sTWJ708s2iwe0bjIZaxzrzrx8l0n3JjpmdPvoM/ICr5TVD:Y+1KbTWJY8saPbjICzPrGYFpmdPg8V

Score

10^/10

asyncrat microsoft rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Microsoft

C2

megaplaneta01.ddns.net:4782

localhost:4782

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\svchost.exe	asyncrat
C:\Users\Admin\AppData\Local\svchost.exe	asyncrat
behavioral2/memory/2660-205-0x0000000000E80000-0x0000000000E92000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\svchost.exe	asyncrat

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation RegAsm.exe
Drops startup file 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk svchost.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

2660 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 2184 set thread context of 4200 2184 svchost.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

RegAsm.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	RegAsm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	svchost.exe

pid	process
2660	svchost.exe

description	pid	process	target process
PID 2184 set thread context of 4200	2184	svchost.exe	RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RegAsm.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

svchost.exeRegAsm.exe

description	pid	process	target process
PID 2184 wrote to memory of 4200	2184	svchost.exe	RegAsm.exe
PID 2184 wrote to memory of 4200	2184	svchost.exe	RegAsm.exe
PID 2184 wrote to memory of 4200	2184	svchost.exe	RegAsm.exe
PID 2184 wrote to memory of 4200	2184	svchost.exe	RegAsm.exe
PID 2184 wrote to memory of 4200	2184	svchost.exe	RegAsm.exe
PID 2184 wrote to memory of 4200	2184	svchost.exe	RegAsm.exe
PID 2184 wrote to memory of 4200	2184	svchost.exe	RegAsm.exe
PID 2184 wrote to memory of 4200	2184	svchost.exe	RegAsm.exe
PID 4200 wrote to memory of 2660	4200	RegAsm.exe	svchost.exe
PID 4200 wrote to memory of 2660	4200	RegAsm.exe	svchost.exe
PID 4200 wrote to memory of 2660	4200	RegAsm.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4200

C:\Users\Admin\AppData\Local\svchost.exe
"C:\Users\Admin\AppData\Local\svchost.exe"
3⤵
- Executes dropped EXE
PID:2660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
Filesize
902B

MD5
448752a5d912569222e464a0ea7ab541

SHA1
b6e81e17158a138502d1330f336c5fbd1d9884ff

SHA256
b4e28bd179b559b9eefd3d919d79e3d0a87cfaf0d897ee0ce9fb40744ca7f0c4

SHA512
bc3f3ffb2cee12b7e874d50c1404c4e640466bef512d5026fbd8589a00c0a5301e9013b7f20c9e84ff4da0d94716f5c89079699cd584eea9541a4a9ea1499b8e

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe
Filesize
45KB

MD5
b1c69c02c0b584f5d922dfd04710df58

SHA1
5e0e4c71bff4b5c26c12ecec83ba39949ad52762

SHA256
e2faaccc18ac5e160462229aee43c32abef2040a44433e41b1c30fb86d18dbfc

SHA512
dd338684bfad64ed127b13533e45c2a20833b2f503b636452821055017283fb52fa93c232e57821ea2833c063bd12a631a1d96a1fc3b0d0eeb8245b35f05cf93

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe
Filesize
45KB

MD5
b1c69c02c0b584f5d922dfd04710df58

SHA1
5e0e4c71bff4b5c26c12ecec83ba39949ad52762

SHA256
e2faaccc18ac5e160462229aee43c32abef2040a44433e41b1c30fb86d18dbfc

SHA512
dd338684bfad64ed127b13533e45c2a20833b2f503b636452821055017283fb52fa93c232e57821ea2833c063bd12a631a1d96a1fc3b0d0eeb8245b35f05cf93

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe
Filesize
45KB

MD5
b1c69c02c0b584f5d922dfd04710df58

SHA1
5e0e4c71bff4b5c26c12ecec83ba39949ad52762

SHA256
e2faaccc18ac5e160462229aee43c32abef2040a44433e41b1c30fb86d18dbfc

SHA512
dd338684bfad64ed127b13533e45c2a20833b2f503b636452821055017283fb52fa93c232e57821ea2833c063bd12a631a1d96a1fc3b0d0eeb8245b35f05cf93

Download Submit
memory/2184-133-0x0000000000EA0000-0x0000000001396000-memory.dmp

Filesize
5.0MB

Download
memory/2184-134-0x0000000006400000-0x0000000006492000-memory.dmp

Filesize
584KB

Download
memory/2184-135-0x0000000006540000-0x00000000065DC000-memory.dmp

Filesize
624KB

Download
memory/2184-136-0x0000000007260000-0x0000000007804000-memory.dmp

Filesize
5.6MB

Download
memory/2660-205-0x0000000000E80000-0x0000000000E92000-memory.dmp

Filesize
72KB

Download
memory/4200-138-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4200-141-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4200-142-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing