asyncrat | 1270491bd3068a4159eee0ad8c8d6871cf0ba80cac9fd749a7e9d1c02f6f3653

Analysis

max time kernel
135s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2023 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04963699.exe
Size

255KB
MD5

cc54630cfed370da5d83b5c3d0ee9ec4
SHA1

d18ba6e2d8e877bc0bec89536087f49a4bf32921
SHA256

1270491bd3068a4159eee0ad8c8d6871cf0ba80cac9fd749a7e9d1c02f6f3653
SHA512

1b7a78bb5303e97cb74896d68d6094a050e8859a2b944840619ad3b589a4654d292363e3afce33a7fd2d1805ead532ba706951149a9742f5040f2252d17b695a
SSDEEP

3072:FRsjupfBVcoFDzbtu/c762soY8zyCy0A:MKxBVjF3bc/cpsoYSHA

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

iphy1.duckdns.org:8808

Mutex

AsyncMutex_6SI8OkPnkg

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3340-136-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

04963699.exe

description pid process target process

PID 1028 set thread context of 3340 1028 04963699.exe vbc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3056 schtasks.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

04963699.exe

pid process

1028 04963699.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 3340 vbc.exe

description	pid	process	target process
PID 1028 set thread context of 3340	1028	04963699.exe	vbc.exe

pid	process
3056	schtasks.exe

pid	process
1028	04963699.exe

description	pid	process
Token: SeDebugPrivilege	3340	vbc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

04963699.execmd.exe

description	pid	process	target process
PID 1028 wrote to memory of 3340	1028	04963699.exe	vbc.exe
PID 1028 wrote to memory of 3340	1028	04963699.exe	vbc.exe
PID 1028 wrote to memory of 3340	1028	04963699.exe	vbc.exe
PID 1028 wrote to memory of 3340	1028	04963699.exe	vbc.exe
PID 1028 wrote to memory of 3340	1028	04963699.exe	vbc.exe
PID 1028 wrote to memory of 3340	1028	04963699.exe	vbc.exe
PID 1028 wrote to memory of 3340	1028	04963699.exe	vbc.exe
PID 1028 wrote to memory of 3340	1028	04963699.exe	vbc.exe
PID 1028 wrote to memory of 736	1028	04963699.exe	cmd.exe
PID 1028 wrote to memory of 736	1028	04963699.exe	cmd.exe
PID 1028 wrote to memory of 736	1028	04963699.exe	cmd.exe
PID 1028 wrote to memory of 1148	1028	04963699.exe	cmd.exe
PID 1028 wrote to memory of 1148	1028	04963699.exe	cmd.exe
PID 1028 wrote to memory of 1148	1028	04963699.exe	cmd.exe
PID 1148 wrote to memory of 3056	1148	cmd.exe	schtasks.exe
PID 1148 wrote to memory of 3056	1148	cmd.exe	schtasks.exe
PID 1148 wrote to memory of 3056	1148	cmd.exe	schtasks.exe
PID 1028 wrote to memory of 3472	1028	04963699.exe	cmd.exe
PID 1028 wrote to memory of 3472	1028	04963699.exe	cmd.exe
PID 1028 wrote to memory of 3472	1028	04963699.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\04963699.exe
"C:\Users\Admin\AppData\Local\Temp\04963699.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\winpr01"
2⤵
PID:736

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\winpr01\winpr01.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\winpr01\winpr01.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3056

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\04963699.exe" "C:\Users\Admin\AppData\Roaming\winpr01\winpr01.exe"
2⤵
PID:3472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1028-133-0x0000000000560000-0x00000000005A6000-memory.dmp

Filesize
280KB

Download
memory/1028-134-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/1028-135-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3340-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3340-138-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/3340-139-0x0000000002DF0000-0x0000000002E56000-memory.dmp

Filesize
408KB

Download
memory/3340-140-0x0000000005A10000-0x0000000005AAC000-memory.dmp

Filesize
624KB

Download
memory/3340-141-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download