asyncrat | d447242a078661aa69c652929cbedbc1896b135aa50ed27427ea8c7e4d4a71be

Analysis

max time kernel
136s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2023 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

171KB
MD5

7c44e8e46e3f7669ad24db6756895950
SHA1

ad74d9dbca6885a004e21824d87f8e5168030484
SHA256

d447242a078661aa69c652929cbedbc1896b135aa50ed27427ea8c7e4d4a71be
SHA512

97b96bb2d5b07b13aae9768867b040ea67b8cc5bfcbfe15f61fe71809609d3d6c6fa867efec91cd1431d27affae8380bd514788cf5b235142bb8c095458c06fd
SSDEEP

3072:FWAm7g0RE3N82rmAniiFhb7zPeo7f8D6L6W6/68696Ugtdy+PkDLJ6rSIalbn:sHE3i2rmVizt8D6L6W6/68696UgtPkDd

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

192.168.175.1:1800

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4700-135-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4452 set thread context of 4700	4452	file.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3236	4452	WerFault.exe	82

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4452	file.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4700	4452	file.exe	83
PID 4452 wrote to memory of 4700	4452	file.exe	83
PID 4452 wrote to memory of 4700	4452	file.exe	83
PID 4452 wrote to memory of 4700	4452	file.exe	83
PID 4452 wrote to memory of 4700	4452	file.exe	83

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  -arguments
  2⤵
  PID:4700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 540
  2⤵
  - Program crash
  PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4452 -ip 4452
1⤵
PID:4396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4700-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4700-140-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/4700-141-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download