asyncrat | b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec

General

Target

b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe
Size

305KB
MD5

a824d5ae995e025f951d2a04792c7307
SHA1

d0e9c86d9875d0bb3bae347420d827bb739a8d56
SHA256

b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec
SHA512

765ab7457d7c7b84cd6ce881eab8f3a3b7485a9dce0dd7b94c13a0be0563e27bcc0af0d0f829cc94cefaf3ec1f810c39f2dfaaabe7d63783c80d08c330e57a8e
SSDEEP

6144:2TiVSIllyI/bi13ow+gidaC4akQT9rJGyUg7hdC81PQ0okbIx:2TiVPrJ/Vw+giIcjMnPx

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

AuroraRat 1.0.9.1

Botnet

Default

C2

38.6.189.150:8848

Mutex

AuroraRatMutex_Nein

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/files/0x000e00000001230a-11.dat	asyncrat
behavioral1/files/0x000e00000001230a-12.dat	asyncrat
behavioral1/files/0x000e00000001230a-9.dat	asyncrat
behavioral1/memory/2796-14-0x0000000000C80000-0x0000000000C96000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

pid	Process
2324	iexpoler.exe
2796	svchsot.exe

Loads dropped DLL 3 IoCs

pid	Process
3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe
3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe
3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	svchsot.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2324	3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe	28
PID 3068 wrote to memory of 2324	3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe	28
PID 3068 wrote to memory of 2324	3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe	28
PID 3068 wrote to memory of 2324	3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe	28
PID 3068 wrote to memory of 2796	3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe	29
PID 3068 wrote to memory of 2796	3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe	29
PID 3068 wrote to memory of 2796	3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe	29
PID 3068 wrote to memory of 2796	3068	b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe	29

C:\Users\Admin\AppData\Local\Temp\b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe
"C:\Users\Admin\AppData\Local\Temp\b7d4b9e9051e99ad6b53905d98e6a2f29eb7c25a012fa7fc1e6e546761a538ec_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\iexpoler.exe
  C:\Users\Admin\AppData\Local\Temp\\iexpoler.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\svchsot.exe
  C:\Users\Admin\AppData\Local\Temp\\svchsot.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iexpoler.exe

Filesize
114KB

MD5
71227a3af26b22238f0b03b11abfa7be

SHA1
16356ae80ca36c906b4a5314e35c01bbf44a6668

SHA256
9c3985677e2a0cf6b2d8af4f1e7f99dd4dc13d26770bd97022474088b379d618

SHA512
e1df4d66f44c288209ac3718c7c4905e100a0f1c3e0c53c2249e9fc6bc99c57771e1bbab0775baa2f2674737dad865a4a82bf9fd6fc998d5c26134a61b8f0733

Download Submit
C:\Users\Admin\AppData\Local\Temp\iexpoler.exe

Filesize
114KB

MD5
71227a3af26b22238f0b03b11abfa7be

SHA1
16356ae80ca36c906b4a5314e35c01bbf44a6668

SHA256
9c3985677e2a0cf6b2d8af4f1e7f99dd4dc13d26770bd97022474088b379d618

SHA512
e1df4d66f44c288209ac3718c7c4905e100a0f1c3e0c53c2249e9fc6bc99c57771e1bbab0775baa2f2674737dad865a4a82bf9fd6fc998d5c26134a61b8f0733

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchsot.exe

Filesize
63KB

MD5
6cd26d6bb4b50164f6d55ce39daa2006

SHA1
2693732777757f7246c78d83897f5c1e9eba3ffb

SHA256
58adae9c12bb223fb534124951a7a51efaa66f5a531946a744e7671605a57138

SHA512
558e443d3b9dd45303ca89604f005292db2dbd32e5b577b20704ccc96af0526012758ac107a25d1ac49b8a7c9671cc28a89eb420324df89d52f2bbc6052b5ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchsot.exe

Filesize
63KB

MD5
6cd26d6bb4b50164f6d55ce39daa2006

SHA1
2693732777757f7246c78d83897f5c1e9eba3ffb

SHA256
58adae9c12bb223fb534124951a7a51efaa66f5a531946a744e7671605a57138

SHA512
558e443d3b9dd45303ca89604f005292db2dbd32e5b577b20704ccc96af0526012758ac107a25d1ac49b8a7c9671cc28a89eb420324df89d52f2bbc6052b5ea2

Download Submit
\Users\Admin\AppData\Local\Temp\iexpoler.exe

Filesize
114KB

MD5
71227a3af26b22238f0b03b11abfa7be

SHA1
16356ae80ca36c906b4a5314e35c01bbf44a6668

SHA256
9c3985677e2a0cf6b2d8af4f1e7f99dd4dc13d26770bd97022474088b379d618

SHA512
e1df4d66f44c288209ac3718c7c4905e100a0f1c3e0c53c2249e9fc6bc99c57771e1bbab0775baa2f2674737dad865a4a82bf9fd6fc998d5c26134a61b8f0733

Download Submit
\Users\Admin\AppData\Local\Temp\iexpoler.exe

Filesize
114KB

MD5
71227a3af26b22238f0b03b11abfa7be

SHA1
16356ae80ca36c906b4a5314e35c01bbf44a6668

SHA256
9c3985677e2a0cf6b2d8af4f1e7f99dd4dc13d26770bd97022474088b379d618

SHA512
e1df4d66f44c288209ac3718c7c4905e100a0f1c3e0c53c2249e9fc6bc99c57771e1bbab0775baa2f2674737dad865a4a82bf9fd6fc998d5c26134a61b8f0733

Download Submit
\Users\Admin\AppData\Local\Temp\svchsot.exe

Filesize
63KB

MD5
6cd26d6bb4b50164f6d55ce39daa2006

SHA1
2693732777757f7246c78d83897f5c1e9eba3ffb

SHA256
58adae9c12bb223fb534124951a7a51efaa66f5a531946a744e7671605a57138

SHA512
558e443d3b9dd45303ca89604f005292db2dbd32e5b577b20704ccc96af0526012758ac107a25d1ac49b8a7c9671cc28a89eb420324df89d52f2bbc6052b5ea2

Download Submit
memory/2324-13-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2796-14-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2796-15-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2796-16-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2796-17-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download
memory/2796-18-0x000007FEF5FF0000-0x000007FEF69DC000-memory.dmp

Filesize
9.9MB

Download
memory/2796-19-0x000000001B2D0000-0x000000001B350000-memory.dmp

Filesize
512KB

Download
memory/2796-20-0x0000000077990000-0x0000000077B39000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing