asyncrat | 641926faa61b285dc56392e849301861e5f786a3e45a7373dd334f34aa65d40d

General

Target

bf53ed4544ae919496ff12f7969ba3dc.exe
Size

47KB
MD5

bf53ed4544ae919496ff12f7969ba3dc
SHA1

cd2a5ac9357bc733dbce4bc2f8ee488199154b57
SHA256

641926faa61b285dc56392e849301861e5f786a3e45a7373dd334f34aa65d40d
SHA512

d71df91d569c890dc4be16737ee17692f1f6fa434eb64d0cb81e6c6e9491a7a6306011859907ea805b7495739a7bddb535790420310b0fb8ab9d46958ba97be7
SSDEEP

768:auu91TwQsOnFWUF01/mo2qDpwUJ+CQswGhWPI8fhMz+0b+FOAjv5JQgMc4jmXDBc:auu91TwSo2JQhf8fAxb+FTjv5JQhdiXy

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

65.108.24.87:6606

65.108.24.87:7707

65.108.24.87:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
win10.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2320-0-0x0000000000DA0000-0x0000000000DB2000-memory.dmp	asyncrat
behavioral1/files/0x0009000000012021-13.dat	asyncrat
behavioral1/files/0x0009000000012021-14.dat	asyncrat
behavioral1/files/0x0009000000012021-15.dat	asyncrat
behavioral1/memory/2872-16-0x00000000001F0000-0x0000000000202000-memory.dmp	asyncrat
behavioral1/memory/2872-18-0x0000000000620000-0x0000000000660000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2872	win10.exe

Loads dropped DLL 1 IoCs

pid	Process
2808	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2804	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2264	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2320	bf53ed4544ae919496ff12f7969ba3dc.exe
2320	bf53ed4544ae919496ff12f7969ba3dc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	bf53ed4544ae919496ff12f7969ba3dc.exe
Token: SeDebugPrivilege	2872	win10.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2632	2320	bf53ed4544ae919496ff12f7969ba3dc.exe	28
PID 2320 wrote to memory of 2632	2320	bf53ed4544ae919496ff12f7969ba3dc.exe	28
PID 2320 wrote to memory of 2632	2320	bf53ed4544ae919496ff12f7969ba3dc.exe	28
PID 2320 wrote to memory of 2632	2320	bf53ed4544ae919496ff12f7969ba3dc.exe	28
PID 2320 wrote to memory of 2808	2320	bf53ed4544ae919496ff12f7969ba3dc.exe	30
PID 2320 wrote to memory of 2808	2320	bf53ed4544ae919496ff12f7969ba3dc.exe	30
PID 2320 wrote to memory of 2808	2320	bf53ed4544ae919496ff12f7969ba3dc.exe	30
PID 2320 wrote to memory of 2808	2320	bf53ed4544ae919496ff12f7969ba3dc.exe	30
PID 2632 wrote to memory of 2804	2632	cmd.exe	32
PID 2632 wrote to memory of 2804	2632	cmd.exe	32
PID 2632 wrote to memory of 2804	2632	cmd.exe	32
PID 2632 wrote to memory of 2804	2632	cmd.exe	32
PID 2808 wrote to memory of 2264	2808	cmd.exe	33
PID 2808 wrote to memory of 2264	2808	cmd.exe	33
PID 2808 wrote to memory of 2264	2808	cmd.exe	33
PID 2808 wrote to memory of 2264	2808	cmd.exe	33
PID 2808 wrote to memory of 2872	2808	cmd.exe	34
PID 2808 wrote to memory of 2872	2808	cmd.exe	34
PID 2808 wrote to memory of 2872	2808	cmd.exe	34
PID 2808 wrote to memory of 2872	2808	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\bf53ed4544ae919496ff12f7969ba3dc.exe
"C:\Users\Admin\AppData\Local\Temp\bf53ed4544ae919496ff12f7969ba3dc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "win10" /tr '"C:\Users\Admin\AppData\Roaming\win10.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "win10" /tr '"C:\Users\Admin\AppData\Roaming\win10.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp56A8.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2264
- - C:\Users\Admin\AppData\Roaming\win10.exe
    "C:\Users\Admin\AppData\Roaming\win10.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab780F.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp56A8.tmp.bat

Filesize
149B

MD5
ded99944e4d52827cd57579a0fd46fdb

SHA1
91990c645eae26f07bfd8185c2b72f8fd27b3fba

SHA256
8776f2a2a56281745b0c901e11f8a2945c8e462d7edb8c8777892d24d009eb52

SHA512
c3c503ca79a72c387ee174bbd37c245452f36574e72c364d55228c8ce3649a24bb81f07116da12f742f5e1186c1359b928b4f4115b00672b6d63687eacf130b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp56A8.tmp.bat

Filesize
149B

MD5
ded99944e4d52827cd57579a0fd46fdb

SHA1
91990c645eae26f07bfd8185c2b72f8fd27b3fba

SHA256
8776f2a2a56281745b0c901e11f8a2945c8e462d7edb8c8777892d24d009eb52

SHA512
c3c503ca79a72c387ee174bbd37c245452f36574e72c364d55228c8ce3649a24bb81f07116da12f742f5e1186c1359b928b4f4115b00672b6d63687eacf130b9

Download Submit
C:\Users\Admin\AppData\Roaming\win10.exe

Filesize
47KB

MD5
bf53ed4544ae919496ff12f7969ba3dc

SHA1
cd2a5ac9357bc733dbce4bc2f8ee488199154b57

SHA256
641926faa61b285dc56392e849301861e5f786a3e45a7373dd334f34aa65d40d

SHA512
d71df91d569c890dc4be16737ee17692f1f6fa434eb64d0cb81e6c6e9491a7a6306011859907ea805b7495739a7bddb535790420310b0fb8ab9d46958ba97be7

Download Submit
C:\Users\Admin\AppData\Roaming\win10.exe

Filesize
47KB

MD5
bf53ed4544ae919496ff12f7969ba3dc

SHA1
cd2a5ac9357bc733dbce4bc2f8ee488199154b57

SHA256
641926faa61b285dc56392e849301861e5f786a3e45a7373dd334f34aa65d40d

SHA512
d71df91d569c890dc4be16737ee17692f1f6fa434eb64d0cb81e6c6e9491a7a6306011859907ea805b7495739a7bddb535790420310b0fb8ab9d46958ba97be7

Download Submit
\Users\Admin\AppData\Roaming\win10.exe

Filesize
47KB

MD5
bf53ed4544ae919496ff12f7969ba3dc

SHA1
cd2a5ac9357bc733dbce4bc2f8ee488199154b57

SHA256
641926faa61b285dc56392e849301861e5f786a3e45a7373dd334f34aa65d40d

SHA512
d71df91d569c890dc4be16737ee17692f1f6fa434eb64d0cb81e6c6e9491a7a6306011859907ea805b7495739a7bddb535790420310b0fb8ab9d46958ba97be7

Download Submit
memory/2320-0-0x0000000000DA0000-0x0000000000DB2000-memory.dmp

Filesize
72KB

Download
memory/2320-11-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2320-2-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/2320-1-0x0000000074BC0000-0x00000000752AE000-memory.dmp

Filesize
6.9MB

Download
memory/2872-16-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/2872-17-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-18-0x0000000000620000-0x0000000000660000-memory.dmp

Filesize
256KB

Download
memory/2872-35-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2872-36-0x0000000000620000-0x0000000000660000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads