asyncrat | 999d43ee4c9a1ec38c0b00fc38abe0b29b13cc83983c6ee895cbb2768b29022d

Analysis

max time kernel
148s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe
Size

10.2MB
MD5

6cfc8a19911d2a4401c1c362587e83ce
SHA1

757f656302382738175a6a73ed7e412bba55011c
SHA256

6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984
SHA512

4da1ae530f9e06cf69ee4d68f5166586096940248f58954e928e16d56faa2cdefcb4ba865588964a254659c14642de8af9fe8e393a168a642e9a5648ef5f29a2
SSDEEP

98304:01+qfbaSe1um0WohRcxAqV6EiTEEhG8VdjDEJgkKQ:nGWM0x7VdiAfj

Score

10^/10

asyncrat crypt one rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Crypt One

194.180.49.190:9254

Mutex

c7737c6a-d18e-4344-9a5b-860541cfb072

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral13/memory/684-3-0x0000000000790000-0x00000000007A6000-memory.dmp	asyncrat
behavioral13/memory/684-11-0x00000000028A0000-0x00000000028B0000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe

description pid process target process

PID 4612 set thread context of 684 4612 6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe jsc.exe

description	pid	process	target process
PID 4612 set thread context of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	jsc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe

pid	process
4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe
4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jsc.exe

description pid process

Token: SeDebugPrivilege 684 jsc.exe

description	pid	process
Token: SeDebugPrivilege	684	jsc.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe

description	pid	process	target process
PID 4612 wrote to memory of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	jsc.exe
PID 4612 wrote to memory of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	jsc.exe
PID 4612 wrote to memory of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	jsc.exe
PID 4612 wrote to memory of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	jsc.exe
PID 4612 wrote to memory of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe
"C:\Users\Admin\AppData\Local\Temp\6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/684-3-0x0000000000790000-0x00000000007A6000-memory.dmp

Filesize
88KB

Download
memory/684-4-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/684-5-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/684-6-0x00000000772C1000-0x00000000772C2000-memory.dmp

Filesize
4KB

Download
memory/684-10-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/684-11-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/4612-2-0x00007FF6DDAF0000-0x00007FF6DE58E000-memory.dmp

Filesize
10.6MB

Download
memory/4612-8-0x00007FF6DDAF0000-0x00007FF6DE58E000-memory.dmp

Filesize
10.6MB

Download
memory/4612-9-0x00007FF6DDAF0000-0x00007FF6DE58E000-memory.dmp

Filesize
10.6MB

Download