asyncrat | 999d43ee4c9a1ec38c0b00fc38abe0b29b13cc83983c6ee895cbb2768b29022d

Analysis

max time kernel
148s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2023 08:33

Target

6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe
Size

10.2MB
MD5

6cfc8a19911d2a4401c1c362587e83ce
SHA1

757f656302382738175a6a73ed7e412bba55011c
SHA256

6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984
SHA512

4da1ae530f9e06cf69ee4d68f5166586096940248f58954e928e16d56faa2cdefcb4ba865588964a254659c14642de8af9fe8e393a168a642e9a5648ef5f29a2
SSDEEP

98304:01+qfbaSe1um0WohRcxAqV6EiTEEhG8VdjDEJgkKQ:nGWM0x7VdiAfj

Score

10^/10

Family

asyncrat

Version

5.0.5

Botnet

Crypt One

194.180.49.190:9254

Mutex

c7737c6a-d18e-4344-9a5b-860541cfb072

Attributes

aes.plain

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral13/memory/684-3-0x0000000000790000-0x00000000007A6000-memory.dmp	asyncrat
behavioral13/memory/684-11-0x00000000028A0000-0x00000000028B0000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4612 set thread context of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe
4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	684	jsc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	91
PID 4612 wrote to memory of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	91
PID 4612 wrote to memory of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	91
PID 4612 wrote to memory of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	91
PID 4612 wrote to memory of 684	4612	6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe	91

C:\Users\Admin\AppData\Local\Temp\6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe
"C:\Users\Admin\AppData\Local\Temp\6543c547b83be07c11742aebcba0264026667005c7d4b90ca9ee8da62ad06984.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:684

memory/684-3-0x0000000000790000-0x00000000007A6000-memory.dmp

Filesize
88KB

Download
memory/684-4-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/684-5-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/684-6-0x00000000772C1000-0x00000000772C2000-memory.dmp

Filesize
4KB

Download
memory/684-10-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/684-11-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/4612-2-0x00007FF6DDAF0000-0x00007FF6DE58E000-memory.dmp

Filesize
10.6MB

Download
memory/4612-8-0x00007FF6DDAF0000-0x00007FF6DE58E000-memory.dmp

Filesize
10.6MB

Download
memory/4612-9-0x00007FF6DDAF0000-0x00007FF6DE58E000-memory.dmp

Filesize
10.6MB

Download