asyncrat | e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

General

Target

e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe
Size

168KB
MD5

460c5e2904724e5babe7c3f7eaaf8de9
SHA1

a648b18830c27850fe651e6601792a7676c18c94
SHA256

e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794
SHA512

31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16
SSDEEP

3072:2L31ZGgcsKuvP6Thmcy6bzVprBAs6UKoq0yiw7bWbJ:83ugdvP6K6b/rBAsq/iwQ

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

donelpacino.ddns.net:5500

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2916-5-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
4800	notepad.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 2916	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	83

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1808	schtasks.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2916	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	83
PID 2952 wrote to memory of 2916	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	83
PID 2952 wrote to memory of 2916	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	83
PID 2952 wrote to memory of 2916	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	83
PID 2952 wrote to memory of 2916	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	83
PID 2952 wrote to memory of 2916	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	83
PID 2952 wrote to memory of 2916	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	83
PID 2952 wrote to memory of 2916	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	83
PID 2952 wrote to memory of 2760	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	84
PID 2952 wrote to memory of 2760	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	84
PID 2952 wrote to memory of 2760	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	84
PID 2952 wrote to memory of 3844	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	87
PID 2952 wrote to memory of 3844	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	87
PID 2952 wrote to memory of 3844	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	87
PID 2952 wrote to memory of 3040	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	85
PID 2952 wrote to memory of 3040	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	85
PID 2952 wrote to memory of 3040	2952	e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe	85
PID 3844 wrote to memory of 1808	3844	cmd.exe	90
PID 3844 wrote to memory of 1808	3844	cmd.exe	90
PID 3844 wrote to memory of 1808	3844	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe
"C:\Users\Admin\AppData\Local\Temp\e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe
  "C:\Users\Admin\AppData\Local\Temp\e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe"
  2⤵
  PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\notepad"
  2⤵
  PID:2760
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794.exe" "C:\Users\Admin\AppData\Roaming\notepad\notepad.exe"
  2⤵
  PID:3040
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\notepad\notepad.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1808

C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
C:\Users\Admin\AppData\Roaming\notepad\notepad.exe
1⤵
- Executes dropped EXE
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\notepad\notepad.exe

Filesize
168KB

MD5
460c5e2904724e5babe7c3f7eaaf8de9

SHA1
a648b18830c27850fe651e6601792a7676c18c94

SHA256
e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

SHA512
31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

Download Submit
C:\Users\Admin\AppData\Roaming\notepad\notepad.exe

Filesize
168KB

MD5
460c5e2904724e5babe7c3f7eaaf8de9

SHA1
a648b18830c27850fe651e6601792a7676c18c94

SHA256
e296fd745e2a6dfb3f345a73e59174d5236c9c55855c8ee0c5602955614d9794

SHA512
31cf6090a1764abc61aced61fc78e0f9471a636f0e95f997ed083798908c075fb7d5fd78e45d17f5e0ba53d37fe1c7ea8342acb71b0ac41b94e7e1fc6b2b8f16

Download Submit
memory/2916-12-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2916-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2916-6-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2916-11-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/2916-15-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/2952-3-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

Filesize
64KB

Download
memory/2952-4-0x0000000002A80000-0x0000000002A9E000-memory.dmp

Filesize
120KB

Download
memory/2952-8-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2952-0-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/2952-2-0x00000000055C0000-0x0000000005B64000-memory.dmp

Filesize
5.6MB

Download
memory/2952-1-0x0000000000650000-0x000000000067E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads