asyncrat | b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8

General

Target

b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
Size

1.4MB
MD5

1d3c46705beab45cb1b080ff24d4549e
SHA1

8ebd8e1ffa610939943284daafaeb1e27f35e988
SHA256

b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8
SHA512

37e93589c7c01f276d0e34875a06c787006db24e8ba458ac0d21f434252b169eb30d7c5f5e008f1b1a57f1d7829c39d49495c4f7b96e66d6c4aa2d49fc477d36
SSDEEP

24576:AmJMORe2zOUaltm9yU0Wd/qcU714D++PdQ+WhOCayUNo9X+aBjJVI1OyJ/:9+Ge2zhaltm9yvcUD4wkyUc7HH

Score

10^/10

asyncrat update rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Update

C2

6.tcp.eu.ngrok.io:18488

Mutex

bQQYBRR46lgR

Attributes

delay
3
install
true
install_file
Update.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1072-2-0x0000000000C20000-0x000000000102E000-memory.dmp	asyncrat
behavioral1/memory/1072-14-0x0000000000C20000-0x000000000102E000-memory.dmp	asyncrat
behavioral1/memory/2600-21-0x0000000000240000-0x000000000064E000-memory.dmp	asyncrat
behavioral1/memory/2600-23-0x0000000000240000-0x000000000064E000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Update.exe

pid process

2600 Update.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

3012 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
2600	Update.exe

pid	process
3012	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exeUpdate.exe

pid	process
1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe
2600	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1420 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3000 timeout.exe

pid	process
1420	schtasks.exe

pid	process
3000	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exeUpdate.exe

pid	process
1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
2600	Update.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
Token: SeDebugPrivilege	2600	Update.exe
Token: SeDebugPrivilege	2600	Update.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exeUpdate.exe

pid process

1072 b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
2600 Update.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.execmd.execmd.exe

description	pid	process	target process
PID 1072 wrote to memory of 2708	1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe	cmd.exe
PID 1072 wrote to memory of 2708	1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe	cmd.exe
PID 1072 wrote to memory of 2708	1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe	cmd.exe
PID 1072 wrote to memory of 2708	1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe	cmd.exe
PID 1072 wrote to memory of 3012	1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe	cmd.exe
PID 1072 wrote to memory of 3012	1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe	cmd.exe
PID 1072 wrote to memory of 3012	1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe	cmd.exe
PID 1072 wrote to memory of 3012	1072	b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe	cmd.exe
PID 2708 wrote to memory of 1420	2708	cmd.exe	schtasks.exe
PID 2708 wrote to memory of 1420	2708	cmd.exe	schtasks.exe
PID 2708 wrote to memory of 1420	2708	cmd.exe	schtasks.exe
PID 2708 wrote to memory of 1420	2708	cmd.exe	schtasks.exe
PID 3012 wrote to memory of 3000	3012	cmd.exe	timeout.exe
PID 3012 wrote to memory of 3000	3012	cmd.exe	timeout.exe
PID 3012 wrote to memory of 3000	3012	cmd.exe	timeout.exe
PID 3012 wrote to memory of 3000	3012	cmd.exe	timeout.exe
PID 3012 wrote to memory of 2600	3012	cmd.exe	Update.exe
PID 3012 wrote to memory of 2600	3012	cmd.exe	Update.exe
PID 3012 wrote to memory of 2600	3012	cmd.exe	Update.exe
PID 3012 wrote to memory of 2600	3012	cmd.exe	Update.exe
PID 3012 wrote to memory of 2600	3012	cmd.exe	Update.exe
PID 3012 wrote to memory of 2600	3012	cmd.exe	Update.exe
PID 3012 wrote to memory of 2600	3012	cmd.exe	Update.exe

C:\Users\Admin\AppData\Local\Temp\b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe
"C:\Users\Admin\AppData\Local\Temp\b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Update" /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"'
3⤵
- Creates scheduled task(s)
PID:1420

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D05.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3000

C:\Users\Admin\AppData\Roaming\Update.exe
"C:\Users\Admin\AppData\Roaming\Update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2600

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB492.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D05.tmp.bat
Filesize
150B

MD5
73b1c8e5cc494f02e4f799c4dace21a2

SHA1
f15ca712a8839176dc05979cbe6f5cd3ea7ad062

SHA256
87569de0bbf09592509ade17ac0ba248209e130b8940ea04968977cdddcbee62

SHA512
746fab8579ce3fc8b3ba34bba392e10edb86dee70327eded3b572b00b97d04955a5c834fd43ca4a0dec6801a21a760fc043105e8ea08e00011b98e50018e7421

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D05.tmp.bat
Filesize
150B

MD5
73b1c8e5cc494f02e4f799c4dace21a2

SHA1
f15ca712a8839176dc05979cbe6f5cd3ea7ad062

SHA256
87569de0bbf09592509ade17ac0ba248209e130b8940ea04968977cdddcbee62

SHA512
746fab8579ce3fc8b3ba34bba392e10edb86dee70327eded3b572b00b97d04955a5c834fd43ca4a0dec6801a21a760fc043105e8ea08e00011b98e50018e7421

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.4MB

MD5
1d3c46705beab45cb1b080ff24d4549e

SHA1
8ebd8e1ffa610939943284daafaeb1e27f35e988

SHA256
b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8

SHA512
37e93589c7c01f276d0e34875a06c787006db24e8ba458ac0d21f434252b169eb30d7c5f5e008f1b1a57f1d7829c39d49495c4f7b96e66d6c4aa2d49fc477d36

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.4MB

MD5
1d3c46705beab45cb1b080ff24d4549e

SHA1
8ebd8e1ffa610939943284daafaeb1e27f35e988

SHA256
b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8

SHA512
37e93589c7c01f276d0e34875a06c787006db24e8ba458ac0d21f434252b169eb30d7c5f5e008f1b1a57f1d7829c39d49495c4f7b96e66d6c4aa2d49fc477d36

Download Submit
\Users\Admin\AppData\Roaming\Update.exe
Filesize
1.4MB

MD5
1d3c46705beab45cb1b080ff24d4549e

SHA1
8ebd8e1ffa610939943284daafaeb1e27f35e988

SHA256
b091c3ea9ca2f565dc4455017ea7b7337806ced4a340c993b0135a9e238f5ff8

SHA512
37e93589c7c01f276d0e34875a06c787006db24e8ba458ac0d21f434252b169eb30d7c5f5e008f1b1a57f1d7829c39d49495c4f7b96e66d6c4aa2d49fc477d36

Download Submit
memory/1072-0-0x0000000000C20000-0x000000000102E000-memory.dmp

Filesize
4.1MB

Download
memory/1072-1-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/1072-2-0x0000000000C20000-0x000000000102E000-memory.dmp

Filesize
4.1MB

Download
memory/1072-3-0x00000000052B0000-0x00000000052F0000-memory.dmp

Filesize
256KB

Download
memory/1072-14-0x0000000000C20000-0x000000000102E000-memory.dmp

Filesize
4.1MB

Download
memory/1072-15-0x0000000074370000-0x0000000074A5E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-23-0x0000000000240000-0x000000000064E000-memory.dmp

Filesize
4.1MB

Download
memory/2600-21-0x0000000000240000-0x000000000064E000-memory.dmp

Filesize
4.1MB

Download
memory/2600-22-0x0000000073280000-0x000000007396E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-20-0x0000000000240000-0x000000000064E000-memory.dmp

Filesize
4.1MB

Download
memory/2600-24-0x0000000005110000-0x0000000005150000-memory.dmp

Filesize
256KB

Download
memory/2600-43-0x0000000000240000-0x000000000064E000-memory.dmp

Filesize
4.1MB

Download
memory/2600-44-0x0000000073280000-0x000000007396E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-45-0x0000000005110000-0x0000000005150000-memory.dmp

Filesize
256KB

Download
memory/3012-18-0x0000000002050000-0x000000000245E000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads