asyncrat | 779468167b7fb6ae608f098d8460a0c6f7a825e088fe60ed31ea4f9e8e664f00

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2023 17:30

Target

x3NwbDeSEJhx.exe
Size

47KB
MD5

b8de60b0604826596aa8cf5a3e127b97
SHA1

186ef2511fa3ee1c962930be0b4e434ef8e48c13
SHA256

779468167b7fb6ae608f098d8460a0c6f7a825e088fe60ed31ea4f9e8e664f00
SHA512

eceea17a36963302bf411e2f019866dd767a6c48c31fabc9fdff2523c175812033fc13455584829a54486973a6e649173c30b7dcec1085431bd6f3d535b92c4a
SSDEEP

768:4q+s3pUtDILNCCa+DiptelDSN+iV08YbygeSQg/yzS+dUZ1vEgK/JvZVc6KN:4q+AGtQOptKDs4zb1EuyzS+dknkJvZVS

Score

10^/10

Family

asyncrat

Version

1.0.7

Botnet

Default

diciembre12.duckdns.org:1984

Mutex

DcRatMutex_qwqdanchun

Attributes

aes.plain

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4280-0-0x0000000000630000-0x0000000000642000-memory.dmp	asyncrat
behavioral2/memory/4280-7-0x000000001D6D0000-0x000000001D734000-memory.dmp	asyncrat

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2312 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

x3NwbDeSEJhx.exe

description pid process

Token: SeDebugPrivilege 4280 x3NwbDeSEJhx.exe

pid	process
2312	timeout.exe

description	pid	process
Token: SeDebugPrivilege	4280	x3NwbDeSEJhx.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

x3NwbDeSEJhx.execmd.exe

description	pid	process	target process
PID 4280 wrote to memory of 2068	4280	x3NwbDeSEJhx.exe	cmd.exe
PID 4280 wrote to memory of 2068	4280	x3NwbDeSEJhx.exe	cmd.exe
PID 2068 wrote to memory of 2312	2068	cmd.exe	timeout.exe
PID 2068 wrote to memory of 2312	2068	cmd.exe	timeout.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3A26.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2312

C:\Users\Admin\AppData\Local\Temp\tmp3A26.tmp.bat
Filesize
164B

MD5
36e322a2f9f3fee0e95ac2fe09be2765

SHA1
b39d34b57420c9380f63ea13d658a3856a68b245

SHA256
72f151e2a62d004ab0a935310e55d9a8ccb07495ab5e511a74a4f98557be3b0b

SHA512
1054d76c0c81470995d2942c887a2d3ba861272765f528bcff25dda2168476ad8164d0aa1a00cb034a904cd02ff8786209492d9fcd95d794cf8e792282202439

Download Submit
memory/4280-0-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/4280-1-0x00007FF8C5280000-0x00007FF8C5D41000-memory.dmp

Filesize
10.8MB

Download
memory/4280-2-0x000000001B2D0000-0x000000001B2E0000-memory.dmp

Filesize
64KB

Download
memory/4280-5-0x00007FF8CE6A0000-0x00007FF8CE6B9000-memory.dmp

Filesize
100KB

Download
memory/4280-6-0x000000001D750000-0x000000001D7C6000-memory.dmp

Filesize
472KB

Download
memory/4280-7-0x000000001D6D0000-0x000000001D734000-memory.dmp

Filesize
400KB

Download
memory/4280-8-0x000000001D7D0000-0x000000001D7EE000-memory.dmp

Filesize
120KB

Download
memory/4280-13-0x00007FF8C5280000-0x00007FF8C5D41000-memory.dmp

Filesize
10.8MB

Download
memory/4280-14-0x00007FF8CE6A0000-0x00007FF8CE6B9000-memory.dmp

Filesize
100KB

Download