asyncrat | 64a45101867e90b0a25e1ee21e83110985d06d3b9733bfb7e50fff89697737ae

General

Target

Windows Defender.exe
Size

183KB
MD5

9bcabaf1958649a969466f1c2964629f
SHA1

6871eb25d595532063eb5acab819ba0d886638b0
SHA256

64a45101867e90b0a25e1ee21e83110985d06d3b9733bfb7e50fff89697737ae
SHA512

3f3b1297cc0dfc66b944b88a000dd709d0ddd0e715a52229460cffe32d051222cb6a601d8e51fa68cb92a726e0cf525e0c9485b757ba35e12b6be82e33498fa5
SSDEEP

3072:IeVkX3EYqYkQW6ZQIpfiJZ5bnhkxtS951xNCygrTPE/i0tGKGMGuuMWnejTAtTDw:6X3EYM6ZQ4aH5bhkWb1iyWPkLGK/c3nb

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.2

C2

1.14.206.144:6606

1.14.206.144:7707

1.14.206.144:8808

Mutex

564-8c88999ba04b

Attributes

delay
0
install
true
install_file
Windows Defender.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2876-0-0x0000000000010000-0x0000000000044000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\Windows Defender.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Windows Defender.exe	asyncrat
behavioral1/memory/2768-12-0x0000000000130000-0x0000000000164000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Windows Defender.exe

pid process

2768 Windows Defender.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2596 schtasks.exe

pid	process
2768	Windows Defender.exe

pid	process
2596	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Windows Defender.exeWindows Defender.exe

pid	process
2876	Windows Defender.exe
2876	Windows Defender.exe
2876	Windows Defender.exe
2876	Windows Defender.exe
2876	Windows Defender.exe
2876	Windows Defender.exe
2876	Windows Defender.exe
2876	Windows Defender.exe
2876	Windows Defender.exe
2876	Windows Defender.exe
2876	Windows Defender.exe
2876	Windows Defender.exe
2876	Windows Defender.exe
2768	Windows Defender.exe
2768	Windows Defender.exe
2768	Windows Defender.exe
2768	Windows Defender.exe
2768	Windows Defender.exe
2768	Windows Defender.exe
2768	Windows Defender.exe
2768	Windows Defender.exe
2768	Windows Defender.exe
2768	Windows Defender.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Windows Defender.exeWindows Defender.exe

description pid process

Token: SeDebugPrivilege 2876 Windows Defender.exe
Token: SeDebugPrivilege 2768 Windows Defender.exe

description	pid	process
Token: SeDebugPrivilege	2876	Windows Defender.exe
Token: SeDebugPrivilege	2768	Windows Defender.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Windows Defender.exeWScript.exe

description	pid	process	target process
PID 2876 wrote to memory of 2776	2876	Windows Defender.exe	WScript.exe
PID 2876 wrote to memory of 2776	2876	Windows Defender.exe	WScript.exe
PID 2876 wrote to memory of 2776	2876	Windows Defender.exe	WScript.exe
PID 2776 wrote to memory of 2596	2776	WScript.exe	schtasks.exe
PID 2776 wrote to memory of 2596	2776	WScript.exe	schtasks.exe
PID 2776 wrote to memory of 2596	2776	WScript.exe	schtasks.exe
PID 2876 wrote to memory of 2768	2876	Windows Defender.exe	Windows Defender.exe
PID 2876 wrote to memory of 2768	2876	Windows Defender.exe	Windows Defender.exe
PID 2876 wrote to memory of 2768	2876	Windows Defender.exe	Windows Defender.exe

C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Defender.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp9EA0.tmp.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc onlogon /rl highest /tn Windows Defender.exe /tr "C:\Users\Admin\AppData\Roaming\Windows Defender.exe
3⤵
- Creates scheduled task(s)
PID:2596

C:\Users\Admin\AppData\Roaming\Windows Defender.exe
"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9EA0.tmp.vbs
Filesize
234B

MD5
4b064866856430b91e4f33706d8363d9

SHA1
f286151060da5a66256a3908de8be15ad28c637e

SHA256
e2803825118e2deb1a3d20ad1426506ec8f84fde3c60822c503c7dd7e38c3386

SHA512
300127b621124cda7cf80353614cf7bfda1863b78fd45a35dd7d56e11cbf5267fc3a5217a0a3a19ddc1cb5e14b3b3b4dd2a0930ebba7ea3ed0f50c4c2536b396

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender.exe
Filesize
183KB

MD5
9bcabaf1958649a969466f1c2964629f

SHA1
6871eb25d595532063eb5acab819ba0d886638b0

SHA256
64a45101867e90b0a25e1ee21e83110985d06d3b9733bfb7e50fff89697737ae

SHA512
3f3b1297cc0dfc66b944b88a000dd709d0ddd0e715a52229460cffe32d051222cb6a601d8e51fa68cb92a726e0cf525e0c9485b757ba35e12b6be82e33498fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender.exe
Filesize
183KB

MD5
9bcabaf1958649a969466f1c2964629f

SHA1
6871eb25d595532063eb5acab819ba0d886638b0

SHA256
64a45101867e90b0a25e1ee21e83110985d06d3b9733bfb7e50fff89697737ae

SHA512
3f3b1297cc0dfc66b944b88a000dd709d0ddd0e715a52229460cffe32d051222cb6a601d8e51fa68cb92a726e0cf525e0c9485b757ba35e12b6be82e33498fa5

Download Submit
memory/2768-12-0x0000000000130000-0x0000000000164000-memory.dmp

Filesize
208KB

Download
memory/2768-14-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-15-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/2768-33-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-34-0x000000001B1D0000-0x000000001B250000-memory.dmp

Filesize
512KB

Download
memory/2876-0-0x0000000000010000-0x0000000000044000-memory.dmp

Filesize
208KB

Download
memory/2876-1-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download
memory/2876-2-0x000000001B010000-0x000000001B090000-memory.dmp

Filesize
512KB

Download
memory/2876-13-0x000007FEF5150000-0x000007FEF5B3C000-memory.dmp

Filesize
9.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads