asyncrat | 8fdc412291f33a96a35c93d3d2bf03b338054509cd855f60109809a8e74100fe

General

Target

bf4f7264ef324c5c14dccd8679685d3f.exe
Size

749KB
MD5

bf4f7264ef324c5c14dccd8679685d3f
SHA1

055a91cacfa6756ae1bf9d603ddea5e9b1b8f684
SHA256

8fdc412291f33a96a35c93d3d2bf03b338054509cd855f60109809a8e74100fe
SHA512

703b160a1ea781c12540f4bbba970b1d5d60be2bb83b0982cfb7b6e7b0db7d6cd50637c6c5a9cde433dc353f7228d157ec0400789272a47833c3d08438805e90
SSDEEP

12288:nUOTuurJr8VWrdMi4/Bfj+fqQ0eaQWH4X1/t6obHX8Rk+e8MTgtNxtxiF1kgDWS/:jrGVG2ZeaElv8lHz

Score

10^/10

asyncrat azorult zgrat noip infostealer rat trojan

Malware Config

Extracted

Family

azorult

C2

http://aka-mining.com/wordpress@/index.php

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

noip

C2

rocking.ddns.net:55714

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
image.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2656-7-0x00000000050E0000-0x00000000050F6000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 10 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1384-12-0x0000000000400000-0x000000000042C000-memory.dmp	asyncrat
behavioral2/memory/1384-8-0x0000000000400000-0x000000000042C000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe	asyncrat
behavioral2/memory/3608-32-0x0000000000810000-0x0000000000822000-memory.dmp	asyncrat
behavioral2/memory/1384-35-0x0000000000400000-0x000000000042C000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\image.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\image.exe	asyncrat
behavioral2/memory/2248-55-0x0000000005230000-0x0000000005240000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

bf4f7264ef324c5c14dccd8679685d3f.exe

description pid process target process

PID 2656 set thread context of 1384 2656 bf4f7264ef324c5c14dccd8679685d3f.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3280 888 WerFault.exe http.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3860 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3356 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bf4f7264ef324c5c14dccd8679685d3f.exe

pid process

2656 bf4f7264ef324c5c14dccd8679685d3f.exe
2656 bf4f7264ef324c5c14dccd8679685d3f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bf4f7264ef324c5c14dccd8679685d3f.exe

description pid process

Token: SeDebugPrivilege 2656 bf4f7264ef324c5c14dccd8679685d3f.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

1384 RegAsm.exe

description	pid	process	target process
PID 2656 set thread context of 1384	2656	bf4f7264ef324c5c14dccd8679685d3f.exe	RegAsm.exe

pid	pid_target	process	target process
3280	888	WerFault.exe	http.exe

pid	process
3860	schtasks.exe

pid	process
3356	timeout.exe

pid	process
2656	bf4f7264ef324c5c14dccd8679685d3f.exe
2656	bf4f7264ef324c5c14dccd8679685d3f.exe

description	pid	process
Token: SeDebugPrivilege	2656	bf4f7264ef324c5c14dccd8679685d3f.exe

pid	process
1384	RegAsm.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

bf4f7264ef324c5c14dccd8679685d3f.exe

description	pid	process	target process
PID 2656 wrote to memory of 5092	2656	bf4f7264ef324c5c14dccd8679685d3f.exe	RegAsm.exe
PID 2656 wrote to memory of 5092	2656	bf4f7264ef324c5c14dccd8679685d3f.exe	RegAsm.exe
PID 2656 wrote to memory of 5092	2656	bf4f7264ef324c5c14dccd8679685d3f.exe	RegAsm.exe
PID 2656 wrote to memory of 1384	2656	bf4f7264ef324c5c14dccd8679685d3f.exe	RegAsm.exe
PID 2656 wrote to memory of 1384	2656	bf4f7264ef324c5c14dccd8679685d3f.exe	RegAsm.exe
PID 2656 wrote to memory of 1384	2656	bf4f7264ef324c5c14dccd8679685d3f.exe	RegAsm.exe
PID 2656 wrote to memory of 1384	2656	bf4f7264ef324c5c14dccd8679685d3f.exe	RegAsm.exe
PID 2656 wrote to memory of 1384	2656	bf4f7264ef324c5c14dccd8679685d3f.exe	RegAsm.exe
PID 2656 wrote to memory of 1384	2656	bf4f7264ef324c5c14dccd8679685d3f.exe	RegAsm.exe
PID 2656 wrote to memory of 1384	2656	bf4f7264ef324c5c14dccd8679685d3f.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe
"C:\Users\Admin\AppData\Local\Temp\bf4f7264ef324c5c14dccd8679685d3f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1384
- - C:\Users\Admin\AppData\Local\Temp\http.exe
    "C:\Users\Admin\AppData\Local\Temp\http.exe" 0
    3⤵
    PID:888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 1608
      4⤵
      Program crash
      PID:3280
- - C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe
    "C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe" 0
    3⤵
    PID:3608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp53DD.tmp.bat""
      4⤵
      PID:4476
    - - C:\Users\Admin\AppData\Local\Temp\image.exe
        
        "C:\Users\Admin\AppData\Local\Temp\image.exe"
        5⤵
        
        PID:2248
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "image" /tr '"C:\Users\Admin\AppData\Local\Temp\image.exe"' & exit
      4⤵
      PID:3364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5092

C:\Windows\SysWOW64\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:3356

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "image" /tr '"C:\Users\Admin\AppData\Local\Temp\image.exe"'
1⤵
- Creates scheduled task(s)
PID:3860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 888 -ip 888
1⤵
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe

Filesize
9KB

MD5
0e8fd0e37f259b3b377ca368d113ba7f

SHA1
0e1f111aa456da8e7829b269e14adf6e79e09598

SHA256
417673f4944062cbd289ca3a1d483fb9e2bf86b51cb5d45a367f5c44d1459079

SHA512
c2a4205abf276b99409d6655810e910223d20a70f8fe95e64aede41ad58b5115956139cae05e372162edc7408926a92005be251d95503e4f0bd0ef530dabdfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsyncClient_noip.exe

Filesize
1KB

MD5
08ba38808dda07452f4124d9237b6568

SHA1
64cd77494088e2893f978c59b472911aed69aaaa

SHA256
5d3e8c321695dbda787c17957284447de0de9e27d1b6dc102a26b0d2e87a3aba

SHA512
2ae9050310e1eda8cc89f9fc8f688fa37b6a4040bd11161c65fe74386c4eed663da4a548a66ffa79cac77c9f8b561672e58e97bc5396243aab391a2431808a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\http.exe

Filesize
1KB

MD5
18b9d3f54162c47c84059a0c8828c35f

SHA1
80d2eb70f325b6de231d5eb9232ca4a5ff8051b5

SHA256
70d55029d146879d4f5871397ac2e06efb67a27ac67749ca96ccd8317f17ecf5

SHA512
89c88d013766df97b9a7e6833a39e9479e102dd934b8e90401d5f9d28c548fad17cb943ea72ede518c22af70e343c6e1eed67509453f3e522ecb3ee8297884a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.exe

Filesize
34KB

MD5
2a7fe0441d0f6d522b9039c705d8431c

SHA1
8cbe416f923e4d8f37973cfaacc8bb592ca45c31

SHA256
b7771e66bfd8dd8d17082c2e6c0520e46d15a0d4024e08befd9b377723acc11f

SHA512
83d4f5552fe964061cc7ea3ffaea21648912455e3db29d307cebd8c9b4055331d8ee78173ea7b3714649ff1d67634d4e0bdfb55e15d5c0a6a861369c55b34019

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.exe

Filesize
43KB

MD5
8d7e62aa159428b438b9b3228e9959a2

SHA1
1cf3be5bc78e40ae8892a53dbfda1d96dee7ac23

SHA256
dfc975319eca66d4b6aa488596dc9942eac393c08e2fe288add0997663d6be7b

SHA512
367f6de4c6cdd45cdfb97792e33ca51ae2bcd69809ffda2a1d4038e6f413173df98ace1e09a3643b77d04823bbf50baf177faee53871725e86faccf28a9045a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp53DD.tmp.bat

Filesize
152B

MD5
6dba35622bb482f33a6aa7eb39bc7001

SHA1
f81fd27e49647d17c7004eef5e21d775e537ccec

SHA256
18b7240b11788db810a0b4f5b0974b23a08c26db224d515fdb34216f637061ed

SHA512
8aacc1c2f1aa1d7cc2f7600d39c2be14e2d431b7595e5f841b160de9f4163a33729178122ca8a0934be4f98986f2d122e0fcd1c1ab6341ea20b6d9e47cd8b3c1

Download Submit
memory/888-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/888-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1384-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1384-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1384-35-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2248-55-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2248-54-0x0000000073BE0000-0x0000000074390000-memory.dmp

Filesize
7.7MB

Download
memory/2248-52-0x0000000005230000-0x0000000005240000-memory.dmp

Filesize
64KB

Download
memory/2248-50-0x0000000073BE0000-0x0000000074390000-memory.dmp

Filesize
7.7MB

Download
memory/2656-1-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/2656-0-0x0000000000520000-0x00000000005E2000-memory.dmp

Filesize
776KB

Download
memory/2656-11-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/2656-2-0x0000000004F80000-0x000000000501C000-memory.dmp

Filesize
624KB

Download
memory/2656-3-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/2656-4-0x0000000004EF0000-0x0000000004F52000-memory.dmp

Filesize
392KB

Download
memory/2656-6-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/2656-5-0x0000000005690000-0x0000000005C34000-memory.dmp

Filesize
5.6MB

Download
memory/2656-7-0x00000000050E0000-0x00000000050F6000-memory.dmp

Filesize
88KB

Download
memory/3608-40-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/3608-46-0x0000000073860000-0x0000000074010000-memory.dmp

Filesize
7.7MB

Download
memory/3608-36-0x0000000073860000-0x0000000074010000-memory.dmp

Filesize
7.7MB

Download
memory/3608-32-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads