asyncrat | d016bdbb800f110f54633bf0e359a63e6b9cec97dd8163d91ade4a6f1ff6e13f

Analysis

max time kernel
156s
max time network
182s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d6434f71babd8b5dcd4cc1f3eb611c8.exe
Size

287KB
MD5

0d6434f71babd8b5dcd4cc1f3eb611c8
SHA1

4a0e99bd953463c8d0e7d9b7be4bb8f88e2e3bfe
SHA256

d016bdbb800f110f54633bf0e359a63e6b9cec97dd8163d91ade4a6f1ff6e13f
SHA512

2a273c0cc1fcd8ab739f7706d6703bef7f7bce60a36b23bd9029ff98485aaaca886a65732f2d940f8ca989925218a03f09f6d5094884dd7d21614f7338c28814
SSDEEP

6144:sY6hfTDBE1zt2bdMYbqj/V3eEDrP+YGaJZiVahETPcuXyXLJSNPC/p:4fTDocmYm/V373+YG1V6ETPc9iC/p

Score

10^/10

asyncrat zgrat 6 rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

185.157.160.147:1973

Mutex

6SI8OkPnk0ut56r

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/3016-6-0x0000000005C00000-0x0000000005C70000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-7-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-10-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-8-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-12-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-18-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-16-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-20-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-28-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-36-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-44-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-50-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-54-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-52-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-56-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-48-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-46-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-42-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-58-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-62-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-64-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-66-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-70-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-68-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-60-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-40-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-38-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-34-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-32-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-30-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-26-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-24-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-22-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1
behavioral1/memory/3016-14-0x0000000005C00000-0x0000000005C6B000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2972-2394-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2972-2396-0x0000000000DD0000-0x0000000000E10000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3016 set thread context of 2972	3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2972	3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe	30
PID 3016 wrote to memory of 2972	3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe	30
PID 3016 wrote to memory of 2972	3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe	30
PID 3016 wrote to memory of 2972	3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe	30
PID 3016 wrote to memory of 2972	3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe	30
PID 3016 wrote to memory of 2972	3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe	30
PID 3016 wrote to memory of 2972	3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe	30
PID 3016 wrote to memory of 2972	3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe	30
PID 3016 wrote to memory of 2972	3016	0d6434f71babd8b5dcd4cc1f3eb611c8.exe	30

C:\Users\Admin\AppData\Local\Temp\0d6434f71babd8b5dcd4cc1f3eb611c8.exe
"C:\Users\Admin\AppData\Local\Temp\0d6434f71babd8b5dcd4cc1f3eb611c8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\0d6434f71babd8b5dcd4cc1f3eb611c8.exe
  C:\Users\Admin\AppData\Local\Temp\0d6434f71babd8b5dcd4cc1f3eb611c8.exe
  2⤵
  PID:2972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2972-2394-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2972-2398-0x0000000000DD0000-0x0000000000E10000-memory.dmp

Filesize
256KB

Download
memory/2972-2397-0x0000000072E30000-0x000000007351E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-2396-0x0000000000DD0000-0x0000000000E10000-memory.dmp

Filesize
256KB

Download
memory/2972-2395-0x0000000072E30000-0x000000007351E000-memory.dmp

Filesize
6.9MB

Download
memory/3016-46-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-64-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-7-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-10-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-8-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-12-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-18-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-16-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-20-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-28-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-36-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-44-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-50-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-54-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-52-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-56-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-48-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-0-0x0000000000F90000-0x0000000000FDC000-memory.dmp

Filesize
304KB

Download
memory/3016-42-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-58-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-62-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-6-0x0000000005C00000-0x0000000005C70000-memory.dmp

Filesize
448KB

Download
memory/3016-66-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-70-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-68-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-60-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-40-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-38-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-34-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-32-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-30-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-26-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-24-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-22-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-14-0x0000000005C00000-0x0000000005C6B000-memory.dmp

Filesize
428KB

Download
memory/3016-2390-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/3016-5-0x0000000000F20000-0x0000000000F6A000-memory.dmp

Filesize
296KB

Download
memory/3016-4-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/3016-3-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download
memory/3016-2-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/3016-1-0x0000000073E10000-0x00000000744FE000-memory.dmp

Filesize
6.9MB

Download