asyncrat | d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa

Analysis

max time kernel
9s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0007000000023241-391.exe
Size

5.4MB
MD5

82b237983c744cf8c87ecb771cb6712c
SHA1

f02619183210ebcfbeef9fb36bc05bb60f8525f4
SHA256

d0d8566e5537f7d1c749632eafdd9475e89ca672376dba56055815538d80f2aa
SHA512

6acf7572ae8b6d76f70cff83947835c0bbea9e4cd0dd6149ce13e2d68240cec946e26629d3e3cbbf2240b6ddd76de09ae4a76974b52cab4352f2e2ad89a82ba4
SSDEEP

98304:viV6amVAcmZWGN57Ze13cnIRtO+niV6amVAcmZWGN57Ze13cnIRtG:vis9VALJZLIR5nis9VALJZLIR

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2980-7-0x0000000001130000-0x000000000137A000-memory.dmp	asyncrat
behavioral1/files/0x000a0000000133a9-6.dat	asyncrat
behavioral1/files/0x000a0000000133a9-5.dat	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2980	splwow64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe
2980	splwow64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	splwow64.exe
Token: SeDebugPrivilege	2980	splwow64.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2980	2856	0x0007000000023241-391.exe	21
PID 2856 wrote to memory of 2980	2856	0x0007000000023241-391.exe	21
PID 2856 wrote to memory of 2980	2856	0x0007000000023241-391.exe	21

C:\Users\Admin\AppData\Local\Temp\0x0007000000023241-391.exe
"C:\Users\Admin\AppData\Local\Temp\0x0007000000023241-391.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Roaming\splwow64.exe
  "C:\Users\Admin\AppData\Roaming\splwow64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\splwow64.exe

Filesize
381KB

MD5
42f8bf6d3ff9152efb3b8efe9a37c63c

SHA1
0774823d4c35f8331d289e7c8b81593d78da81f7

SHA256
b85937db9366c4ad07985ed5dd3c12dd558c331c9a390df86b75736a93be8eda

SHA512
5c8acafa7a840ccbe60ea659757d7f56cd818ec6151cabe434501af14afa6b7124eeec26549b6b3c300403b3fed1d57ca41565fa998b0670b92d0e5ee302e639

Download Submit
C:\Users\Admin\AppData\Roaming\splwow64.exe

Filesize
92KB

MD5
9719adb104eb29090405f16d8cc8b453

SHA1
c6170155bad29d40af932b376434505fc99d9484

SHA256
fc1ac9b57c37ca02421a6627fa3d526d67c4389b2d006c09385c0ec5b735cecf

SHA512
be4a790fd32886d43cd7391f24bd65c8b197d309f984da94e09a99708e03499bc06f536cc5582cca8d6fa1cd7efb58d5038e7a6d274e5dc36ed975afcfe57bc0

Download Submit
memory/2856-1-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2856-0-0x00000000012B0000-0x0000000001824000-memory.dmp

Filesize
5.5MB

Download
memory/2856-9-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2980-7-0x0000000001130000-0x000000000137A000-memory.dmp

Filesize
2.3MB

Download
memory/2980-8-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2980-10-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2980-25-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2980-26-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download