asyncrat | 0430110381976669226247e7c5403ac61f4d419c7fa223231ce5c9af7cd3bbf1

General

Target

54c5be1e2056c9d591b7e35853ca4a84.exe
Size

585KB
MD5

54c5be1e2056c9d591b7e35853ca4a84
SHA1

c00bd4d0c3b6060dde5095c4c6938badf1b29eda
SHA256

0430110381976669226247e7c5403ac61f4d419c7fa223231ce5c9af7cd3bbf1
SHA512

8d6e219729f8a981c94b7e8d7b5f2bf764367b096381abaa3033171c590587b00ced309e641a9955f60c3836fc366c91bfd90414216373cd91e66ab2f24a4c75
SSDEEP

6144:5jrbYSqQ/Gq/lqLrBOOfd0tV9D8DT/XELB:5nb/xq0V9ATfWB

Score

10^/10

asyncrat wire$$$$$$$$rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WIRE$$$$$$$$

C2

severdops.ddns.net:6204

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
iconfx.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2728-8-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2728-10-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2728-14-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2728-16-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2728-18-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2728-24-0x0000000000F00000-0x0000000000F40000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

iconfx.exeiconfx.exe

pid process

2392 iconfx.exe
3008 iconfx.exe
Loads dropped DLL 7 IoCs

Processes:

cmd.exeWerFault.exe

pid process

2584 cmd.exe
2584 cmd.exe
668 WerFault.exe
668 WerFault.exe
668 WerFault.exe
668 WerFault.exe
668 WerFault.exe

pid	process
2392	iconfx.exe
3008	iconfx.exe

pid	process
2584	cmd.exe
2584	cmd.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe
668	WerFault.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

54c5be1e2056c9d591b7e35853ca4a84.exeiconfx.exe

description	pid	process	target process
PID 2348 set thread context of 2728	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	54c5be1e2056c9d591b7e35853ca4a84.exe
PID 2392 set thread context of 3008	2392	iconfx.exe	iconfx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2316 2348 WerFault.exe 54c5be1e2056c9d591b7e35853ca4a84.exe
668 2392 WerFault.exe iconfx.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2512 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1940 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

54c5be1e2056c9d591b7e35853ca4a84.exe

pid process

2728 54c5be1e2056c9d591b7e35853ca4a84.exe
2728 54c5be1e2056c9d591b7e35853ca4a84.exe

pid	pid_target	process	target process
2316	2348	WerFault.exe	54c5be1e2056c9d591b7e35853ca4a84.exe
668	2392	WerFault.exe	iconfx.exe

pid	process
2512	schtasks.exe

pid	process
1940	timeout.exe

pid	process
2728	54c5be1e2056c9d591b7e35853ca4a84.exe
2728	54c5be1e2056c9d591b7e35853ca4a84.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

54c5be1e2056c9d591b7e35853ca4a84.exe54c5be1e2056c9d591b7e35853ca4a84.exeiconfx.exeiconfx.exe

description	pid	process
Token: SeDebugPrivilege	2348	54c5be1e2056c9d591b7e35853ca4a84.exe
Token: SeDebugPrivilege	2728	54c5be1e2056c9d591b7e35853ca4a84.exe
Token: SeDebugPrivilege	2392	iconfx.exe
Token: SeDebugPrivilege	3008	iconfx.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

54c5be1e2056c9d591b7e35853ca4a84.exe54c5be1e2056c9d591b7e35853ca4a84.execmd.execmd.exeiconfx.exe

description	pid	process	target process
PID 2348 wrote to memory of 2728	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	54c5be1e2056c9d591b7e35853ca4a84.exe
PID 2348 wrote to memory of 2728	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	54c5be1e2056c9d591b7e35853ca4a84.exe
PID 2348 wrote to memory of 2728	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	54c5be1e2056c9d591b7e35853ca4a84.exe
PID 2348 wrote to memory of 2728	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	54c5be1e2056c9d591b7e35853ca4a84.exe
PID 2348 wrote to memory of 2728	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	54c5be1e2056c9d591b7e35853ca4a84.exe
PID 2348 wrote to memory of 2728	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	54c5be1e2056c9d591b7e35853ca4a84.exe
PID 2348 wrote to memory of 2728	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	54c5be1e2056c9d591b7e35853ca4a84.exe
PID 2348 wrote to memory of 2728	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	54c5be1e2056c9d591b7e35853ca4a84.exe
PID 2348 wrote to memory of 2728	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	54c5be1e2056c9d591b7e35853ca4a84.exe
PID 2348 wrote to memory of 2316	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	WerFault.exe
PID 2348 wrote to memory of 2316	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	WerFault.exe
PID 2348 wrote to memory of 2316	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	WerFault.exe
PID 2348 wrote to memory of 2316	2348	54c5be1e2056c9d591b7e35853ca4a84.exe	WerFault.exe
PID 2728 wrote to memory of 2844	2728	54c5be1e2056c9d591b7e35853ca4a84.exe	cmd.exe
PID 2728 wrote to memory of 2844	2728	54c5be1e2056c9d591b7e35853ca4a84.exe	cmd.exe
PID 2728 wrote to memory of 2844	2728	54c5be1e2056c9d591b7e35853ca4a84.exe	cmd.exe
PID 2728 wrote to memory of 2844	2728	54c5be1e2056c9d591b7e35853ca4a84.exe	cmd.exe
PID 2728 wrote to memory of 2584	2728	54c5be1e2056c9d591b7e35853ca4a84.exe	cmd.exe
PID 2728 wrote to memory of 2584	2728	54c5be1e2056c9d591b7e35853ca4a84.exe	cmd.exe
PID 2728 wrote to memory of 2584	2728	54c5be1e2056c9d591b7e35853ca4a84.exe	cmd.exe
PID 2728 wrote to memory of 2584	2728	54c5be1e2056c9d591b7e35853ca4a84.exe	cmd.exe
PID 2844 wrote to memory of 2512	2844	cmd.exe	schtasks.exe
PID 2844 wrote to memory of 2512	2844	cmd.exe	schtasks.exe
PID 2844 wrote to memory of 2512	2844	cmd.exe	schtasks.exe
PID 2844 wrote to memory of 2512	2844	cmd.exe	schtasks.exe
PID 2584 wrote to memory of 1940	2584	cmd.exe	timeout.exe
PID 2584 wrote to memory of 1940	2584	cmd.exe	timeout.exe
PID 2584 wrote to memory of 1940	2584	cmd.exe	timeout.exe
PID 2584 wrote to memory of 1940	2584	cmd.exe	timeout.exe
PID 2584 wrote to memory of 2392	2584	cmd.exe	iconfx.exe
PID 2584 wrote to memory of 2392	2584	cmd.exe	iconfx.exe
PID 2584 wrote to memory of 2392	2584	cmd.exe	iconfx.exe
PID 2584 wrote to memory of 2392	2584	cmd.exe	iconfx.exe
PID 2392 wrote to memory of 3008	2392	iconfx.exe	iconfx.exe
PID 2392 wrote to memory of 3008	2392	iconfx.exe	iconfx.exe
PID 2392 wrote to memory of 3008	2392	iconfx.exe	iconfx.exe
PID 2392 wrote to memory of 3008	2392	iconfx.exe	iconfx.exe
PID 2392 wrote to memory of 3008	2392	iconfx.exe	iconfx.exe
PID 2392 wrote to memory of 3008	2392	iconfx.exe	iconfx.exe
PID 2392 wrote to memory of 3008	2392	iconfx.exe	iconfx.exe
PID 2392 wrote to memory of 3008	2392	iconfx.exe	iconfx.exe
PID 2392 wrote to memory of 3008	2392	iconfx.exe	iconfx.exe
PID 2392 wrote to memory of 668	2392	iconfx.exe	WerFault.exe
PID 2392 wrote to memory of 668	2392	iconfx.exe	WerFault.exe
PID 2392 wrote to memory of 668	2392	iconfx.exe	WerFault.exe
PID 2392 wrote to memory of 668	2392	iconfx.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\54c5be1e2056c9d591b7e35853ca4a84.exe
"C:\Users\Admin\AppData\Local\Temp\54c5be1e2056c9d591b7e35853ca4a84.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Users\Admin\AppData\Local\Temp\54c5be1e2056c9d591b7e35853ca4a84.exe
"C:\Users\Admin\AppData\Local\Temp\54c5be1e2056c9d591b7e35853ca4a84.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "iconfx" /tr '"C:\Users\Admin\AppData\Roaming\iconfx.exe"'
4⤵
- Creates scheduled task(s)
PID:2512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA544.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:1940

C:\Users\Admin\AppData\Roaming\iconfx.exe
"C:\Users\Admin\AppData\Roaming\iconfx.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Roaming\iconfx.exe
"C:\Users\Admin\AppData\Roaming\iconfx.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 652
5⤵
- Loads dropped DLL
- Program crash
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 640
2⤵
- Program crash
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA544.tmp.bat
Filesize
150B

MD5
704efbd1e924d49aba5005896e0355e4

SHA1
5efe2a835b03b711c0419b983187991946982b73

SHA256
8987793863909ac1dd7593808bd685d5f2f1e1597d0547435740c8c4c949a070

SHA512
771ec090dd8ff185f44e31ada6a132c3f2f8c9481ae2aa6a90437c732ed17456bbd9a91628d58055a24cf4fb962fdc1a1237d7aebdb1280279ef28bb889b44dd

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
Filesize
585KB

MD5
54c5be1e2056c9d591b7e35853ca4a84

SHA1
c00bd4d0c3b6060dde5095c4c6938badf1b29eda

SHA256
0430110381976669226247e7c5403ac61f4d419c7fa223231ce5c9af7cd3bbf1

SHA512
8d6e219729f8a981c94b7e8d7b5f2bf764367b096381abaa3033171c590587b00ced309e641a9955f60c3836fc366c91bfd90414216373cd91e66ab2f24a4c75

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
Filesize
486KB

MD5
ac6ba1f7d876186da2c87c4b1ba1b71c

SHA1
ea42c220c711d4537c4ed9b6a32575d9e89a5ba7

SHA256
4b0b1e5a55995c84d0f47b3daf012dca646dbde9b58c4f80c3dc13cf6e250eb1

SHA512
4f316a5d05a7570e2db983d559d544bcba39ef8a42b4691df2238488bb24a847b87d3ce303009f8c34c9f93e8807d81fe488f828481b0afadb0833d9b4564308

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
Filesize
177KB

MD5
f6b1cb65830df4f1b1c9982fe1c397b6

SHA1
1a31e188b309c487bffeed90a7bb5dc1ec475a86

SHA256
251c97e13377712ba3660d243ef662839763ed21371d8f5c18770990fd4c6d02

SHA512
8eeab8c9bcd003a5200a4f81a711ea97a1fe843c4e71631cc097109460d2474e995d54d89b3e905cb184a9292264eaea5c5622db7e3ef48313926ec31078147d

Download Submit
\Users\Admin\AppData\Roaming\iconfx.exe
Filesize
563KB

MD5
52d1f059e14c9f163c8100098c0dfb23

SHA1
0014ef019f3d9a4aeab25a5a211ec56409b46c60

SHA256
acd5f171772eb931682265c4e54c00a0fad2c756594fdfad231acfb2b6fa1434

SHA512
31a7a82af68655f628aa771b677c40b3b11be25cf1e59c1fc9cc189c08b6726844784c385566e6568fafda0fac50e06687c455f9abb62253c2b1e9866c4d1793

Download Submit
memory/2348-19-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2348-0-0x0000000001010000-0x00000000010A6000-memory.dmp

Filesize
600KB

Download
memory/2348-3-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2348-2-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Filesize
256KB

Download
memory/2348-1-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2348-35-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Filesize
256KB

Download
memory/2348-23-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-61-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-42-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/2392-41-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2392-40-0x0000000000FC0000-0x0000000001056000-memory.dmp

Filesize
600KB

Download
memory/2728-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-24-0x0000000000F00000-0x0000000000F40000-memory.dmp

Filesize
256KB

Download
memory/2728-22-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-4-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-34-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-59-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-62-0x0000000074B50000-0x000000007523E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-63-0x0000000004D00000-0x0000000004D40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads