asyncrat | 79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19

General

Target

79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe
Size

194KB
MD5

150d0d25b7a369b2b55c7cfbf25a204f
SHA1

225b5a35019cd044dc603d9d997c41065283bfc7
SHA256

79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19
SHA512

564f39c2a96a0975dd68e75e2398e603c5c5a5b7267c5c53fd83bc8d2326a08c1414ca8fffa311cc8832e0d63a1c5d1cd3a12653b471fe83552e2c641a62189b
SSDEEP

3072:4uiJTUKP2zG0K3buTbSHynFYrNm6+xmfswft:4uiR+Ct3beneR+KV

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

139.180.171.110:22636

139.180.171.110:1604

Mutex

RfO8CsTGr0kh

Attributes

delay
3
install
true
install_file
chrome.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2500-0-0x00000000009C0000-0x00000000009F6000-memory.dmp	asyncrat
behavioral1/files/0x000a000000012263-15.dat	asyncrat
behavioral1/memory/2844-16-0x0000000000EF0000-0x0000000000F26000-memory.dmp	asyncrat
behavioral1/memory/2844-18-0x0000000000D40000-0x0000000000D80000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2844	chrome.exe

Loads dropped DLL 1 IoCs

pid	Process
3000	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2876	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2568	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe
2500	79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe
Token: SeDebugPrivilege	2844	chrome.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2704	2500	79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe	33
PID 2500 wrote to memory of 2704	2500	79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe	33
PID 2500 wrote to memory of 2704	2500	79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe	33
PID 2500 wrote to memory of 2704	2500	79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe	33
PID 2500 wrote to memory of 3000	2500	79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe	31
PID 2500 wrote to memory of 3000	2500	79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe	31
PID 2500 wrote to memory of 3000	2500	79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe	31
PID 2500 wrote to memory of 3000	2500	79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe	31
PID 2704 wrote to memory of 2876	2704	cmd.exe	29
PID 2704 wrote to memory of 2876	2704	cmd.exe	29
PID 2704 wrote to memory of 2876	2704	cmd.exe	29
PID 2704 wrote to memory of 2876	2704	cmd.exe	29
PID 3000 wrote to memory of 2568	3000	cmd.exe	28
PID 3000 wrote to memory of 2568	3000	cmd.exe	28
PID 3000 wrote to memory of 2568	3000	cmd.exe	28
PID 3000 wrote to memory of 2568	3000	cmd.exe	28
PID 3000 wrote to memory of 2844	3000	cmd.exe	34
PID 3000 wrote to memory of 2844	3000	cmd.exe	34
PID 3000 wrote to memory of 2844	3000	cmd.exe	34
PID 3000 wrote to memory of 2844	3000	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe
"C:\Users\Admin\AppData\Local\Temp\79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB886.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Roaming\chrome.exe
    "C:\Users\Admin\AppData\Roaming\chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr '"C:\Users\Admin\AppData\Roaming\chrome.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704

C:\Windows\SysWOW64\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2568

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr '"C:\Users\Admin\AppData\Roaming\chrome.exe"'
1⤵
- Creates scheduled task(s)
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB886.tmp.bat

Filesize
150B

MD5
69c69d156fff3ce497f0e70bd1f305bd

SHA1
b924ecdce56b818a2e753cd918be33d78a6bc698

SHA256
c26de6cb8be1d23da27de4b272851a21ae7ba8820f9206e1fe67dcbe64f0dd4f

SHA512
bac803965cfe28032cd33688a9074f0131e59de9e436fc5c15e93ca187657a5e950351ad7d92396ef7d489b5f83c2aa46f479cc1f17e12e37fae396bc8f99643

Download Submit
C:\Users\Admin\AppData\Roaming\chrome.exe

Filesize
194KB

MD5
150d0d25b7a369b2b55c7cfbf25a204f

SHA1
225b5a35019cd044dc603d9d997c41065283bfc7

SHA256
79ad3b97b133a46650bd4e9243585e619cb2225a05d8dede6d1aa78a6a54bf19

SHA512
564f39c2a96a0975dd68e75e2398e603c5c5a5b7267c5c53fd83bc8d2326a08c1414ca8fffa311cc8832e0d63a1c5d1cd3a12653b471fe83552e2c641a62189b

Download Submit
memory/2500-1-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2500-0-0x00000000009C0000-0x00000000009F6000-memory.dmp

Filesize
216KB

Download
memory/2500-2-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2500-12-0x0000000074B70000-0x000000007525E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-16-0x0000000000EF0000-0x0000000000F26000-memory.dmp

Filesize
216KB

Download
memory/2844-17-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-18-0x0000000000D40000-0x0000000000D80000-memory.dmp

Filesize
256KB

Download
memory/2844-19-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads