asyncrat | 8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78

Analysis

max time kernel
131s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe
Size

790KB
MD5

c8b4fb2984a495c19cc5d4dcc1922914
SHA1

bbc25258b543805926d034564015a2e4d40b0647
SHA256

8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78
SHA512

d084a9565d9cd7137969bc0cfb2dad3e2370451715dccf89906eafbb2ecbdf20bc8e654ff4aaa8facf5bd8931861f8e3df4cf5f1079431debadeff93b37c2205
SSDEEP

12288:T6tHgfBPsucbAapcfyTAKQrj86Hil5QaHRnxiWUotpA5Xturz1J+mZWwVVVVVVVX:T6tHwxEAapcaXBxRwWFtpAzs1IWb/T

Score

10^/10

asyncrat zgrat torremenor persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

TORREMENOR

danielballesterosdominper.con-ip.com:4040

Mutex

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/1856-2-0x0000000004240000-0x00000000042DC000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-4-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-3-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-6-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-8-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-10-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-12-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-18-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-16-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-14-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-20-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-22-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-24-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-26-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-28-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-30-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-32-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-34-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-36-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-38-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-42-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-40-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-48-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-46-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-44-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-50-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-52-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-54-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-56-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-58-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-60-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-62-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-64-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1
behavioral1/memory/1856-66-0x0000000004240000-0x00000000042D5000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects file containing reversed ASEP Autorun registry keys 2 IoCs

resource	yara_rule
behavioral1/memory/772-958-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/772-960-0x0000000004C60000-0x0000000004CA0000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qxhmhuy = "C:\\Users\\Admin\\AppData\\Roaming\\Qxhmhuy.exe"	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 772	1856	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 772	1856	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe	30
PID 1856 wrote to memory of 772	1856	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe	30
PID 1856 wrote to memory of 772	1856	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe	30
PID 1856 wrote to memory of 772	1856	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe	30
PID 1856 wrote to memory of 772	1856	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe	30
PID 1856 wrote to memory of 772	1856	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe	30
PID 1856 wrote to memory of 772	1856	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe	30
PID 1856 wrote to memory of 772	1856	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe	30
PID 1856 wrote to memory of 772	1856	8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe	30

C:\Users\Admin\AppData\Local\Temp\8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe
"C:\Users\Admin\AppData\Local\Temp\8545fedaeb113fdb4000b3f6a8d0f0f4694f9198203086a7d1230385a5180f78.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  2⤵
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-958-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/772-961-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/772-960-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/772-959-0x00000000749F0000-0x00000000750DE000-memory.dmp

Filesize
6.9MB

Download
memory/1856-42-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-44-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-8-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-10-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-12-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-18-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-16-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-14-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-20-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-22-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-24-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-26-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-28-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-30-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-32-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-34-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-36-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-46-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-0-0x0000000000360000-0x0000000000428000-memory.dmp

Filesize
800KB

Download
memory/1856-40-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-6-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-48-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-38-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-50-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-52-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-54-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-56-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-58-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-60-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-62-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-64-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-66-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-936-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1856-935-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1856-937-0x0000000000820000-0x0000000000852000-memory.dmp

Filesize
200KB

Download
memory/1856-938-0x00000000049D0000-0x0000000004A1C000-memory.dmp

Filesize
304KB

Download
memory/1856-939-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-940-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1856-954-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-3-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-4-0x0000000004240000-0x00000000042D5000-memory.dmp

Filesize
596KB

Download
memory/1856-2-0x0000000004240000-0x00000000042DC000-memory.dmp

Filesize
624KB

Download
memory/1856-1-0x0000000074A70000-0x000000007515E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads