asyncrat | 1063342a4b01665860de63007e264aab2fc7e4399de6ce3d3146ff4ced1701e8

General

Target

e1b34d64a5765a02ae949b36ec895606.exe
Size

562KB
MD5

e1b34d64a5765a02ae949b36ec895606
SHA1

0e50f0f10b68149a78a1843d61b75a29930c4ddb
SHA256

1063342a4b01665860de63007e264aab2fc7e4399de6ce3d3146ff4ced1701e8
SHA512

cfe876bac1844c227de2619d09ed7deeecb20a5150affbc618152451b6728cdbca500a24025f1401038c88f74f8b2722741f077e61dc31805649635c1ff78741
SSDEEP

12288:9vRw11rKHESl9YELkhjXEIrsO5Cqt0w/2J8mZ4Ft:xIrKLKykjdUq0wC8me

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b00000001225c-13.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2592	Windows DeepSea.exe

Loads dropped DLL 1 IoCs

pid	Process
2536	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2652	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2868	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	e1b34d64a5765a02ae949b36ec895606.exe
2968	e1b34d64a5765a02ae949b36ec895606.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	e1b34d64a5765a02ae949b36ec895606.exe
Token: SeDebugPrivilege	2592	Windows DeepSea.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2620	2968	e1b34d64a5765a02ae949b36ec895606.exe	28
PID 2968 wrote to memory of 2620	2968	e1b34d64a5765a02ae949b36ec895606.exe	28
PID 2968 wrote to memory of 2620	2968	e1b34d64a5765a02ae949b36ec895606.exe	28
PID 2968 wrote to memory of 2620	2968	e1b34d64a5765a02ae949b36ec895606.exe	28
PID 2968 wrote to memory of 2536	2968	e1b34d64a5765a02ae949b36ec895606.exe	30
PID 2968 wrote to memory of 2536	2968	e1b34d64a5765a02ae949b36ec895606.exe	30
PID 2968 wrote to memory of 2536	2968	e1b34d64a5765a02ae949b36ec895606.exe	30
PID 2968 wrote to memory of 2536	2968	e1b34d64a5765a02ae949b36ec895606.exe	30
PID 2620 wrote to memory of 2652	2620	cmd.exe	32
PID 2620 wrote to memory of 2652	2620	cmd.exe	32
PID 2620 wrote to memory of 2652	2620	cmd.exe	32
PID 2620 wrote to memory of 2652	2620	cmd.exe	32
PID 2536 wrote to memory of 2868	2536	cmd.exe	33
PID 2536 wrote to memory of 2868	2536	cmd.exe	33
PID 2536 wrote to memory of 2868	2536	cmd.exe	33
PID 2536 wrote to memory of 2868	2536	cmd.exe	33
PID 2536 wrote to memory of 2592	2536	cmd.exe	34
PID 2536 wrote to memory of 2592	2536	cmd.exe	34
PID 2536 wrote to memory of 2592	2536	cmd.exe	34
PID 2536 wrote to memory of 2592	2536	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\e1b34d64a5765a02ae949b36ec895606.exe
"C:\Users\Admin\AppData\Local\Temp\e1b34d64a5765a02ae949b36ec895606.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows DeepSea" /tr '"C:\Users\Admin\AppData\Roaming\Windows DeepSea.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Windows DeepSea" /tr '"C:\Users\Admin\AppData\Roaming\Windows DeepSea.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9905.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2868
- - C:\Users\Admin\AppData\Roaming\Windows DeepSea.exe
    "C:\Users\Admin\AppData\Roaming\Windows DeepSea.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9905.tmp.bat

Filesize
159B

MD5
8403c4e7bc86c1f52a149bca6741d658

SHA1
e5017d0eeea3174e97b9bb6061cbdc727d2026f1

SHA256
7f751f48b81395640b746bf93109ad01ad74b8c11076374d724d716523224484

SHA512
fd1a42b4f3c12d34b06b6e9042ecad2333742c677c5a0f9e645e1e92ed475194ea51f5c5dd1bcdc7251f21516c76a3ac999d44beedee47c854388e2257c36d87

Download Submit
\Users\Admin\AppData\Roaming\Windows DeepSea.exe

Filesize
562KB

MD5
e1b34d64a5765a02ae949b36ec895606

SHA1
0e50f0f10b68149a78a1843d61b75a29930c4ddb

SHA256
1063342a4b01665860de63007e264aab2fc7e4399de6ce3d3146ff4ced1701e8

SHA512
cfe876bac1844c227de2619d09ed7deeecb20a5150affbc618152451b6728cdbca500a24025f1401038c88f74f8b2722741f077e61dc31805649635c1ff78741

Download Submit
memory/2592-16-0x0000000001270000-0x0000000001302000-memory.dmp

Filesize
584KB

Download
memory/2592-17-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-18-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/2592-19-0x0000000074230000-0x000000007491E000-memory.dmp

Filesize
6.9MB

Download
memory/2592-20-0x0000000000460000-0x00000000004A0000-memory.dmp

Filesize
256KB

Download
memory/2968-0-0x00000000002D0000-0x0000000000362000-memory.dmp

Filesize
584KB

Download
memory/2968-1-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-2-0x0000000004CD0000-0x0000000004D10000-memory.dmp

Filesize
256KB

Download
memory/2968-12-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads