asyncrat | f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5

General

Target

f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
Size

575KB
MD5

18ccd333d9d11e8bc62935caab393521
SHA1

ae54dc1fe193bf3ad174566a47ab1013f107e878
SHA256

f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5
SHA512

a07d2a5cc0cb3044693c0274f728999335021cecf5a5bd697720c88e952f8ca69fd5e5ea7e581a3e400df439de6d5cb8d16d6dad6238f6415eaf4d7e5e1cba21
SSDEEP

12288:UB1oVeonJHI5mtDWQyskRb+udA2w1nelK8X+e:eo5dWmFWXRNA2/RX7

Score

10^/10

asyncrat testing rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Testing

C2

91.207.102.163:9899

Mutex

HbLmK5pOLkik

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detects executables packed with SmartAssembly 1 IoCs

resource	yara_rule
behavioral1/memory/2212-5-0x0000000000640000-0x000000000064C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Detects file containing reversed ASEP Autorun registry keys 5 IoCs

resource	yara_rule
behavioral1/memory/2784-25-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/2784-27-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/2784-31-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/2784-33-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
behavioral1/memory/2784-35-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2784	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
2552	powershell.exe
2652	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2552	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	28
PID 2212 wrote to memory of 2552	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	28
PID 2212 wrote to memory of 2552	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	28
PID 2212 wrote to memory of 2552	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	28
PID 2212 wrote to memory of 2652	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	30
PID 2212 wrote to memory of 2652	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	30
PID 2212 wrote to memory of 2652	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	30
PID 2212 wrote to memory of 2652	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	30
PID 2212 wrote to memory of 2576	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	32
PID 2212 wrote to memory of 2576	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	32
PID 2212 wrote to memory of 2576	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	32
PID 2212 wrote to memory of 2576	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	32
PID 2212 wrote to memory of 2784	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	34
PID 2212 wrote to memory of 2784	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	34
PID 2212 wrote to memory of 2784	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	34
PID 2212 wrote to memory of 2784	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	34
PID 2212 wrote to memory of 2784	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	34
PID 2212 wrote to memory of 2784	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	34
PID 2212 wrote to memory of 2784	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	34
PID 2212 wrote to memory of 2784	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	34
PID 2212 wrote to memory of 2784	2212	f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe	34

C:\Users\Admin\AppData\Local\Temp\f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
"C:\Users\Admin\AppData\Local\Temp\f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\flVdJE.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\flVdJE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA98.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe
  "C:\Users\Admin\AppData\Local\Temp\f191d334abb3d33f9d99efb91b4c12f8f6367d8015c83b3f93adb272a2da5cf5.exe"
  2⤵
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBA98.tmp

Filesize
1KB

MD5
626996d4276cf661ae9f7e3836b43934

SHA1
3951d9e5552ab405daf72964b73938a51f5d644e

SHA256
9abf612447c37746d1ccce1a8ceaec0b1eebae98b1310155080bd6cbdac577c1

SHA512
599469110c78e2ffec59f02cc9cec57268e809db69f359467593a36b769f95e960cd7cd7891e8712c7fc76cfa97965c55db687442c12d3fafc1fb2dce2ef0eb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8014d028e38d804d62075bbf40d37a6f

SHA1
295e6204a0646775401c461c07fc4ae2f8386cae

SHA256
8ccb85ff4e63e00f8f9fb3208e0f6d0817eac7f5ca8ef22f4b15f83ea67e5762

SHA512
4b57f74e9ac81c8a4273ceed3ef9c0aefec726c0f2766afd1cd96f81b7344e1bdd9c9405bb9dd2fa343f32b7f4107a855de1d58bd8a31857a3dd4c7583f48428

Download Submit
memory/2212-8-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2212-2-0x00000000048E0000-0x0000000004920000-memory.dmp

Filesize
256KB

Download
memory/2212-4-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2212-5-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2212-6-0x00000000009E0000-0x0000000000A34000-memory.dmp

Filesize
336KB

Download
memory/2212-7-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-36-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2212-0-0x0000000001320000-0x00000000013B6000-memory.dmp

Filesize
600KB

Download
memory/2212-1-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-45-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2552-47-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-40-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

Filesize
5.7MB

Download
memory/2552-38-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-41-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-39-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/2652-46-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-42-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/2652-37-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

Filesize
5.7MB

Download
memory/2652-43-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/2784-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-27-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-25-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-33-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-44-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-35-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-48-0x0000000004E70000-0x0000000004EB0000-memory.dmp

Filesize
256KB

Download
memory/2784-49-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-50-0x0000000004E70000-0x0000000004EB0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads