asyncrat | a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad

General

Target

a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
Size

47KB
MD5

0c35e8c36f627e8801c85a26d7e63b2b
SHA1

9d0d43a793ba17b89d9af95d48c30f5c6757288e
SHA256

a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad
SHA512

fc7e01c70faa4ec8425456bd2357f288bcd39d65e090423e7aea407de008c56bcb7812cefc5f476680fb57616641bb02ac21b1caf72b264d73b04e21c5ed77ac
SSDEEP

768:MukjVT0kLd3WULVPdVmo2qDNg8YwBTNNMPI4TGKXCp5/0b6rwxE1+LimhQ5JBDZ2:MukjVT0M912zwBXx4iEZb6ru7icsd0x

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

4.tcp.eu.ngrok.io:4040

4.tcp.eu.ngrok.io:120

4.tcp.eu.ngrok.io:14232

Mutex

AWCmV7whrG8q

Attributes

delay
3
install
true
install_file
sellam.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000700000002325a-11.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe

Executes dropped EXE 1 IoCs

pid	Process
456	sellam.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
26	4.tcp.eu.ngrok.io
49	4.tcp.eu.ngrok.io
56	4.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1644	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
700	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
Token: SeDebugPrivilege	456	sellam.exe
Token: SeDebugPrivilege	456	sellam.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2984	3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe	99
PID 3192 wrote to memory of 2984	3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe	99
PID 3192 wrote to memory of 2984	3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe	99
PID 3192 wrote to memory of 4436	3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe	101
PID 3192 wrote to memory of 4436	3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe	101
PID 3192 wrote to memory of 4436	3192	a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe	101
PID 2984 wrote to memory of 1644	2984	cmd.exe	103
PID 2984 wrote to memory of 1644	2984	cmd.exe	103
PID 2984 wrote to memory of 1644	2984	cmd.exe	103
PID 4436 wrote to memory of 700	4436	cmd.exe	104
PID 4436 wrote to memory of 700	4436	cmd.exe	104
PID 4436 wrote to memory of 700	4436	cmd.exe	104
PID 4436 wrote to memory of 456	4436	cmd.exe	105
PID 4436 wrote to memory of 456	4436	cmd.exe	105
PID 4436 wrote to memory of 456	4436	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe
"C:\Users\Admin\AppData\Local\Temp\a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sellam" /tr '"C:\Users\Admin\AppData\Roaming\sellam.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "sellam" /tr '"C:\Users\Admin\AppData\Roaming\sellam.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp431F.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:700
- - C:\Users\Admin\AppData\Roaming\sellam.exe
    "C:\Users\Admin\AppData\Roaming\sellam.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp431F.tmp.bat

Filesize
150B

MD5
6554f98f6817d42de04c030150e66584

SHA1
4e383183f83138d4740405954512af0e8510006a

SHA256
f05c9992821804c1548218aad37afc034afde43273189ec6e622aeddd62931bc

SHA512
1fb6d13b58a28c64ad202f74b426ab86d40ce875e7838724806c51f8a8b3cbcec99878f265150f5f40b58803a0df71fb1a8ffd16ca573a0fa152dfdeb28230cf

Download Submit
C:\Users\Admin\AppData\Roaming\sellam.exe

Filesize
47KB

MD5
0c35e8c36f627e8801c85a26d7e63b2b

SHA1
9d0d43a793ba17b89d9af95d48c30f5c6757288e

SHA256
a9943104ff50fc79bf86d3fd41389bd395f871b7bb2b413a1ac628a9b679fcad

SHA512
fc7e01c70faa4ec8425456bd2357f288bcd39d65e090423e7aea407de008c56bcb7812cefc5f476680fb57616641bb02ac21b1caf72b264d73b04e21c5ed77ac

Download Submit
memory/456-13-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/456-14-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/456-15-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/456-16-0x0000000004D00000-0x0000000004D10000-memory.dmp

Filesize
64KB

Download
memory/3192-0-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3192-1-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/3192-2-0x00000000055C0000-0x00000000055D0000-memory.dmp

Filesize
64KB

Download
memory/3192-3-0x0000000005670000-0x000000000570C000-memory.dmp

Filesize
624KB

Download
memory/3192-9-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads