asyncrat | 08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f

General

Target

712940BAEF78C821E36B8701BF073C52.exe
Size

91KB
MD5

712940baef78c821e36b8701bf073c52
SHA1

d59896b87424fafc0d00ab5e5c2019bd941167ce
SHA256

08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f
SHA512

68bc6df413e00e6420ee6db6e4d0497bab61908b96f48fdb6bf6aae9bed72de840d83dfc0017dd24995a05f29b415b82852f84e9b74de85d303b67cc396c7007
SSDEEP

1536:qoJFOWbLXbbetrgpFZ2nrWLtyEclopV4c78eiV:zFOWbLLbetrgQn6BpVD34

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8 - Customized by Mikewaals

Botnet

Default

C2

204.12.199.30:6606

204.12.199.30:7707

204.12.199.30:8808

Mutex

Bbtt03i3Zbxo

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Downloads MZ/PE file
Suspicious use of SetThreadContext 1 IoCs

Processes:

712940BAEF78C821E36B8701BF073C52.exe

description pid process target process

PID 2372 set thread context of 2724 2372 712940BAEF78C821E36B8701BF073C52.exe aspnet_compiler.exe
Executes dropped EXE 2 IoCs

Processes:

Accounts_Ledger_Software.eXEAccounts_Ledger_Software.eXE

pid process

2900 Accounts_Ledger_Software.eXE
1432 Accounts_Ledger_Software.eXE
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

SCHtAsKs.EXe

pid process

2816 SCHtAsKs.EXe

description	pid	process	target process
PID 2372 set thread context of 2724	2372	712940BAEF78C821E36B8701BF073C52.exe	aspnet_compiler.exe

pid	process
2900	Accounts_Ledger_Software.eXE
1432	Accounts_Ledger_Software.eXE

pid	process
2816	SCHtAsKs.EXe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

712940BAEF78C821E36B8701BF073C52.exeAccounts_Ledger_Software.eXEAccounts_Ledger_Software.eXE

pid	process
2372	712940BAEF78C821E36B8701BF073C52.exe
2372	712940BAEF78C821E36B8701BF073C52.exe
2372	712940BAEF78C821E36B8701BF073C52.exe
2372	712940BAEF78C821E36B8701BF073C52.exe
2900	Accounts_Ledger_Software.eXE
2900	Accounts_Ledger_Software.eXE
1432	Accounts_Ledger_Software.eXE
1432	Accounts_Ledger_Software.eXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

712940BAEF78C821E36B8701BF073C52.exeaspnet_compiler.exeAccounts_Ledger_Software.eXEAccounts_Ledger_Software.eXE

description	pid	process
Token: SeDebugPrivilege	2372	712940BAEF78C821E36B8701BF073C52.exe
Token: SeDebugPrivilege	2724	aspnet_compiler.exe
Token: SeDebugPrivilege	2900	Accounts_Ledger_Software.eXE
Token: SeDebugPrivilege	1432	Accounts_Ledger_Software.eXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

712940BAEF78C821E36B8701BF073C52.exetaskeng.exe

description	pid	process	target process
PID 2372 wrote to memory of 2816	2372	712940BAEF78C821E36B8701BF073C52.exe	SCHtAsKs.EXe
PID 2372 wrote to memory of 2816	2372	712940BAEF78C821E36B8701BF073C52.exe	SCHtAsKs.EXe
PID 2372 wrote to memory of 2816	2372	712940BAEF78C821E36B8701BF073C52.exe	SCHtAsKs.EXe
PID 2372 wrote to memory of 2816	2372	712940BAEF78C821E36B8701BF073C52.exe	SCHtAsKs.EXe
PID 2372 wrote to memory of 2724	2372	712940BAEF78C821E36B8701BF073C52.exe	aspnet_compiler.exe
PID 2372 wrote to memory of 2724	2372	712940BAEF78C821E36B8701BF073C52.exe	aspnet_compiler.exe
PID 2372 wrote to memory of 2724	2372	712940BAEF78C821E36B8701BF073C52.exe	aspnet_compiler.exe
PID 2372 wrote to memory of 2724	2372	712940BAEF78C821E36B8701BF073C52.exe	aspnet_compiler.exe
PID 2372 wrote to memory of 2724	2372	712940BAEF78C821E36B8701BF073C52.exe	aspnet_compiler.exe
PID 2372 wrote to memory of 2724	2372	712940BAEF78C821E36B8701BF073C52.exe	aspnet_compiler.exe
PID 2372 wrote to memory of 2724	2372	712940BAEF78C821E36B8701BF073C52.exe	aspnet_compiler.exe
PID 2372 wrote to memory of 2724	2372	712940BAEF78C821E36B8701BF073C52.exe	aspnet_compiler.exe
PID 2372 wrote to memory of 2724	2372	712940BAEF78C821E36B8701BF073C52.exe	aspnet_compiler.exe
PID 2796 wrote to memory of 2900	2796	taskeng.exe	Accounts_Ledger_Software.eXE
PID 2796 wrote to memory of 2900	2796	taskeng.exe	Accounts_Ledger_Software.eXE
PID 2796 wrote to memory of 2900	2796	taskeng.exe	Accounts_Ledger_Software.eXE
PID 2796 wrote to memory of 2900	2796	taskeng.exe	Accounts_Ledger_Software.eXE
PID 2796 wrote to memory of 1432	2796	taskeng.exe	Accounts_Ledger_Software.eXE
PID 2796 wrote to memory of 1432	2796	taskeng.exe	Accounts_Ledger_Software.eXE
PID 2796 wrote to memory of 1432	2796	taskeng.exe	Accounts_Ledger_Software.eXE
PID 2796 wrote to memory of 1432	2796	taskeng.exe	Accounts_Ledger_Software.eXE

C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe
"C:\Users\Admin\AppData\Local\Temp\712940BAEF78C821E36B8701BF073C52.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Windows\SysWOW64\SCHtAsKs.EXe
"SCHtAsKs.EXe" /create /tn WindowsUpdates833481094 /tr "C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 09:37 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
2⤵
- Creates scheduled task(s)
PID:2816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\taskeng.exe
taskeng.exe {559638E5-9D6D-478A-BDB8-A5FB20F6D7A4} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
Filesize
91KB

MD5
712940baef78c821e36b8701bf073c52

SHA1
d59896b87424fafc0d00ab5e5c2019bd941167ce

SHA256
08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f

SHA512
68bc6df413e00e6420ee6db6e4d0497bab61908b96f48fdb6bf6aae9bed72de840d83dfc0017dd24995a05f29b415b82852f84e9b74de85d303b67cc396c7007

Download Submit
memory/1432-42-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/1432-40-0x0000000001220000-0x000000000123A000-memory.dmp

Filesize
104KB

Download
memory/1432-41-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-13-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-1-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-2-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2372-4-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/2372-0-0x0000000001130000-0x000000000114A000-memory.dmp

Filesize
104KB

Download
memory/2724-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2724-32-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2724-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2724-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2724-17-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-18-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/2724-31-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2724-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2724-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2724-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2724-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2900-37-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2900-36-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2900-35-0x00000000002F0000-0x000000000030A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads