asyncrat | 46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339

General

Target

46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe
Size

89KB
MD5

12de70d06ed65680914d061347ac1f95
SHA1

14023e1ed46236cbfb463ddccd6345caa3c14d54
SHA256

46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339
SHA512

7d6a20b0e9d6c5db0177e08f197f7858aa8000097c5eb2fa7a2b3d2181fefb53760efacd7fcba32d481193eee547162ac22b08b8e8777b68fc1597dec12db67f
SSDEEP

1536:EGjb5BKhaUxo6TRMinLvIbzV6A2SYzEOV4c7rei1:EGjb5IJxZTLnL4aSY4OVDui

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

103.249.112.118:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 3096	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe	89

Executes dropped EXE 3 IoCs

pid	Process
3468	Accounts_Ledger_Software.eXE
3516	O6t2Ut6v.exe
3512	Accounts_Ledger_Software.eXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
380	SCHtAsKs.EXe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe
4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe
3468	Accounts_Ledger_Software.eXE
3468	Accounts_Ledger_Software.eXE
3512	Accounts_Ledger_Software.eXE
3512	Accounts_Ledger_Software.eXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe
Token: SeDebugPrivilege	3096	aspnet_compiler.exe
Token: SeDebugPrivilege	3468	Accounts_Ledger_Software.eXE
Token: SeDebugPrivilege	3516	O6t2Ut6v.exe
Token: SeDebugPrivilege	3512	Accounts_Ledger_Software.eXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 380	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe	84
PID 4736 wrote to memory of 380	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe	84
PID 4736 wrote to memory of 3096	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe	89
PID 4736 wrote to memory of 3096	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe	89
PID 4736 wrote to memory of 3096	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe	89
PID 4736 wrote to memory of 3096	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe	89
PID 4736 wrote to memory of 3096	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe	89
PID 4736 wrote to memory of 3096	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe	89
PID 4736 wrote to memory of 3096	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe	89
PID 4736 wrote to memory of 3096	4736	46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe	89
PID 3096 wrote to memory of 3516	3096	aspnet_compiler.exe	101
PID 3096 wrote to memory of 3516	3096	aspnet_compiler.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe
"C:\Users\Admin\AppData\Local\Temp\46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SYSTEM32\SCHtAsKs.EXe
  "SCHtAsKs.EXe" /create /tn WindowsUpdates /TR 'C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE' /du 9999:59 /sc daily /ri 1
  2⤵
  - Creates scheduled task(s)
  PID:380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\O6t2Ut6v.exe
    "C:\Users\Admin\AppData\Local\Temp\O6t2Ut6v.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3516

C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Accounts_Ledger_Software.eXE.log

Filesize
660B

MD5
1c5e1d0ff3381486370760b0f2eb656b

SHA1
f9df6be8804ef611063f1ff277e323b1215372de

SHA256
f424c891fbc7385e9826beed2dd8755aeac5495744b5de0a1e370891a7beaf7a

SHA512
78f5fc40a185d04c9e4a02a3d1b10b4bd684c579a45a0d1e8f49f8dee9018ed7bc8875cbf21f98632f93ead667214a41904226ce54817b85caeeb4b0de54a743

Download Submit
C:\Users\Admin\AppData\Local\Temp\O6t2Ut6v.exe

Filesize
89KB

MD5
421c40695b1537b040830d13b7b860d8

SHA1
a63377c184c808116f7c192cd7c5f4dd763a77d3

SHA256
a48ed05b6c117fd2ecf7c9bbf17ae3253e6aab133cdd4a06da54298635a136a5

SHA512
27564661871e700fea1ef7e2d28e739e32a0c580323fbb42c5139a64b68afffae7ac9445eb7d304502b22bacb64c611a05392a19a59a4b30ddd4bad1aa59e2f0

Download Submit
C:\Users\Admin\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE

Filesize
89KB

MD5
12de70d06ed65680914d061347ac1f95

SHA1
14023e1ed46236cbfb463ddccd6345caa3c14d54

SHA256
46b90cce656efe63bc33b585581c2cafd25778f2854a334f0421d219ed17b339

SHA512
7d6a20b0e9d6c5db0177e08f197f7858aa8000097c5eb2fa7a2b3d2181fefb53760efacd7fcba32d481193eee547162ac22b08b8e8777b68fc1597dec12db67f

Download Submit
memory/3096-9-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/3096-24-0x0000000000D60000-0x0000000000DD6000-memory.dmp

Filesize
472KB

Download
memory/3096-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3096-26-0x0000000000C00000-0x0000000000C1E000-memory.dmp

Filesize
120KB

Download
memory/3096-25-0x0000000000970000-0x000000000097E000-memory.dmp

Filesize
56KB

Download
memory/3096-10-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3096-11-0x00000000777A1000-0x00000000777A2000-memory.dmp

Filesize
4KB

Download
memory/3096-14-0x0000000005460000-0x00000000054FC000-memory.dmp

Filesize
624KB

Download
memory/3096-15-0x0000000005AB0000-0x0000000006054000-memory.dmp

Filesize
5.6MB

Download
memory/3096-16-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/3096-17-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/3096-18-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/3468-22-0x00007FFA80960000-0x00007FFA81421000-memory.dmp

Filesize
10.8MB

Download
memory/3468-23-0x00007FFA80960000-0x00007FFA81421000-memory.dmp

Filesize
10.8MB

Download
memory/3512-46-0x00007FFA80960000-0x00007FFA81421000-memory.dmp

Filesize
10.8MB

Download
memory/3512-48-0x00007FFA80960000-0x00007FFA81421000-memory.dmp

Filesize
10.8MB

Download
memory/3516-42-0x00007FFA80960000-0x00007FFA81421000-memory.dmp

Filesize
10.8MB

Download
memory/3516-38-0x0000000000540000-0x000000000055A000-memory.dmp

Filesize
104KB

Download
memory/3516-40-0x00007FFA80960000-0x00007FFA81421000-memory.dmp

Filesize
10.8MB

Download
memory/3516-41-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/3516-43-0x000000001B0F0000-0x000000001B100000-memory.dmp

Filesize
64KB

Download
memory/3516-47-0x00007FFA80960000-0x00007FFA81421000-memory.dmp

Filesize
10.8MB

Download
memory/4736-8-0x00007FFA81FD0000-0x00007FFA82A91000-memory.dmp

Filesize
10.8MB

Download
memory/4736-3-0x000000001B110000-0x000000001B120000-memory.dmp

Filesize
64KB

Download
memory/4736-5-0x000000001B0D0000-0x000000001B0D1000-memory.dmp

Filesize
4KB

Download
memory/4736-2-0x00007FFA81FD0000-0x00007FFA82A91000-memory.dmp

Filesize
10.8MB

Download
memory/4736-0-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/4736-4-0x000000001B090000-0x000000001B0CC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads