asyncrat | 502d5f5c411a1eeec35a874336b32d35502abb31afd202ad66bd9b2bc341307f

General

Target

2b953a27fe875c8394d05347a5d11d14.exe
Size

109KB
MD5

2b953a27fe875c8394d05347a5d11d14
SHA1

c4976290e6ec103671e7709abbed1a92c7c9b0a2
SHA256

502d5f5c411a1eeec35a874336b32d35502abb31afd202ad66bd9b2bc341307f
SHA512

5e62c4f031a05d4b3d8bc21b65d9d784de8eb759e13fe4ca9069c1c3520a8b0dcca964e1e39a6c38267d488f46a9986beb2161468dc5bc4ad1ff7313485ddf6e
SSDEEP

3072:Foiy0nuMAXQF6PIZEDlY+9TXxzQ+HsKWbmFq5:Foinzot84umF

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

Mutex

0pe3F2LrSSkk

Attributes

delay
3
install
true
install_file
Fluxus Folder.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/qdzaTTaM

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2b953a27fe875c8394d05347a5d11d14.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2b953a27fe875c8394d05347a5d11d14.exe

Executes dropped EXE 2 IoCs

Processes:

Fluxus Folder.exeFluxus Folder.exe

pid process

3276 Fluxus Folder.exe
4988 Fluxus Folder.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

39 pastebin.com
40 pastebin.com
41 0.tcp.eu.ngrok.io
73 0.tcp.eu.ngrok.io

pid	process
3276	Fluxus Folder.exe
4988	Fluxus Folder.exe

flow	ioc
39	pastebin.com
40	pastebin.com
41	0.tcp.eu.ngrok.io
73	0.tcp.eu.ngrok.io

Suspicious use of SetThreadContext 2 IoCs

Processes:

2b953a27fe875c8394d05347a5d11d14.exeFluxus Folder.exe

description	pid	process	target process
PID 900 set thread context of 4752	900	2b953a27fe875c8394d05347a5d11d14.exe	2b953a27fe875c8394d05347a5d11d14.exe
PID 3276 set thread context of 4988	3276	Fluxus Folder.exe	Fluxus Folder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1804 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

244 timeout.exe

pid	process
1804	schtasks.exe

pid	process
244	timeout.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

2b953a27fe875c8394d05347a5d11d14.exe

pid	process
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe
4752	2b953a27fe875c8394d05347a5d11d14.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2b953a27fe875c8394d05347a5d11d14.exeFluxus Folder.exe

description	pid	process
Token: SeDebugPrivilege	4752	2b953a27fe875c8394d05347a5d11d14.exe
Token: SeDebugPrivilege	4988	Fluxus Folder.exe
Token: SeDebugPrivilege	4988	Fluxus Folder.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

2b953a27fe875c8394d05347a5d11d14.exe2b953a27fe875c8394d05347a5d11d14.execmd.execmd.exeFluxus Folder.exe

description	pid	process	target process
PID 900 wrote to memory of 4752	900	2b953a27fe875c8394d05347a5d11d14.exe	2b953a27fe875c8394d05347a5d11d14.exe
PID 900 wrote to memory of 4752	900	2b953a27fe875c8394d05347a5d11d14.exe	2b953a27fe875c8394d05347a5d11d14.exe
PID 900 wrote to memory of 4752	900	2b953a27fe875c8394d05347a5d11d14.exe	2b953a27fe875c8394d05347a5d11d14.exe
PID 900 wrote to memory of 4752	900	2b953a27fe875c8394d05347a5d11d14.exe	2b953a27fe875c8394d05347a5d11d14.exe
PID 900 wrote to memory of 4752	900	2b953a27fe875c8394d05347a5d11d14.exe	2b953a27fe875c8394d05347a5d11d14.exe
PID 900 wrote to memory of 4752	900	2b953a27fe875c8394d05347a5d11d14.exe	2b953a27fe875c8394d05347a5d11d14.exe
PID 900 wrote to memory of 4752	900	2b953a27fe875c8394d05347a5d11d14.exe	2b953a27fe875c8394d05347a5d11d14.exe
PID 900 wrote to memory of 4752	900	2b953a27fe875c8394d05347a5d11d14.exe	2b953a27fe875c8394d05347a5d11d14.exe
PID 4752 wrote to memory of 4748	4752	2b953a27fe875c8394d05347a5d11d14.exe	cmd.exe
PID 4752 wrote to memory of 4748	4752	2b953a27fe875c8394d05347a5d11d14.exe	cmd.exe
PID 4752 wrote to memory of 4748	4752	2b953a27fe875c8394d05347a5d11d14.exe	cmd.exe
PID 4752 wrote to memory of 4460	4752	2b953a27fe875c8394d05347a5d11d14.exe	cmd.exe
PID 4752 wrote to memory of 4460	4752	2b953a27fe875c8394d05347a5d11d14.exe	cmd.exe
PID 4752 wrote to memory of 4460	4752	2b953a27fe875c8394d05347a5d11d14.exe	cmd.exe
PID 4748 wrote to memory of 1804	4748	cmd.exe	schtasks.exe
PID 4748 wrote to memory of 1804	4748	cmd.exe	schtasks.exe
PID 4748 wrote to memory of 1804	4748	cmd.exe	schtasks.exe
PID 4460 wrote to memory of 244	4460	cmd.exe	timeout.exe
PID 4460 wrote to memory of 244	4460	cmd.exe	timeout.exe
PID 4460 wrote to memory of 244	4460	cmd.exe	timeout.exe
PID 4460 wrote to memory of 3276	4460	cmd.exe	Fluxus Folder.exe
PID 4460 wrote to memory of 3276	4460	cmd.exe	Fluxus Folder.exe
PID 4460 wrote to memory of 3276	4460	cmd.exe	Fluxus Folder.exe
PID 3276 wrote to memory of 4988	3276	Fluxus Folder.exe	Fluxus Folder.exe
PID 3276 wrote to memory of 4988	3276	Fluxus Folder.exe	Fluxus Folder.exe
PID 3276 wrote to memory of 4988	3276	Fluxus Folder.exe	Fluxus Folder.exe
PID 3276 wrote to memory of 4988	3276	Fluxus Folder.exe	Fluxus Folder.exe
PID 3276 wrote to memory of 4988	3276	Fluxus Folder.exe	Fluxus Folder.exe
PID 3276 wrote to memory of 4988	3276	Fluxus Folder.exe	Fluxus Folder.exe
PID 3276 wrote to memory of 4988	3276	Fluxus Folder.exe	Fluxus Folder.exe
PID 3276 wrote to memory of 4988	3276	Fluxus Folder.exe	Fluxus Folder.exe

C:\Users\Admin\AppData\Local\Temp\2b953a27fe875c8394d05347a5d11d14.exe
"C:\Users\Admin\AppData\Local\Temp\2b953a27fe875c8394d05347a5d11d14.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\2b953a27fe875c8394d05347a5d11d14.exe
  "C:\Users\Admin\AppData\Local\Temp\2b953a27fe875c8394d05347a5d11d14.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Fluxus Folder" /tr '"C:\Users\Admin\AppData\Roaming\Fluxus Folder.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Fluxus Folder" /tr '"C:\Users\Admin\AppData\Roaming\Fluxus Folder.exe"'
      4⤵
      Creates scheduled task(s)
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC091.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:244
  - - C:\Users\Admin\AppData\Roaming\Fluxus Folder.exe
      "C:\Users\Admin\AppData\Roaming\Fluxus Folder.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3276
    - - C:\Users\Admin\AppData\Roaming\Fluxus Folder.exe
        
        "C:\Users\Admin\AppData\Roaming\Fluxus Folder.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2b953a27fe875c8394d05347a5d11d14.exe.log

Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC091.tmp.bat

Filesize
157B

MD5
9289447a458c876ec46a0c388f540d0e

SHA1
db4ed9e9bbbafe47bda3a5e4b819a05c199d0de2

SHA256
fc2acc8801d19edf1f1e55e0d2f44941e278f032696d60903e16e6d92e118484

SHA512
cf8bee891d319f745b718cd775071ac63c6d0323d3fbce72fc057e49c99d40fd360fd60ddb63fb50351549dce9bf24e1c07cf332a37d26c9700d27eef41ed821

Download Submit
C:\Users\Admin\AppData\Roaming\Fluxus Folder.exe

Filesize
109KB

MD5
2b953a27fe875c8394d05347a5d11d14

SHA1
c4976290e6ec103671e7709abbed1a92c7c9b0a2

SHA256
502d5f5c411a1eeec35a874336b32d35502abb31afd202ad66bd9b2bc341307f

SHA512
5e62c4f031a05d4b3d8bc21b65d9d784de8eb759e13fe4ca9069c1c3520a8b0dcca964e1e39a6c38267d488f46a9986beb2161468dc5bc4ad1ff7313485ddf6e

Download Submit
memory/900-10-0x00000000055B0000-0x00000000055CE000-memory.dmp

Filesize
120KB

Download
memory/900-14-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/900-5-0x0000000005640000-0x00000000056B6000-memory.dmp

Filesize
472KB

Download
memory/900-6-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/900-7-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/900-8-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/900-9-0x0000000005350000-0x0000000005370000-memory.dmp

Filesize
128KB

Download
memory/900-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/900-1-0x0000000000900000-0x0000000000922000-memory.dmp

Filesize
136KB

Download
memory/900-4-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download
memory/900-3-0x00000000053B0000-0x0000000005442000-memory.dmp

Filesize
584KB

Download
memory/900-2-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/4752-16-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4752-17-0x0000000005040000-0x00000000050DC000-memory.dmp

Filesize
624KB

Download
memory/4752-21-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4752-15-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/4752-11-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads