asyncrat | 8f5dc039858f2425120283f32b08a688219ec1fed56dca56ef072807d4b41380

General

Target

65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe
Size

896KB
MD5

65082ee4bb13d81f6011e9ebfbfd0e90
SHA1

42af2f42d9b349438e20998f261e5bb92988fd7b
SHA256

8f5dc039858f2425120283f32b08a688219ec1fed56dca56ef072807d4b41380
SHA512

44a63aea9d0ee1b723d821aa77e5a699a4dcf4b548b799375dccea3f5b468a35e7904e4d2be976c69a295c5f76ac5f030f8f92db3a32aeca04611ce49c54b7e4
SSDEEP

12288:tySs6XN2uVSIuzIcCpTRJzkVwsvoXzMNnYW25+Hsp/MsDNFtH:ZxsXYW28Hfet

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:7771

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe

description pid process target process

PID 1584 set thread context of 2780 1584 65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe

pid process

1584 65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe
1584 65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1584 65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe

description	pid	process	target process
PID 1584 set thread context of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe

pid	process
1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe
1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe

description	pid	process	target process
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe
PID 1584 wrote to memory of 2780	1584	65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\65082ee4bb13d81f6011e9ebfbfd0e90_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-14-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1584-1-0x0000000000C10000-0x0000000000CF6000-memory.dmp

Filesize
920KB

Download
memory/1584-2-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1584-3-0x00000000005B0000-0x00000000005F4000-memory.dmp

Filesize
272KB

Download
memory/1584-4-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/1584-5-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1584-6-0x00000000009B0000-0x00000000009CA000-memory.dmp

Filesize
104KB

Download
memory/1584-7-0x0000000000710000-0x0000000000716000-memory.dmp

Filesize
24KB

Download
memory/1584-8-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1584-19-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/1584-0-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/2780-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-15-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-20-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-21-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-22-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download
memory/2780-23-0x0000000074520000-0x0000000074C0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing