asyncrat | 9bc6e27c34e3b2cd3fef3fe683f34246c2e6049b4e7c0a046f2babf3a7412bba

Analysis

max time kernel
20s
max time network
22s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
22-05-2024 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PEGASUS FULL VERSION.exe
Size

6.8MB
MD5

327ba7af9427fdb450a0628a27ae26de
SHA1

26fab46989dc26bc9b152ccb983c80ed09863ab8
SHA256

9bc6e27c34e3b2cd3fef3fe683f34246c2e6049b4e7c0a046f2babf3a7412bba
SHA512

a13f3095f643428a4713a7c6c5792c8c83c0ac2c02600761b9479caf2fe3def763248be32c3da7ea76ad07463165fda0e4f8baaa33ea24930eac59a1c62ba7bf
SSDEEP

49152:fRjkwtZPgeWCKxgt/HPEp7osQ3ANHAwnZN0lDuABhTf90fNfRPZxrJJlA26TKF8P:Bkw8A

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
2 raw.githubusercontent.com
4 raw.githubusercontent.com
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

588 3020 WerFault.exe PEGASUS FULL VERSION.exe
2056 2440 WerFault.exe PEGASUS FULL VERSION.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PEGASUS FULL VERSION.exePEGASUS FULL VERSION.exe

description pid process

Token: SeDebugPrivilege 3020 PEGASUS FULL VERSION.exe
Token: SeDebugPrivilege 2440 PEGASUS FULL VERSION.exe

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com
4	raw.githubusercontent.com

pid	pid_target	process	target process
588	3020	WerFault.exe	PEGASUS FULL VERSION.exe
2056	2440	WerFault.exe	PEGASUS FULL VERSION.exe

description	pid	process
Token: SeDebugPrivilege	3020	PEGASUS FULL VERSION.exe
Token: SeDebugPrivilege	2440	PEGASUS FULL VERSION.exe

C:\Users\Admin\AppData\Local\Temp\PEGASUS FULL VERSION.exe
"C:\Users\Admin\AppData\Local\Temp\PEGASUS FULL VERSION.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 2032
  2⤵
  - Program crash
  PID:588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3020 -ip 3020
1⤵
PID:492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\PEGASUS FULL VERSION.exe
"C:\Users\Admin\AppData\Local\Temp\PEGASUS FULL VERSION.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1984
  2⤵
  - Program crash
  PID:2056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2440 -ip 2440
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2440-6-0x0000000074850000-0x00000000748FB000-memory.dmp

Filesize
684KB

Download
memory/2440-7-0x0000000074850000-0x00000000748FB000-memory.dmp

Filesize
684KB

Download
memory/3020-0-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/3020-1-0x0000000000080000-0x0000000000750000-memory.dmp

Filesize
6.8MB

Download
memory/3020-2-0x00000000057B0000-0x0000000005D56000-memory.dmp

Filesize
5.6MB

Download
memory/3020-3-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/3020-4-0x0000000074880000-0x0000000075031000-memory.dmp

Filesize
7.7MB

Download
memory/3020-5-0x0000000074880000-0x0000000075031000-memory.dmp

Filesize
7.7MB

Download