asyncrat | 894a90bbfcbd16442d3b117f6b391c1f22b72d1aebafd0ff51a60df08b1e434d

General

Target

a5565d3428290bfc6c4a9bcca68c15ea.exe
Size

937KB
MD5

a5565d3428290bfc6c4a9bcca68c15ea
SHA1

28797c12ca5450fc854f773fb0c42414c0229fa8
SHA256

894a90bbfcbd16442d3b117f6b391c1f22b72d1aebafd0ff51a60df08b1e434d
SHA512

699f9c7266fc24b78bd44d026f7c4c98e613cde7b5d32efefa65dec1706ffac4f266b712760891cb45bcf6fae96880e9ce9b3246056778e78d682e32b333d7e4
SSDEEP

24576:uboifHo7t2xklCohhwbfIWyQZD/Og34dK:ubxfel3hyf1

Score

10^/10

asyncrat neq rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

neq

C2

goodone.loseyourip.com:6606

goodone.loseyourip.com:7707

goodone.loseyourip.com:8808

Mutex

AsyncMutex_adnocxxs

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

a5565d3428290bfc6c4a9bcca68c15ea.exe

description pid process target process

PID 1524 set thread context of 2612 1524 a5565d3428290bfc6c4a9bcca68c15ea.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2412 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a5565d3428290bfc6c4a9bcca68c15ea.exeRegAsm.exe

pid process

1524 a5565d3428290bfc6c4a9bcca68c15ea.exe
1524 a5565d3428290bfc6c4a9bcca68c15ea.exe
1524 a5565d3428290bfc6c4a9bcca68c15ea.exe
2612 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a5565d3428290bfc6c4a9bcca68c15ea.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1524 a5565d3428290bfc6c4a9bcca68c15ea.exe
Token: SeDebugPrivilege 2612 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

2612 RegAsm.exe

description	pid	process	target process
PID 1524 set thread context of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe

pid	process
2412	schtasks.exe

pid	process
1524	a5565d3428290bfc6c4a9bcca68c15ea.exe
1524	a5565d3428290bfc6c4a9bcca68c15ea.exe
1524	a5565d3428290bfc6c4a9bcca68c15ea.exe
2612	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe
Token: SeDebugPrivilege	2612	RegAsm.exe

pid	process
2612	RegAsm.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

a5565d3428290bfc6c4a9bcca68c15ea.exe

description	pid	process	target process
PID 1524 wrote to memory of 2548	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2548	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2548	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2548	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2548	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2548	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2548	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2556	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2556	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2556	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2556	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2556	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2556	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2556	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2592	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2592	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2592	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2592	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2592	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2592	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2592	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2612	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1524 wrote to memory of 2412	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	schtasks.exe
PID 1524 wrote to memory of 2412	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	schtasks.exe
PID 1524 wrote to memory of 2412	1524	a5565d3428290bfc6c4a9bcca68c15ea.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a5565d3428290bfc6c4a9bcca68c15ea.exe
"C:\Users\Admin\AppData\Local\Temp\a5565d3428290bfc6c4a9bcca68c15ea.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2612
- C:\Windows\system32\schtasks.exe
  "schtasks.exe" /Create /SC MINUTE /MO 14 /TN "AppTracker" /TR "C:\Users\Admin\AppData\Roaming\Ex64_Seeders\a5565d3428290bfc6c4a9bcca68c15ea.exe" /F
  2⤵
  - Creates scheduled task(s)
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1524-0-0x000007FEF5D33000-0x000007FEF5D34000-memory.dmp

Filesize
4KB

Download
memory/1524-1-0x0000000000A90000-0x0000000000B80000-memory.dmp

Filesize
960KB

Download
memory/1524-2-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/1524-3-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/1524-19-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

Filesize
9.9MB

Download
memory/2612-15-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2612-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2612-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2612-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2612-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2612-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2612-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2612-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads