asyncrat | 894a90bbfcbd16442d3b117f6b391c1f22b72d1aebafd0ff51a60df08b1e434d

General

Target

a5565d3428290bfc6c4a9bcca68c15ea.exe
Size

937KB
MD5

a5565d3428290bfc6c4a9bcca68c15ea
SHA1

28797c12ca5450fc854f773fb0c42414c0229fa8
SHA256

894a90bbfcbd16442d3b117f6b391c1f22b72d1aebafd0ff51a60df08b1e434d
SHA512

699f9c7266fc24b78bd44d026f7c4c98e613cde7b5d32efefa65dec1706ffac4f266b712760891cb45bcf6fae96880e9ce9b3246056778e78d682e32b333d7e4
SSDEEP

24576:uboifHo7t2xklCohhwbfIWyQZD/Og34dK:ubxfel3hyf1

Score

10^/10

asyncrat neq rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

neq

C2

goodone.loseyourip.com:6606

goodone.loseyourip.com:7707

goodone.loseyourip.com:8808

Mutex

AsyncMutex_adnocxxs

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

a5565d3428290bfc6c4a9bcca68c15ea.exe

description pid process target process

PID 1740 set thread context of 3060 1740 a5565d3428290bfc6c4a9bcca68c15ea.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2604 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

RegAsm.exe

pid process

3060 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a5565d3428290bfc6c4a9bcca68c15ea.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 1740 a5565d3428290bfc6c4a9bcca68c15ea.exe
Token: SeDebugPrivilege 3060 RegAsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegAsm.exe

pid process

3060 RegAsm.exe

description	pid	process	target process
PID 1740 set thread context of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe

pid	process
2604	schtasks.exe

pid	process
3060	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe
Token: SeDebugPrivilege	3060	RegAsm.exe

pid	process
3060	RegAsm.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

a5565d3428290bfc6c4a9bcca68c15ea.exe

description	pid	process	target process
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 3060	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	RegAsm.exe
PID 1740 wrote to memory of 2604	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	schtasks.exe
PID 1740 wrote to memory of 2604	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	schtasks.exe
PID 1740 wrote to memory of 2604	1740	a5565d3428290bfc6c4a9bcca68c15ea.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a5565d3428290bfc6c4a9bcca68c15ea.exe
"C:\Users\Admin\AppData\Local\Temp\a5565d3428290bfc6c4a9bcca68c15ea.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3060
- C:\Windows\system32\schtasks.exe
  "schtasks.exe" /Create /SC MINUTE /MO 14 /TN "AppTracker" /TR "C:\Users\Admin\AppData\Roaming\Ex64_Seeders\a5565d3428290bfc6c4a9bcca68c15ea.exe" /F
  2⤵
  - Creates scheduled task(s)
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab254E.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
memory/1740-0-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x0000000000EE0000-0x0000000000FD0000-memory.dmp

Filesize
960KB

Download
memory/1740-2-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-3-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download
memory/1740-19-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

Filesize
9.9MB

Download
memory/3060-17-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3060-15-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3060-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3060-10-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3060-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3060-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3060-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3060-4-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads