asyncrat | 99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57

General

Target

99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe
Size

726KB
MD5

dd798a2b8fb0daf3b91fde8a450b873d
SHA1

6ae9d6ba1d4a4df1c19f76beb66f1cf067bde143
SHA256

99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57
SHA512

cef0a5895f57f98cd24dcc22d1693b1e8695b479daa35e7b59d03c5b4faa586e8e612db068d7414cd0dd9b5d64fdd48c04d68168d86a17caf12a2f1037f38a60
SSDEEP

12288:j0MDDRwl9uWD44DiV8zJBzYqXbbhwnH7BmF2ppVgcAVq0+A0x6y5DP:j9S9X04OVEBzYqXbCH7BmupVgFVq0oxJ

Score

10^/10

asyncrat gh0strat rat upx

Malware Config

Extracted

Family

asyncrat

C2

110.40.181.85:8848

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3044-12-0x0000000010000000-0x0000000010038000-memory.dmp	family_gh0strat
behavioral1/memory/3044-32-0x0000000000250000-0x000000000029B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2724-25-0x00000000005F0000-0x0000000000606000-memory.dmp	family_asyncrat

Executes dropped EXE 2 IoCs

Processes:

csress.exewinhlp64.exe

pid process

3044 csress.exe
2724 winhlp64.exe
Loads dropped DLL 1 IoCs

Processes:

99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe

pid process

2928 99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe

pid	process
3044	csress.exe
2724	winhlp64.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2928-0-0x0000000000400000-0x00000000005E3000-memory.dmp	upx
\ProgramData\csress.exe	upx
behavioral1/memory/3044-8-0x0000000000250000-0x000000000029B000-memory.dmp	upx
behavioral1/memory/2928-30-0x0000000000400000-0x00000000005E3000-memory.dmp	upx
behavioral1/memory/3044-32-0x0000000000250000-0x000000000029B000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

csress.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\ini.ini csress.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ini.ini	csress.exe

Drops file in Windows directory 2 IoCs

Processes:

99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe

description	ioc	process
File created	C:\Windows\peizhiwenjian.bin	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe
File created	C:\Windows\winhlp64.exe	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

winhlp64.execsress.exe

description	pid	process
Token: SeDebugPrivilege	2724	winhlp64.exe
Token: 33	3044	csress.exe
Token: SeIncBasePriorityPrivilege	3044	csress.exe
Token: 33	3044	csress.exe
Token: SeIncBasePriorityPrivilege	3044	csress.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.execsress.exewinhlp64.exe

pid	process
2928	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe
2928	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe
3044	csress.exe
2724	winhlp64.exe
2724	winhlp64.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe

description	pid	process	target process
PID 2928 wrote to memory of 3044	2928	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe	csress.exe
PID 2928 wrote to memory of 3044	2928	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe	csress.exe
PID 2928 wrote to memory of 3044	2928	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe	csress.exe
PID 2928 wrote to memory of 3044	2928	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe	csress.exe
PID 2928 wrote to memory of 2724	2928	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe	winhlp64.exe
PID 2928 wrote to memory of 2724	2928	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe	winhlp64.exe
PID 2928 wrote to memory of 2724	2928	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe	winhlp64.exe
PID 2928 wrote to memory of 2724	2928	99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe	winhlp64.exe

C:\Users\Admin\AppData\Local\Temp\99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe
"C:\Users\Admin\AppData\Local\Temp\99c18abc9774f9bc8aae3c9226e0b1b1ba96e188ab454c9bf95ae7d7093b4b57.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928
- C:\ProgramData\csress.exe
  C:\ProgramData\csress.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3044
- C:\Windows\winhlp64.exe
  C:\Windows\winhlp64.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2724

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\peizhiwenjian.bin

Filesize
97KB

MD5
c0c626c5228a57c771cf277d31fc3e3c

SHA1
46fb713b6473a9c8ec4d96805d3a2494b5e1ef30

SHA256
bc26a610a3c5c6d1a9f0efabdac3f9b76f56f9d3e56ec6107d41dba752aab2dc

SHA512
1c71b186b8558d97559e5c2b5d403bbdd780fdaa39d6a054cc50e25123c139e966330040023e43d010dca4f0131c2e9fcf476a2be7819a7d72012b83852aaa51

Download Submit
C:\Windows\winhlp64.exe

Filesize
780KB

MD5
432c7dea11978943acb25a4583efe8dd

SHA1
d7ab2a22f2ddd9567ee7637e3f16893264b47dac

SHA256
605619a5b38fb84ee9d99620f82950cc68c07b8b84e4f20c31f223827980e5ee

SHA512
57f49200c986cfdbdd78dea48f675160207cdf828062aa6db46fd3c736eeffbfadac58e91075834b67cf29994c7d1e6482d6918bdd6ddcce5bd555be44f69639

Download Submit
\ProgramData\csress.exe

Filesize
148KB

MD5
ae17a0ecaa1c6bec0a80c577c9c6f32f

SHA1
1372d0dcc401f40239e088a98a9e47a3d797aa03

SHA256
0f9824f123dd0e6ab72f41fd215331e335a821d44fe5a95eaa6d48d4ffc7c292

SHA512
ad4df9afba08ace2b1a15c8cfd78d183aeb47cb21b6f6736d477c56b081aad2a9fea0ff9b4aa0d25154f672efd3cf0a885017b1fb451847db7c65902d6a5f785

Download Submit
memory/2724-29-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-28-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-35-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-34-0x0000000072E9E000-0x0000000072E9F000-memory.dmp

Filesize
4KB

Download
memory/2724-24-0x0000000072E9E000-0x0000000072E9F000-memory.dmp

Filesize
4KB

Download
memory/2724-25-0x00000000005F0000-0x0000000000606000-memory.dmp

Filesize
88KB

Download
memory/2724-27-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/2724-26-0x0000000072E90000-0x000000007357E000-memory.dmp

Filesize
6.9MB

Download
memory/2928-0-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2928-30-0x0000000000400000-0x00000000005E3000-memory.dmp

Filesize
1.9MB

Download
memory/2928-31-0x0000000002250000-0x000000000229B000-memory.dmp

Filesize
300KB

Download
memory/2928-7-0x0000000002250000-0x000000000229B000-memory.dmp

Filesize
300KB

Download
memory/3044-12-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/3044-32-0x0000000000250000-0x000000000029B000-memory.dmp

Filesize
300KB

Download
memory/3044-8-0x0000000000250000-0x000000000029B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads