asyncrat | ed96d46674a358fd03d9996721549bdeebaffe1547d0bffa2ffaf08d9289009e

Analysis

max time kernel
121s
max time network
164s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b0e61d6cfe1df9b7406723ce49f605e.exe
Size

479KB
MD5

3b0e61d6cfe1df9b7406723ce49f605e
SHA1

b796a6c31edd70c485b5590f1639c76e1876deb8
SHA256

ed96d46674a358fd03d9996721549bdeebaffe1547d0bffa2ffaf08d9289009e
SHA512

9134a78f005c5054c0ce8b0be0a4448d3e0717a4df2e07f0b1812a49c90831c65203992632d530e1c03873d2c70caa33482001e76a775cb263d85ce0b99a0c10
SSDEEP

12288:wDR+Sb7gHCN1crY/kcinF6AwyOMQetsOUgGkrNc:4tb7gq1w9FbwyOMBPRGkrN

Score

10^/10

asyncrat danii rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7A

Botnet

DANII

danii.con-ip.com:6606

Mutex

jqqkbjyrndewhwcgsq

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

3b0e61d6cfe1df9b7406723ce49f605e.exe

description pid process target process

PID 2104 set thread context of 2728 2104 3b0e61d6cfe1df9b7406723ce49f605e.exe RegSvcs.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeDebugPrivilege 2728 RegSvcs.exe

description	pid	process	target process
PID 2104 set thread context of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	2728	RegSvcs.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3b0e61d6cfe1df9b7406723ce49f605e.exe

description	pid	process	target process
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe
PID 2104 wrote to memory of 2728	2104	3b0e61d6cfe1df9b7406723ce49f605e.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\3b0e61d6cfe1df9b7406723ce49f605e.exe
"C:\Users\Admin\AppData\Local\Temp\3b0e61d6cfe1df9b7406723ce49f605e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2104-0-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/2104-1-0x0000000000CD0000-0x0000000000D4E000-memory.dmp

Filesize
504KB

Download
memory/2104-2-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-3-0x00000000008A0000-0x00000000008B8000-memory.dmp

Filesize
96KB

Download
memory/2104-4-0x00000000009E0000-0x00000000009F0000-memory.dmp

Filesize
64KB

Download
memory/2104-5-0x00000000041C0000-0x0000000004214000-memory.dmp

Filesize
336KB

Download
memory/2104-6-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/2104-7-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2104-19-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-11-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2728-20-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-21-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-39-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2728-40-0x0000000074580000-0x0000000074C6E000-memory.dmp

Filesize
6.9MB

Download