asyncrat | 6019a752eb6a130c3121fbcc23fe84ea8179374f3ce63e16009cbee672e5c469

Analysis

max time kernel
136s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootrapper.exe
Size

64KB
MD5

774797464cf5376bb757bbef621f0887
SHA1

4f2e33f1d643487db43c7a9482a2839cb9bc1944
SHA256

6019a752eb6a130c3121fbcc23fe84ea8179374f3ce63e16009cbee672e5c469
SHA512

04d08bdfd52165105afdca03efc46f9a899d9acfc241d7a1b93bdca3becea91f7cd84716863dab60e9bebaad1d2ad243f869bcf20e781a3037be931bbbb6a611
SSDEEP

1536:2mL6HVloCyy5nVwiGfMOw0weB90trw42jU23utLF9pWzn:3L+vyyQi8w0weE9QUHvkn

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

192.168.0.23:6606

192.168.0.23:7707

192.168.0.23:8808

Mutex

Anh14EOLKPzm

Attributes

delay
3
install
false
install_file
SolaraBootstrapper.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 560 set thread context of 2784	560	SolaraBootrapper.exe	29

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 2784	560	SolaraBootrapper.exe	29
PID 560 wrote to memory of 2784	560	SolaraBootrapper.exe	29
PID 560 wrote to memory of 2784	560	SolaraBootrapper.exe	29
PID 560 wrote to memory of 2784	560	SolaraBootrapper.exe	29
PID 560 wrote to memory of 2784	560	SolaraBootrapper.exe	29
PID 560 wrote to memory of 2784	560	SolaraBootrapper.exe	29
PID 560 wrote to memory of 2784	560	SolaraBootrapper.exe	29
PID 560 wrote to memory of 2784	560	SolaraBootrapper.exe	29
PID 560 wrote to memory of 2784	560	SolaraBootrapper.exe	29

C:\Users\Admin\AppData\Local\Temp\SolaraBootrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootrapper.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\AppData\Local\Temp\SolaraBootrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraBootrapper.exe"
  2⤵
  PID:2784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-0-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/560-1-0x0000000000390000-0x00000000003A6000-memory.dmp

Filesize
88KB

Download
memory/560-2-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/560-3-0x000000007477E000-0x000000007477F000-memory.dmp

Filesize
4KB

Download
memory/560-4-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/560-5-0x00000000004B0000-0x00000000004C4000-memory.dmp

Filesize
80KB

Download
memory/560-19-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-16-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-8-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2784-20-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-21-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download
memory/2784-22-0x0000000074770000-0x0000000074E5E000-memory.dmp

Filesize
6.9MB

Download