asyncrat | 6019a752eb6a130c3121fbcc23fe84ea8179374f3ce63e16009cbee672e5c469

Analysis

max time kernel
129s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootrapper.exe
Size

64KB
MD5

774797464cf5376bb757bbef621f0887
SHA1

4f2e33f1d643487db43c7a9482a2839cb9bc1944
SHA256

6019a752eb6a130c3121fbcc23fe84ea8179374f3ce63e16009cbee672e5c469
SHA512

04d08bdfd52165105afdca03efc46f9a899d9acfc241d7a1b93bdca3becea91f7cd84716863dab60e9bebaad1d2ad243f869bcf20e781a3037be931bbbb6a611
SSDEEP

1536:2mL6HVloCyy5nVwiGfMOw0weB90trw42jU23utLF9pWzn:3L+vyyQi8w0weE9QUHvkn

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

192.168.0.23:6606

192.168.0.23:7707

192.168.0.23:8808

Mutex

Anh14EOLKPzm

Attributes

delay
3
install
false
install_file
SolaraBootstrapper.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2892 set thread context of 1280	2892	SolaraBootrapper.exe	87

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1280	2892	SolaraBootrapper.exe	87
PID 2892 wrote to memory of 1280	2892	SolaraBootrapper.exe	87
PID 2892 wrote to memory of 1280	2892	SolaraBootrapper.exe	87
PID 2892 wrote to memory of 1280	2892	SolaraBootrapper.exe	87
PID 2892 wrote to memory of 1280	2892	SolaraBootrapper.exe	87
PID 2892 wrote to memory of 1280	2892	SolaraBootrapper.exe	87
PID 2892 wrote to memory of 1280	2892	SolaraBootrapper.exe	87
PID 2892 wrote to memory of 1280	2892	SolaraBootrapper.exe	87

C:\Users\Admin\AppData\Local\Temp\SolaraBootrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootrapper.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\SolaraBootrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraBootrapper.exe"
  2⤵
  PID:1280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SolaraBootrapper.exe.log

Filesize
1KB

MD5
b5291f3dcf2c13784e09a057f2e43d13

SHA1
fbb72f4b04269e0d35b1d9c29d02d63dbc7ad07e

SHA256
ad995b51344d71019f96fc3a424de00256065daad8595ff599f6849c87ae75ce

SHA512
11c89caac425bccaa24e2bb24c6f2b4e6d6863278bf8a5304a42bb44475b08ca586e09143e7d5b14db7f1cd9adacd5358769e0d999dc348073431031067bd4d4

Download Submit
memory/1280-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1280-16-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/1280-15-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/1280-13-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/2892-4-0x0000000005750000-0x000000000575A000-memory.dmp

Filesize
40KB

Download
memory/2892-6-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/2892-7-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/2892-8-0x0000000005740000-0x0000000005754000-memory.dmp

Filesize
80KB

Download
memory/2892-9-0x00000000058B0000-0x00000000058CE000-memory.dmp

Filesize
120KB

Download
memory/2892-5-0x0000000005810000-0x0000000005886000-memory.dmp

Filesize
472KB

Download
memory/2892-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/2892-3-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/2892-14-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/2892-2-0x0000000005B50000-0x00000000060F4000-memory.dmp

Filesize
5.6MB

Download
memory/2892-1-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

Filesize
88KB

Download