asyncrat | 4b2c10c568576e5c5c28924c9b97c7a4043c305659d09414ba81c292b129398f

Analysis

max time kernel
0s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
10/07/2024, 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraB2.1.exe
Size

913KB
MD5

db39b0a64d84df3f0b7caf332ffd2046
SHA1

7d8d8f7a71974768c9e8d97e55ae1ffef976839e
SHA256

4b2c10c568576e5c5c28924c9b97c7a4043c305659d09414ba81c292b129398f
SHA512

e51e5939efe4f1799043fd9af4612b3443a59431237c36406675a7fae436936b735b940c77c0359e54edff4d59c2fcb9166819cf651ad7ef8100294e34269c58
SSDEEP

12288:m4D70cl1mzgHpbzEu8AgpQojA1j855xU9pHIRxSNN:me5/mzgH385QojA1j855xSHI

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

iraq-global.gl.at.ply.gg:3816

Mutex

KsnES@kNaa

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000400000002aa96-4.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2384	SOLARABOOSTRAPER.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 2384	784	SolaraB2.1.exe	78
PID 784 wrote to memory of 2384	784	SolaraB2.1.exe	78

C:\Users\Admin\AppData\Local\Temp\SolaraB2.1.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB2.1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\SOLARABOOSTRAPER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARABOOSTRAPER.EXE"
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
  2⤵
  PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SOLARABOOSTRAPER.EXE

Filesize
63KB

MD5
3b5225e9debd675bb8eb5109eb4e8fb9

SHA1
1b6379a851c939d42ecbbab8420ac6a2e8bd19c5

SHA256
01274a851ee1ac9c1f61f97440e350842352e3f927e2a3de72511eee795e6f23

SHA512
cc26aa3457c6d7474def93e9c310193b9e7d20f451908eeb28491730eb2171bfc11b700f24aa633dbacd935775bb55755ff213109dc02559a55298cd3b2faf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE

Filesize
797KB

MD5
36b62ba7d1b5e149a2c297f11e0417ee

SHA1
ce1b828476274375e632542c4842a6b002955603

SHA256
8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c

SHA512
fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94

Download Submit
memory/2384-20-0x00007FF875473000-0x00007FF875475000-memory.dmp

Filesize
8KB

Download
memory/2384-19-0x0000000000CE0000-0x0000000000CF6000-memory.dmp

Filesize
88KB

Download
memory/4036-24-0x000000007436E000-0x000000007436F000-memory.dmp

Filesize
4KB

Download
memory/4036-25-0x0000000000EE0000-0x0000000000FAE000-memory.dmp

Filesize
824KB

Download
memory/4036-26-0x0000000005E00000-0x00000000063A6000-memory.dmp

Filesize
5.6MB

Download