asyncrat | c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603

Analysis

max time kernel
126s
max time network
137s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe
Size

2.6MB
MD5

dd007b6a486b6336cea0c9c2dfd307ca
SHA1

f9d1987deb32ae3b244ba8b281d3c75ea149979d
SHA256

c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603
SHA512

210e997ec4e5b8c64539b19052e694fea48415f1100d0f1d2dae418f5a6e7ec032f9e328dbb7af6b299614b402b9ebc6720a256a3c058b177a830b78783a7dd4
SSDEEP

49152:CHV9arGDFfPHRi63T+reNM7I2BnJGQ2sqmsSql2ESrB6jPF:CHkGNPxT6r08p32m9G7SmF

Score

10^/10

asyncrat zzz6 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

ZZZ6

andresarbosa2003.con-ip.com:4040

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\Neouopdwf = "C:\\Users\\Admin\\AppData\\Roaming\\Neouopdwf.exe"	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1084 set thread context of 2176	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe	29

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe
Token: SeDebugPrivilege	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2176	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe	29
PID 1084 wrote to memory of 2176	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe	29
PID 1084 wrote to memory of 2176	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe	29
PID 1084 wrote to memory of 2176	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe	29
PID 1084 wrote to memory of 2176	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe	29
PID 1084 wrote to memory of 2176	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe	29
PID 1084 wrote to memory of 2176	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe	29
PID 1084 wrote to memory of 2176	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe	29
PID 1084 wrote to memory of 2176	1084	c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe	29

C:\Users\Admin\AppData\Local\Temp\c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe
"C:\Users\Admin\AppData\Local\Temp\c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe
  "C:\Users\Admin\AppData\Local\Temp\c9866af2cb943cbe5f4d971518d30ec93e686e8d8e31345fe0e923c0ec121603.exe"
  2⤵
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1084-0-0x000000007432E000-0x000000007432F000-memory.dmp

Filesize
4KB

Download
memory/1084-1-0x0000000000200000-0x00000000004A4000-memory.dmp

Filesize
2.6MB

Download
memory/1084-2-0x0000000004F70000-0x0000000005192000-memory.dmp

Filesize
2.1MB

Download
memory/1084-3-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/1084-8-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-4-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-17-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-5-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-23-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-21-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-19-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-15-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-25-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-13-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-29-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-33-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-31-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-39-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-41-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-37-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-35-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-27-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-11-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-9-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-43-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-45-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-47-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-65-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-51-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-67-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-63-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-61-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-59-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-57-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-55-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-4890-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/1084-53-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-49-0x0000000004F70000-0x000000000518C000-memory.dmp

Filesize
2.1MB

Download
memory/1084-4892-0x0000000004C20000-0x0000000004C6C000-memory.dmp

Filesize
304KB

Download
memory/1084-4891-0x0000000004BC0000-0x0000000004C1C000-memory.dmp

Filesize
368KB

Download
memory/1084-4893-0x000000007432E000-0x000000007432F000-memory.dmp

Filesize
4KB

Download
memory/1084-4894-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/1084-4895-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/1084-4896-0x0000000004C90000-0x0000000004CE4000-memory.dmp

Filesize
336KB

Download
memory/1084-4914-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-4915-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-4913-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2176-4916-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2176-4917-0x0000000074320000-0x0000000074A0E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads