asyncrat | 9ffd34002e905f8d59ad45529e48afb206c1ba4eed0e70afd3bead6f846419ea

Resubmissions

13-07-2024 00:36

240713-ax9cwsxgnm 10

13-07-2024 00:25

240713-aqngvaxdrp 10

Analysis

max time kernel
91s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
13-07-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ComSvcConfig.exe
Size

91KB
MD5

531a8b9dcacc1caf586fc3c54d5b0d5c
SHA1

33544df2d37910946f323b185447b2602b5df73c
SHA256

f42dccf9d4ccc4e8c4ff16ec291d75d2c89a9ff09896fa39575abe4f1193d62d
SHA512

08123799a24f5332283df02b270d7746c2d3a736667b5b030005f793c892ff35d026dcf7bed9eb927a6b67fae983c01b5ec3fabec50707b4b48f4ee71f58a5d2
SSDEEP

1536:kMdVnKe6rNBEgHEB3uZaYx/2AAuAFQO+xZYhii/RoYy9B5Ilu67KhkFkTit:kMd9MNKoSAZbZQiCRoYy9B5Ilu67Kh/+

Score

10^/10

asyncrat y rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

20.199.8.16:1726

Mutex

eYLuHMmPZK7A

Attributes

delay
3
install
false
install_file
SeacrhIndexer
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2268	2632	ComSvcConfig.exe	78
PID 2784 set thread context of 4640	2784	ComSvcConfig.exe	85

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2268	2632	ComSvcConfig.exe	78
PID 2632 wrote to memory of 2268	2632	ComSvcConfig.exe	78
PID 2632 wrote to memory of 2268	2632	ComSvcConfig.exe	78
PID 2632 wrote to memory of 2268	2632	ComSvcConfig.exe	78
PID 2632 wrote to memory of 2268	2632	ComSvcConfig.exe	78
PID 2632 wrote to memory of 2268	2632	ComSvcConfig.exe	78
PID 2632 wrote to memory of 2268	2632	ComSvcConfig.exe	78
PID 2632 wrote to memory of 2268	2632	ComSvcConfig.exe	78
PID 2784 wrote to memory of 4640	2784	ComSvcConfig.exe	85
PID 2784 wrote to memory of 4640	2784	ComSvcConfig.exe	85
PID 2784 wrote to memory of 4640	2784	ComSvcConfig.exe	85
PID 2784 wrote to memory of 4640	2784	ComSvcConfig.exe	85
PID 2784 wrote to memory of 4640	2784	ComSvcConfig.exe	85
PID 2784 wrote to memory of 4640	2784	ComSvcConfig.exe	85
PID 2784 wrote to memory of 4640	2784	ComSvcConfig.exe	85
PID 2784 wrote to memory of 4640	2784	ComSvcConfig.exe	85

C:\Users\Admin\AppData\Local\Temp\ComSvcConfig.exe
"C:\Users\Admin\AppData\Local\Temp\ComSvcConfig.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #system32
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\ComSvcConfig.exe
"C:\Users\Admin\AppData\Local\Temp\ComSvcConfig.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  #system32
  2⤵
  PID:4640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ComSvcConfig.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
memory/2268-7-0x0000000005500000-0x000000000559C000-memory.dmp

Filesize
624KB

Download
memory/2268-2-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2268-5-0x00000000749B0000-0x0000000075161000-memory.dmp

Filesize
7.7MB

Download
memory/2268-6-0x00000000749B0000-0x0000000075161000-memory.dmp

Filesize
7.7MB

Download
memory/2268-8-0x0000000005B50000-0x00000000060F6000-memory.dmp

Filesize
5.6MB

Download
memory/2268-9-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/2268-13-0x00000000749B0000-0x0000000075161000-memory.dmp

Filesize
7.7MB

Download
memory/2268-15-0x00000000749B0000-0x0000000075161000-memory.dmp

Filesize
7.7MB

Download
memory/2632-4-0x00000000749B0000-0x0000000075161000-memory.dmp

Filesize
7.7MB

Download
memory/2632-0-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/2632-1-0x00000000008A0000-0x00000000008BE000-memory.dmp

Filesize
120KB

Download
memory/2632-12-0x00000000749B0000-0x0000000075161000-memory.dmp

Filesize
7.7MB

Download