asyncrat | 85156af07c7d1ac58dfa6d0e0c5d3866b4d57c73c88c466db204e15ffa72888a

Analysis

max time kernel
30s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2024 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraB.exe
Size

129KB
MD5

4eed882d9e46f1270ed2121d00429189
SHA1

6adfbe0b4e8b83da1cb6d2a696cfa359c1d31176
SHA256

85156af07c7d1ac58dfa6d0e0c5d3866b4d57c73c88c466db204e15ffa72888a
SHA512

e8babe8e239c4da4e82f87d2677bef7b4032ffdddaae9dcd4694ef1f0902c053c6c7966ce1cf0c756334d2c936ee3a5600ce704de9aa0b414a33f55599f1e349
SSDEEP

3072:bMSncRzAOQKhp5LrUwk4XqdPbIGbb02NOgzY+mZgv:ASncRlvhbLrUwk4Xq1bIkbJNNU

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

always-assessment.gl.at.ply.gg:13857

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00090000000233f2-5.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	SolaraB.exe

Executes dropped EXE 2 IoCs

pid	Process
1196	SOLARAB2.EXE
2856	SOLARABOOTSTRAPPER.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
19	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2856	SOLARABOOTSTRAPPER.EXE
2856	SOLARABOOTSTRAPPER.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	SOLARABOOTSTRAPPER.EXE
Token: SeDebugPrivilege	1196	SOLARAB2.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1196	2808	SolaraB.exe	86
PID 2808 wrote to memory of 1196	2808	SolaraB.exe	86
PID 2808 wrote to memory of 2856	2808	SolaraB.exe	87
PID 2808 wrote to memory of 2856	2808	SolaraB.exe	87
PID 2808 wrote to memory of 2856	2808	SolaraB.exe	87

C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\SOLARAB2.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARAB2.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SOLARAB2.EXE

Filesize
63KB

MD5
bd1e1e60ef8d8793e0de2c2a3a780323

SHA1
aa70c34bfa689b6bceb76bc611bc4d5fabaf2736

SHA256
460639c9065ff4b1f8e230a102d0874a8af55e06b0bb0cae8f079634bc2eeb51

SHA512
d2df82350130db317ec3e69ee5d83b24d8119a8634b57bb4a4d461e3d324c0654fabd89db493754e8e760e005648615d2cc9b84b50b51e45d641378111230100

Download Submit
C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE

Filesize
13KB

MD5
6557bd5240397f026e675afb78544a26

SHA1
839e683bf68703d373b6eac246f19386bb181713

SHA256
a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

SHA512
f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Download Submit
memory/1196-29-0x00007FFC1C3BF000-0x00007FFC1C3C0000-memory.dmp

Filesize
4KB

Download
memory/1196-20-0x00007FFBFE153000-0x00007FFBFE155000-memory.dmp

Filesize
8KB

Download
memory/1196-28-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/1196-21-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/1196-33-0x000000001AD80000-0x000000001AD90000-memory.dmp

Filesize
64KB

Download
memory/2856-24-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/2856-25-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download
memory/2856-26-0x0000000003160000-0x000000000316A000-memory.dmp

Filesize
40KB

Download
memory/2856-27-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/2856-30-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/2856-32-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download