asyncrat | 85156af07c7d1ac58dfa6d0e0c5d3866b4d57c73c88c466db204e15ffa72888a

Analysis

max time kernel
24s
max time network
38s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14-07-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraB.exe
Size

129KB
MD5

4eed882d9e46f1270ed2121d00429189
SHA1

6adfbe0b4e8b83da1cb6d2a696cfa359c1d31176
SHA256

85156af07c7d1ac58dfa6d0e0c5d3866b4d57c73c88c466db204e15ffa72888a
SHA512

e8babe8e239c4da4e82f87d2677bef7b4032ffdddaae9dcd4694ef1f0902c053c6c7966ce1cf0c756334d2c936ee3a5600ce704de9aa0b414a33f55599f1e349
SSDEEP

3072:bMSncRzAOQKhp5LrUwk4XqdPbIGbb02NOgzY+mZgv:ASncRlvhbLrUwk4Xq1bIkbJNNU

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

always-assessment.gl.at.ply.gg:13857

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000c000000016d28-2.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
2316	SOLARAB2.EXE
2384	SOLARABOOTSTRAPPER.EXE

Loads dropped DLL 2 IoCs

pid	Process
2292	SolaraB.exe
2292	SolaraB.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2384	SOLARABOOTSTRAPPER.EXE
2384	SOLARABOOTSTRAPPER.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	SOLARABOOTSTRAPPER.EXE
Token: SeDebugPrivilege	2316	SOLARAB2.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2316	2292	SolaraB.exe	30
PID 2292 wrote to memory of 2316	2292	SolaraB.exe	30
PID 2292 wrote to memory of 2316	2292	SolaraB.exe	30
PID 2292 wrote to memory of 2316	2292	SolaraB.exe	30
PID 2292 wrote to memory of 2384	2292	SolaraB.exe	31
PID 2292 wrote to memory of 2384	2292	SolaraB.exe	31
PID 2292 wrote to memory of 2384	2292	SolaraB.exe	31
PID 2292 wrote to memory of 2384	2292	SolaraB.exe	31

C:\Users\Admin\AppData\Local\Temp\SolaraB.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\SOLARAB2.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARAB2.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE
  "C:\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab2EA1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
\Users\Admin\AppData\Local\Temp\SOLARAB2.EXE

Filesize
63KB

MD5
bd1e1e60ef8d8793e0de2c2a3a780323

SHA1
aa70c34bfa689b6bceb76bc611bc4d5fabaf2736

SHA256
460639c9065ff4b1f8e230a102d0874a8af55e06b0bb0cae8f079634bc2eeb51

SHA512
d2df82350130db317ec3e69ee5d83b24d8119a8634b57bb4a4d461e3d324c0654fabd89db493754e8e760e005648615d2cc9b84b50b51e45d641378111230100

Download Submit
\Users\Admin\AppData\Local\Temp\SOLARABOOTSTRAPPER.EXE

Filesize
13KB

MD5
6557bd5240397f026e675afb78544a26

SHA1
839e683bf68703d373b6eac246f19386bb181713

SHA256
a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

SHA512
f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Download Submit
memory/2316-12-0x000007FEF5423000-0x000007FEF5424000-memory.dmp

Filesize
4KB

Download
memory/2316-14-0x0000000000D90000-0x0000000000DA6000-memory.dmp

Filesize
88KB

Download
memory/2316-32-0x000007FEF5423000-0x000007FEF5424000-memory.dmp

Filesize
4KB

Download
memory/2384-15-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download