asyncrat | 336fae3f009b86bac7ab40db44ea36cb624c68f6edafcc5fe9d07f2f9d4ef9d9

General

Target

6b4f89fbf1279dceeead559f678d68c0N.exe
Size

266KB
MD5

6b4f89fbf1279dceeead559f678d68c0
SHA1

e87fea96d79a173387899646256e8a4054a82571
SHA256

336fae3f009b86bac7ab40db44ea36cb624c68f6edafcc5fe9d07f2f9d4ef9d9
SHA512

4541d72623e19ca1800c5f92ea34dd4ef0edb7a6dc7787f8314e45420ffff10a0d945fa3f8e54cf900686780ab9dda662a978326633c0e53f5e83e85446bae7d
SSDEEP

3072:WdvzDqxs8ORikgogWfiuRXd3YmSffdTKXNXANewGBvskX1pWA/s2:WFzDqa86hV6uRRqX1evPlwAE2

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2800-31-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral1/memory/2800-30-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral1/memory/2800-34-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral1/memory/2800-35-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def
behavioral1/memory/2800-36-0x0000000000400000-0x0000000000430000-memory.dmp	disable_win_def

Executes dropped EXE 1 IoCs

pid	Process
2792	HiPatchService.exe

Loads dropped DLL 1 IoCs

pid	Process
2556	6b4f89fbf1279dceeead559f678d68c0N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\HiPatch = "C:\\Users\\Admin\\AppData\\Roaming\\HiPatch\\HiPatchService.exe"	6b4f89fbf1279dceeead559f678d68c0N.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 2800	2792	HiPatchService.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2800	RegAsm.exe
2800	RegAsm.exe
2800	RegAsm.exe
2800	RegAsm.exe
2800	RegAsm.exe
2800	RegAsm.exe
2800	RegAsm.exe
2800	RegAsm.exe
2800	RegAsm.exe
2800	RegAsm.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2792	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	29
PID 2556 wrote to memory of 2792	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	29
PID 2556 wrote to memory of 2792	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	29
PID 2556 wrote to memory of 2792	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	29
PID 2556 wrote to memory of 2792	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	29
PID 2556 wrote to memory of 2792	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	29
PID 2556 wrote to memory of 2792	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	29
PID 2556 wrote to memory of 2976	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	30
PID 2556 wrote to memory of 2976	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	30
PID 2556 wrote to memory of 2976	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	30
PID 2556 wrote to memory of 2976	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	30
PID 2556 wrote to memory of 2976	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	30
PID 2556 wrote to memory of 2976	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	30
PID 2556 wrote to memory of 2976	2556	6b4f89fbf1279dceeead559f678d68c0N.exe	30
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32
PID 2792 wrote to memory of 2800	2792	HiPatchService.exe	32

C:\Users\Admin\AppData\Local\Temp\6b4f89fbf1279dceeead559f678d68c0N.exe
"C:\Users\Admin\AppData\Local\Temp\6b4f89fbf1279dceeead559f678d68c0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe
  "C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat""
  2⤵
  PID:2976

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.bat

Filesize
213B

MD5
0955cb4b691d44b37f8b6fad48a33b8e

SHA1
9dae759ae014cc124ab6eed7c8035788c124ae4a

SHA256
9092dbb1ca1767d1966b7f79349dd95a802a68248251bf070c0f1d74d5681d71

SHA512
08b868a028c1e8d29ed643416850df16f58d44668f9193b46bd3934965e5617a0a4015fc52815c5456023dbde01023450d295b76d936a936f26b602e764b0235

Download Submit
\Users\Admin\AppData\Roaming\HiPatch\HiPatchService.exe

Filesize
266KB

MD5
cf4e7f165fd6ae64504fa84b4c011b02

SHA1
71ebebe12e4e82b706f00bd087b58f604d61f8c6

SHA256
f7bde54f0c251610bb6b7b11c042924227188f6d2c6b45a53bda8bd660e82d32

SHA512
c27ebc0da992b3bb943d2ad465ea9b608b7cc15f4c847457c4610b310c667dac83b10e5f97b8fb99b958cdb87e5a0f7ade35e6c3d04a715e88bc5e5ba72557c3

Download Submit
memory/2556-23-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/2556-2-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/2556-1-0x0000000000C90000-0x0000000000CD6000-memory.dmp

Filesize
280KB

Download
memory/2556-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/2556-3-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-37-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-21-0x00000000000A0000-0x00000000000E6000-memory.dmp

Filesize
280KB

Download
memory/2792-22-0x0000000074D90000-0x000000007547E000-memory.dmp

Filesize
6.9MB

Download
memory/2800-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-31-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2800-30-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2800-34-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2800-35-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2800-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2800-36-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2800-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads