asyncrat | ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa

General

Target

ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe
Size

1.2MB
MD5

5c4e8e94fdb71b3ff3a21f09ac5139a3
SHA1

423a608f65cddad090bf6d157ab8b24ac033f105
SHA256

ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa
SHA512

23962f4feb869e2fcfaad80386def9b13ed431cc4184e56a9a131169ae589a8bb399dd949640d098d942b6d38bf9b9b9f4cbd91f887b6e1a445d80874e946e33
SSDEEP

24576:QUNxvqF6FGYJf6yjNQpNONZNlTX5PlGPgquLEIWxUc7N11QaSYx7GqFT:QUNxvC6FGYJf6yjNQpNONZnTX5PlGPgY

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

C2

anahowaanaa.ddnsfree.com:1111

Mutex

AsyncMutex_6SI8OkSS5

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkeyU64.exe	AutoHotkeyU64.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutoHotkeyU64.exe	AutoHotkeyU64.exe

Executes dropped EXE 1 IoCs

pid	Process
820	AutoHotkeyU64.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 820 set thread context of 1752	820	AutoHotkeyU64.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1752	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	AppLaunch.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4744	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe
4744	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4744	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe
4744	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1752	AppLaunch.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 820	4744	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe	87
PID 4744 wrote to memory of 820	4744	ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe	87
PID 820 wrote to memory of 1752	820	AutoHotkeyU64.exe	88
PID 820 wrote to memory of 1752	820	AutoHotkeyU64.exe	88
PID 820 wrote to memory of 1752	820	AutoHotkeyU64.exe	88
PID 820 wrote to memory of 1752	820	AutoHotkeyU64.exe	88
PID 820 wrote to memory of 1752	820	AutoHotkeyU64.exe	88
PID 820 wrote to memory of 1752	820	AutoHotkeyU64.exe	88
PID 820 wrote to memory of 1752	820	AutoHotkeyU64.exe	88
PID 820 wrote to memory of 1752	820	AutoHotkeyU64.exe	88

C:\Users\Admin\AppData\Local\Temp\ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe
"C:\Users\Admin\AppData\Local\Temp\ee3a8b076aed6d3f4dd52056b6fbcf62455a9258600b8e520551df9305dfb9fa.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Users\Admin\Documents\AutoHotkeyU64.exe
  C:\Users\Admin\Documents\AutoHotkeyU64.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\AutoHotkeyU64.ahk

Filesize
6KB

MD5
50b2fd640a95e3caf440bc3d8249c846

SHA1
46c7bd930438868a415b836b6aff4ca27cdf66f7

SHA256
d01e36c121b947001a82255fa8c767084daa0cee5f10f7816036aa87e2f4da9e

SHA512
a38b6b5bd38199bb08359750edc98c7d78f02f235ca530837ee2e5b6b6349bd96b132512e6db7f85da895f9ee4db3a791a97c59e4f543e9558dda02fa8797fa6

Download Submit
C:\Users\Admin\Documents\AutoHotkeyU64.exe

Filesize
1.3MB

MD5
2d0600fe2b1b3bdc45d833ca32a37fdb

SHA1
e9a7411bfef54050de3b485833556f84cabd6e41

SHA256
effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696

SHA512
9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703

Download Submit
C:\Users\Admin\Documents\str.txt

Filesize
206KB

MD5
5faebcef5aa3a89fd67a311f470bd7ae

SHA1
6b406724e0addfd21d39c5b7b004bc5548c1f4d0

SHA256
3f63892d771615d05ab2b884369f8dea2e0a36a2704ab2009762ed1f33892aff

SHA512
d54dfb9a54e5ac92468397a94e393022802be65312d317d660fcb70c00ea91b23fc1167a9bca0b5c83dcb3a18fc9b1677bf82bb00de888a8631fec103b19e337

Download Submit
C:\Users\Admin\Documents\test.zip

Filesize
659KB

MD5
ecfff2ef9131457dced515713825041d

SHA1
3709b6fddcdd2c30ad2b79d617264f8f94c52b96

SHA256
c2205bea1e3cc1adba1b40c00f810b6927bbe3d2c373973f8a62c39acb4320c7

SHA512
c24cf73b42663bb6aacc5b1d3f8b5853be659eed264fc6b1e05d9d999995a0c70b100b4c4b147b56f17195ac5d9cd219b2119234d33887d9e98807824d417e6d

Download Submit
memory/1752-59-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/1752-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1752-61-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download
memory/1752-62-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/1752-63-0x0000000005430000-0x00000000054C2000-memory.dmp

Filesize
584KB

Download
memory/1752-64-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/1752-65-0x000000007451E000-0x000000007451F000-memory.dmp

Filesize
4KB

Download
memory/1752-66-0x0000000074510000-0x0000000074CC0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing