asyncrat | 7ad9611f4eae105eabc514ca347523bfa2b78df84cf150700548b9378a6fc9e8

General

Target

b4036abc4db97f5aaae8672f3f32d5d0N.exe
Size

47KB
MD5

b4036abc4db97f5aaae8672f3f32d5d0
SHA1

bdbfb245db7f59322b0a499b47e52a2a56170c41
SHA256

7ad9611f4eae105eabc514ca347523bfa2b78df84cf150700548b9378a6fc9e8
SHA512

2fdfe4d723d659886932eeb5b7e07ee0e0266be32ebea778543c2c83f7d034278eee3a6e1b31b84c0639f88b49dbc8bc8177113a18bebf5c72f870951782a70f
SSDEEP

768:EuEk9THvkHCWU0neImo2q8aIteX0IRi37IPIVUVw0bn5QmPWQpyCEzwSVT8BDZPx:EuEk9THc726oIRaBVUVbbn5QG9cjzwcu

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

196.87.121.175:6606

196.87.121.175:7707

196.87.121.175:8808

196.87.121.175:80

Mutex

0KVP9OnBTs5j

Attributes

delay
3
install
true
install_file
rttr.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0005000000011c2f-15.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2816	rttr.exe

Loads dropped DLL 1 IoCs

pid	Process
2656	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2872	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe
2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe
2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe
Token: SeDebugPrivilege	2816	rttr.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2692	2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe	31
PID 2448 wrote to memory of 2692	2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe	31
PID 2448 wrote to memory of 2692	2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe	31
PID 2448 wrote to memory of 2692	2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe	31
PID 2448 wrote to memory of 2656	2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe	33
PID 2448 wrote to memory of 2656	2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe	33
PID 2448 wrote to memory of 2656	2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe	33
PID 2448 wrote to memory of 2656	2448	b4036abc4db97f5aaae8672f3f32d5d0N.exe	33
PID 2656 wrote to memory of 2872	2656	cmd.exe	36
PID 2656 wrote to memory of 2872	2656	cmd.exe	36
PID 2656 wrote to memory of 2872	2656	cmd.exe	36
PID 2656 wrote to memory of 2872	2656	cmd.exe	36
PID 2692 wrote to memory of 3064	2692	cmd.exe	35
PID 2692 wrote to memory of 3064	2692	cmd.exe	35
PID 2692 wrote to memory of 3064	2692	cmd.exe	35
PID 2692 wrote to memory of 3064	2692	cmd.exe	35
PID 2656 wrote to memory of 2816	2656	cmd.exe	37
PID 2656 wrote to memory of 2816	2656	cmd.exe	37
PID 2656 wrote to memory of 2816	2656	cmd.exe	37
PID 2656 wrote to memory of 2816	2656	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\b4036abc4db97f5aaae8672f3f32d5d0N.exe
"C:\Users\Admin\AppData\Local\Temp\b4036abc4db97f5aaae8672f3f32d5d0N.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rttr" /tr '"C:\Users\Admin\AppData\Roaming\rttr.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "rttr" /tr '"C:\Users\Admin\AppData\Roaming\rttr.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp170A.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2872
- - C:\Users\Admin\AppData\Roaming\rttr.exe
    "C:\Users\Admin\AppData\Roaming\rttr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp170A.tmp.bat

Filesize
148B

MD5
a38ac353519a31c0b8ae67ca734733c0

SHA1
7f31cc427063fb781f1c7a9810042efa25713d98

SHA256
8697332628748e7253c6ba81eba0cc6214c797ed0e9ee713b67c45c9e8519d76

SHA512
527c9c097be73607f5357583720264ac3aee047fea9a06c80005693d4bf57087e96c3767db3019fb616347d302523a81673c9e04690bfa274b092d13841f1240

Download Submit
C:\Users\Admin\AppData\Roaming\rttr.exe

Filesize
47KB

MD5
b4036abc4db97f5aaae8672f3f32d5d0

SHA1
bdbfb245db7f59322b0a499b47e52a2a56170c41

SHA256
7ad9611f4eae105eabc514ca347523bfa2b78df84cf150700548b9378a6fc9e8

SHA512
2fdfe4d723d659886932eeb5b7e07ee0e0266be32ebea778543c2c83f7d034278eee3a6e1b31b84c0639f88b49dbc8bc8177113a18bebf5c72f870951782a70f

Download Submit
memory/2448-0-0x0000000074D1E000-0x0000000074D1F000-memory.dmp

Filesize
4KB

Download
memory/2448-1-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download
memory/2448-2-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2448-12-0x0000000074D10000-0x00000000753FE000-memory.dmp

Filesize
6.9MB

Download
memory/2816-16-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads