asyncrat | 4e6ae5fd4a54e6497b36ef81536f9c1f94f11cf13b164dec4d466feb0ea2d262

General

Target

ExtremeDumper-x64.exe
Size

1.7MB
MD5

d80005f7cff14a06d50cb6d363fdf2e9
SHA1

74ed3f842c6ae54a647c5af5fa9456e9c19b9cc5
SHA256

4e6ae5fd4a54e6497b36ef81536f9c1f94f11cf13b164dec4d466feb0ea2d262
SHA512

6679fe68ae7478c00a9ff4948eee7bf36ab7004ae3afd888fccba7b88df493504876afa48ed55e4163c235808c5fa67d4ef30f132bb5d88c7bc1c42196aa86ae
SSDEEP

49152:peBSdEv60XsKmSE02hrzFqVRqnc2vbu3:6jv5TRM1nc2ju

Score

10^/10

asyncrat 1 discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

1

C2

paris-itself.gl.at.ply.gg:49485

147.185.221.20:49485

Mutex

DAC4G8C1tEM2

Attributes

delay
3
install
true
install_file
System.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a00000001227b-6.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
2832	System.exe
2656	ExtremeDumper.exe

Loads dropped DLL 1 IoCs

pid	Process
2656	ExtremeDumper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2656	ExtremeDumper.exe
2656	ExtremeDumper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2656	ExtremeDumper.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	System.exe
Token: SeDebugPrivilege	2832	System.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2832	2176	ExtremeDumper-x64.exe	31
PID 2176 wrote to memory of 2832	2176	ExtremeDumper-x64.exe	31
PID 2176 wrote to memory of 2832	2176	ExtremeDumper-x64.exe	31
PID 2176 wrote to memory of 2832	2176	ExtremeDumper-x64.exe	31
PID 2176 wrote to memory of 2656	2176	ExtremeDumper-x64.exe	32
PID 2176 wrote to memory of 2656	2176	ExtremeDumper-x64.exe	32
PID 2176 wrote to memory of 2656	2176	ExtremeDumper-x64.exe	32

C:\Users\Admin\AppData\Local\Temp\ExtremeDumper-x64.exe
"C:\Users\Admin\AppData\Local\Temp\ExtremeDumper-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\ExtremeDumper.exe
  "C:\Users\Admin\AppData\Local\Temp\ExtremeDumper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExtremeDumper.exe

Filesize
1.7MB

MD5
58db100b228ff17f83726d4c2738990e

SHA1
d69bfa9ddb32de1999760e8b3b3236bc8934d66c

SHA256
f407b67a008fc2186329d5feffe830f7eead7a11f3b169d0d90099495edfcf2e

SHA512
e845a62e00fcb8305ab0ceececec73a2d46a490c04370742290398f5e568ba4cf43bc1caa0529405e9ee07c021a05109873271278a8c45eec67ad409dd670f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
48KB

MD5
c1319ad0a8606516a8f05b9cbb50bc6f

SHA1
c723b2ccf1945480c0a3adb26555b39888a960aa

SHA256
19d29a9df522600a3a301ebed388ae367f330d5a22b18548af3b244e26d6cc05

SHA512
e2e524ddeaa483d2bca5177bc87348484f27619b64f2f18edd7d9f939a22ce194b54855281096a74c08c3fc7409ca92d5e2d3e87dca28395093d36fcf0861b77

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll

Filesize
211KB

MD5
2e40ed16499ba8ff681b9bfe8263cef8

SHA1
f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

SHA256
3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

SHA512
2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

Download Submit
memory/2176-0-0x000007FEF4FE3000-0x000007FEF4FE4000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x0000000000CB0000-0x0000000000E6C000-memory.dmp

Filesize
1.7MB

Download
memory/2176-12-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/2656-14-0x00000000012D0000-0x000000000147E000-memory.dmp

Filesize
1.7MB

Download
memory/2656-20-0x0000000000430000-0x0000000000456000-memory.dmp

Filesize
152KB

Download
memory/2656-21-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2832-19-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing