asyncrat | 9188647a8083afb376f0205e254e20d977c43f7adb69d148ab6197a386304fa5

Analysis

max time kernel
7s
max time network
9s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-08-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Polymorphic.exe
Size

261KB
MD5

804b13b01618556c482fbc22c006ea50
SHA1

818a456902411c04e0a3313343c49f40ca6f4230
SHA256

9188647a8083afb376f0205e254e20d977c43f7adb69d148ab6197a386304fa5
SHA512

8b52be9b0398779edede6e94deafd0ca605dd0cc12e36d4e2abf6fb4f292a0135c8b72e4816b26a41e92d453ab02ba54f73b44312798447a6c3f8d25f34080b6
SSDEEP

6144:VfxOlLF56irZVUjR2AoRA6TQhoIU3/IN/3gKXAs/oyaq:n67rTU0zA6EeIUv1KXAC

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

127.0.0.1:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1628-3-0x000001B247AF0000-0x000001B247B06000-memory.dmp	family_asyncrat

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	Polymorphic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1056	MiniSearchHost.exe

C:\Users\Admin\AppData\Local\Temp\Polymorphic.exe
"C:\Users\Admin\AppData\Local\Temp\Polymorphic.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
06f54da138064bcb87a50ea5796be0bc

SHA1
149614dcc0cc8a15d12e042639d53d364b692f5a

SHA256
fd00cc98658581a6d166ce94e14f68079c4a2948db69e5ac60755ac8c50c1f50

SHA512
530073a003f19a93945cc2d663cd395744c98b3d8377ed6fbc237be0b42b7ec23544fe149435e3d5d47b8d385c2a9bd1e2605222bbe2df0d3233edf10550202d

Download Submit
memory/1628-0-0x000001B246130000-0x000001B24614A000-memory.dmp

Filesize
104KB

Download
memory/1628-1-0x00007FF63FF5A000-0x00007FF63FF5B000-memory.dmp

Filesize
4KB

Download
memory/1628-2-0x00007FF63FF40000-0x00007FF63FF85000-memory.dmp

Filesize
276KB

Download
memory/1628-3-0x000001B247AF0000-0x000001B247B06000-memory.dmp

Filesize
88KB

Download