asyncrat | f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7

General

Target

f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe
Size

48KB
MD5

a41754aa9cfd098e0f31fce03ab38166
SHA1

22946a1c7828ab7a5f218b6a815350fc0e1d1c1b
SHA256

f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7
SHA512

5cc51386415d49e6d4c87111f6674347568047ad3420f8095559f0d077b5f7593506a34d4877765563ff0feccf50c9d1b7501452ab7dc6ce611768571d248cd9
SSDEEP

768:UVNYu9bVIILoech+ri0telDSN+iV08YbygeQVzZE3GdvEgK/JvZVc6KN:UVG7Z0tKDs4zb1lVzZEEnkJvZVclN

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

DcRatMutex_qwqdanchun

Attributes

c2_url_file
https://Pastebin.com/raw/fevFJe98
delay
1
install
true
install_file
nigger.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00080000000120cd-14.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1916	nigger.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2864	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2772	f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe
2772	f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe
2772	f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe
Token: SeDebugPrivilege	1916	nigger.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2800	2772	f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe	30
PID 2772 wrote to memory of 2800	2772	f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe	30
PID 2772 wrote to memory of 2800	2772	f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe	30
PID 2772 wrote to memory of 2240	2772	f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe	31
PID 2772 wrote to memory of 2240	2772	f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe	31
PID 2772 wrote to memory of 2240	2772	f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe	31
PID 2240 wrote to memory of 2864	2240	cmd.exe	34
PID 2240 wrote to memory of 2864	2240	cmd.exe	34
PID 2240 wrote to memory of 2864	2240	cmd.exe	34
PID 2800 wrote to memory of 2592	2800	cmd.exe	35
PID 2800 wrote to memory of 2592	2800	cmd.exe	35
PID 2800 wrote to memory of 2592	2800	cmd.exe	35
PID 2240 wrote to memory of 1916	2240	cmd.exe	36
PID 2240 wrote to memory of 1916	2240	cmd.exe	36
PID 2240 wrote to memory of 1916	2240	cmd.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe
"C:\Users\Admin\AppData\Local\Temp\f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "nigger" /tr '"C:\Users\Admin\AppData\Roaming\nigger.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "nigger" /tr '"C:\Users\Admin\AppData\Roaming\nigger.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2592
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D34.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2864
- - C:\Users\Admin\AppData\Roaming\nigger.exe
    "C:\Users\Admin\AppData\Roaming\nigger.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6D34.tmp.bat

Filesize
150B

MD5
fa5ea14ba60426b26ac7640cfca112d2

SHA1
d795a64f5c0ec15a0820e17ba6aefc82435748d8

SHA256
f864da90fd68a39aaf887ba6b0eabc9b526ae5cf0f985265b5128c1730e675ea

SHA512
0f6a83b26bba8f4fc568b5c457c6c36d014d5418f50f1f2d270a70591f8a1ace6b950769b2f60e9523e90cabc4421519b8548a127c069f56055edd2cd53c5760

Download Submit
C:\Users\Admin\AppData\Roaming\nigger.exe

Filesize
48KB

MD5
a41754aa9cfd098e0f31fce03ab38166

SHA1
22946a1c7828ab7a5f218b6a815350fc0e1d1c1b

SHA256
f4876b06da96639271728c1c65aff064d45de3307a09f17d04686c0bf410bcc7

SHA512
5cc51386415d49e6d4c87111f6674347568047ad3420f8095559f0d077b5f7593506a34d4877765563ff0feccf50c9d1b7501452ab7dc6ce611768571d248cd9

Download Submit
memory/1916-16-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/2772-0-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp

Filesize
4KB

Download
memory/2772-1-0x00000000013D0000-0x00000000013E2000-memory.dmp

Filesize
72KB

Download
memory/2772-2-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2772-11-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads