asyncrat | db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
Size

77KB
MD5

8e358be8819281482ce33f1d3335a2d5
SHA1

5e787f0d977c44edd0f65be22fb996be82223603
SHA256

db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a
SHA512

3ea7d496d0806354de3da51fca9681c6a2c9b3d77d54ac5db4cc58e2d7c4334274080a990c954e3cea601385d9a0d05c4bf758d614a2f535cd69525c92cdeb82
SSDEEP

1536:5huKQkz01I8B3HqJSlb70neUI3pqKmY7:H9z0e8BGSlb7Bkz

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

v1.0.8

Botnet

Default

38.91.118.194:7415

Mutex

qccopvsmryslxi

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4736	db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe

C:\Users\Admin\AppData\Local\Temp\db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe
"C:\Users\Admin\AppData\Local\Temp\db504171c7ece47c2ca76a9bf4343b98a4196fec57f74430729b57c180fc219a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4736-0-0x00007FFC19133000-0x00007FFC19135000-memory.dmp

Filesize
8KB

Download
memory/4736-1-0x000001B6C1730000-0x000001B6C174A000-memory.dmp

Filesize
104KB

Download
memory/4736-3-0x00007FFC19130000-0x00007FFC19BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-6-0x00007FFC19130000-0x00007FFC19BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-8-0x00007FFC19130000-0x00007FFC19BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-9-0x00007FFC19133000-0x00007FFC19135000-memory.dmp

Filesize
8KB

Download
memory/4736-10-0x00007FFC19130000-0x00007FFC19BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-11-0x00007FFC19130000-0x00007FFC19BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-12-0x00007FFC19130000-0x00007FFC19BF1000-memory.dmp

Filesize
10.8MB

Download