asyncrat | fcd2f84729c38492a75276de4928249813d41f10d0ec9234f3b986d995d9a248

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 22:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Infected.exe
Size

63KB
MD5

c53199aed02697610c0cdb99d192e4d2
SHA1

faae42b52f7bee675e65dce52427cb7230c6640d
SHA256

fcd2f84729c38492a75276de4928249813d41f10d0ec9234f3b986d995d9a248
SHA512

00d7a1301b4f7a5aead4ac0f24aeec92b7cffc996e1496001dad9b7b7f2ce499be4825712b904a2e4f08cbe419516e6c195d7c5c957d495f8cc3d2c1acbb3522
SSDEEP

768:IFxqDQZYpAO78iOC8A+Xu7azcBRL5JTk1+T4KSBGHmDbD/ph0oXbpJ09QypuzSuh:8qMGAvkdSJYUbdh9Ry8WuDdpqKmY7

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:1704

127.0.0.1:34207

fivilob146-22229.portmap.host:1704

fivilob146-22229.portmap.host:34207

fivilob146-22085.portmap.host:1704

fivilob146-22085.portmap.host:34207

photography-stopping.gl.at.ply.gg:1704

photography-stopping.gl.at.ply.gg:34207

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3564	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	Infected.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4600	2868	Infected.exe	97
PID 2868 wrote to memory of 4600	2868	Infected.exe	97
PID 4600 wrote to memory of 3564	4600	cmd.exe	99
PID 4600 wrote to memory of 3564	4600	cmd.exe	99

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5C15.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5C15.tmp.bat

Filesize
160B

MD5
bb87938bd6b6df37203a76dbfe1f6909

SHA1
ae2d763454337569f37b735c423de8cde1067108

SHA256
83029db9ec3290422e79ff7bcd6da07383ed26e2f978d3b13eb1c1a75439e8aa

SHA512
39557b498729ba4a2acca064454990c22cba656a22a37c5f991fd9c0138300eea4f8a52dce307e3ea8e879e67e9e9780fb535ed457615fa9f525bd0b4c89b9ef

Download Submit
memory/2868-0-0x00007FFBA6ED3000-0x00007FFBA6ED5000-memory.dmp

Filesize
8KB

Download
memory/2868-1-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/2868-2-0x00007FFBA6ED0000-0x00007FFBA7991000-memory.dmp

Filesize
10.8MB

Download
memory/2868-3-0x00007FFBA6ED0000-0x00007FFBA7991000-memory.dmp

Filesize
10.8MB

Download
memory/2868-4-0x00007FFBA6ED0000-0x00007FFBA7991000-memory.dmp

Filesize
10.8MB

Download
memory/2868-7-0x000000001C900000-0x000000001C976000-memory.dmp

Filesize
472KB

Download
memory/2868-8-0x000000001AF30000-0x000000001AFE2000-memory.dmp

Filesize
712KB

Download
memory/2868-9-0x000000001AFE0000-0x000000001AFFE000-memory.dmp

Filesize
120KB

Download
memory/2868-14-0x00007FFBA6ED0000-0x00007FFBA7991000-memory.dmp

Filesize
10.8MB

Download