asyncrat | 16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e

General

Target

SecuriteInfo.com.Win64.MalwareX-gen.27060.exe
Size

29KB
MD5

e40eb702f369e5decfb33b3d78bd4b0c
SHA1

3de25a909a7d8f20aaa4d9aba60aeb501c247f86
SHA256

16a2abe3f4f2c005e206318caf37a366e0084fa8ca8561f3642fa0b4f2f04a7e
SHA512

d015925072810f6ec5044ead32efc8ed6bee2d533c39915ceb526edce20edbc7fd3447423bd6ec608478eb87fdc70c9ad6dcce8b00b8328206adc9294137b60f
SSDEEP

384:pWIooQkbZYGM0D4DTrMiRShFRDwSH3I6ELjTo0z2d6GHnGtI4qk9QlEM69+j5P0u:nQFGM0D4DKF9wHmhAvP9Ql369aR0

Score

10^/10

asyncrat runtimebroker rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

RuntimeBroker

C2

37.18.62.18:8060

Mutex

RuntimeBroker.exe

Attributes

delay
1
install
false
install_file
RuntimeBroker.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe	family_asyncrat

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
4164	RuntimeBroker.exe
452	RuntimeBroker.exe
4900	RuntimeBroker.exe
1576	RuntimeBroker.exe
3892	RuntimeBroker.exe
2748	RuntimeBroker.exe
4340	RuntimeBroker.exe
2896	RuntimeBroker.exe
712	RuntimeBroker.exe
4160	RuntimeBroker.exe
1232	RuntimeBroker.exe
4108	RuntimeBroker.exe
1636	RuntimeBroker.exe
4900	RuntimeBroker.exe
4264	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

17 raw.githubusercontent.com
18 raw.githubusercontent.com

flow	ioc
17	raw.githubusercontent.com
18	raw.githubusercontent.com

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

SecuriteInfo.com.Win64.MalwareX-gen.27060.exe

description	pid	process	target process
PID 1544 wrote to memory of 4164	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4164	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 452	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 452	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4900	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4900	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 1576	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 1576	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 3892	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 3892	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 2748	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 2748	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4340	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4340	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 2896	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 2896	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 712	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 712	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4160	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4160	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 1232	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 1232	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4108	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4108	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 1636	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 1636	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4900	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4900	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4264	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe
PID 1544 wrote to memory of 4264	1544	SecuriteInfo.com.Win64.MalwareX-gen.27060.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.MalwareX-gen.27060.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.MalwareX-gen.27060.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:4164

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:452

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:4900

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:1576

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:3892

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:2748

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:4340

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:2896

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:712

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:1232

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:4108

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:4900

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
2⤵
- Executes dropped EXE
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
48KB

MD5
2c417b524aed1da84f185711e5a478f1

SHA1
48380b5cd38eb374f4b439552e84bca400d2008b

SHA256
8b703cd3353ca564a01ba71e1bd9a60f8dc0fa3ac8e93747a5adcdb04ce7c79b

SHA512
2032760a9625b3862dead17143bdc35926a68d7054ba96159123fc45e8ec12553e0c4ff8808f1ecc71ee3660b0c4bbc95b137363b4b5cd94d2e86dd7bfc4eb23

Download Submit
memory/452-22-0x00007FFE4D240000-0x00007FFE4DD01000-memory.dmp

Filesize
10.8MB

Download
memory/452-23-0x00007FFE4D240000-0x00007FFE4DD01000-memory.dmp

Filesize
10.8MB

Download
memory/4164-19-0x00007FFE4D593000-0x00007FFE4D595000-memory.dmp

Filesize
8KB

Download
memory/4164-20-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads