asyncrat | 4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29cc

General

Target

4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
Size

2.0MB
MD5

7204fe5140619c24c146489ea3544da0
SHA1

a0c4a3fcc6262839d2ea132c12eb4c7fc7b5ac37
SHA256

4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29cc
SHA512

b52b5eded7b0937572ad989c061ee4bd839d3d966ddf45382984c5f32f008cb2653b58502bf34eeb3681797c246cbd31430d33a91eb56c0fa611162c80641dc5
SSDEEP

49152:sfU4Uj2Did0yksUsdR4/pgCXp0q++yTun33DhZVBIcLJHC85zR61xg1:sfUbaS0EtdR4/pgfq++yT633DvVBIsCS

Score

10^/10

asyncrat server8 discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Server8

C2

asmby.duckdns.org:52350

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Executes dropped EXE 3 IoCs

Processes:

4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exeSenseCE.exeSenseCE.exe

pid process

4796 4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
1520 SenseCE.exe
2156 SenseCE.exe
Loads dropped DLL 3 IoCs

Processes:

4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exeSenseCE.exeSenseCE.exe

pid process

4796 4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
1520 SenseCE.exe
2156 SenseCE.exe

pid	process
4796	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
1520	SenseCE.exe
2156	SenseCE.exe

pid	process
4796	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
1520	SenseCE.exe
2156	SenseCE.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

SenseCE.execmd.exe

description	pid	process	target process
PID 2156 set thread context of 1860	2156	SenseCE.exe	cmd.exe
PID 1860 set thread context of 1820	1860	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.execmd.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

SenseCE.exeSenseCE.execmd.exe

pid process

1520 SenseCE.exe
2156 SenseCE.exe
2156 SenseCE.exe
1860 cmd.exe
1860 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

SenseCE.execmd.exe

pid process

2156 SenseCE.exe
1860 cmd.exe
1860 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 1820 MSBuild.exe

pid	process
1520	SenseCE.exe
2156	SenseCE.exe
2156	SenseCE.exe
1860	cmd.exe
1860	cmd.exe

pid	process
2156	SenseCE.exe
1860	cmd.exe
1860	cmd.exe

description	pid	process
Token: SeDebugPrivilege	1820	MSBuild.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exeSenseCE.exeSenseCE.execmd.exe

description	pid	process	target process
PID 3680 wrote to memory of 4796	3680	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
PID 3680 wrote to memory of 4796	3680	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
PID 3680 wrote to memory of 4796	3680	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
PID 4796 wrote to memory of 1520	4796	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe	SenseCE.exe
PID 4796 wrote to memory of 1520	4796	4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe	SenseCE.exe
PID 1520 wrote to memory of 2156	1520	SenseCE.exe	SenseCE.exe
PID 1520 wrote to memory of 2156	1520	SenseCE.exe	SenseCE.exe
PID 2156 wrote to memory of 1860	2156	SenseCE.exe	cmd.exe
PID 2156 wrote to memory of 1860	2156	SenseCE.exe	cmd.exe
PID 2156 wrote to memory of 1860	2156	SenseCE.exe	cmd.exe
PID 2156 wrote to memory of 1860	2156	SenseCE.exe	cmd.exe
PID 1860 wrote to memory of 1820	1860	cmd.exe	MSBuild.exe
PID 1860 wrote to memory of 1820	1860	cmd.exe	MSBuild.exe
PID 1860 wrote to memory of 1820	1860	cmd.exe	MSBuild.exe
PID 1860 wrote to memory of 1820	1860	cmd.exe	MSBuild.exe
PID 1860 wrote to memory of 1820	1860	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
"C:\Users\Admin\AppData\Local\Temp\4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\Temp\{3F9C1F7D-5298-43AB-A139-BF6B4A22ECCA}\.cr\4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe
"C:\Windows\Temp\{3F9C1F7D-5298-43AB-A139-BF6B4A22ECCA}\.cr\4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe" -burn.filehandle.attached=536 -burn.filehandle.self=532
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\Temp\{0D58BD27-2A53-42D6-B8EF-3CE73A515260}\.ba\SenseCE.exe
"C:\Windows\Temp\{0D58BD27-2A53-42D6-B8EF-3CE73A515260}\.ba\SenseCE.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Roaming\Mp_beacon_test\SenseCE.exe
C:\Users\Admin\AppData\Roaming\Mp_beacon_test\SenseCE.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ef79381

Filesize
777KB

MD5
1e169495a2709fdfe5d23c127d4af507

SHA1
3b7bfdcc9e393368ebc2f1bac451cb0a4a50fc2d

SHA256
9b7cc2adc860c7eff3f55ed2d6c84b8c8aaadbd742e84aefe29b639934617f91

SHA512
49904b6829518e17a8459a7ed9cffc5546be7d95257d9d7a9fcdbc15c0870a0c93fcea968c87c6caa5be4736c53bd44413889c4281c2061d96802f75cf52889e

Download Submit
C:\Windows\Temp\{0D58BD27-2A53-42D6-B8EF-3CE73A515260}\.ba\Bagwash.dll

Filesize
708KB

MD5
99bbabb42d43b56dfaf5b418e281f90e

SHA1
d5ba68d0741b22b3d9f44662a3c6dc6aa17ab843

SHA256
82d306f378f515c2b44236246f7d9ecaed90c5b91fda4532982e79350bc6cab9

SHA512
a4119255a54849f3e8b7c3ce1acde14ed2a3dfa1a10e570cd5104e95728924bf6d1deba7a13d223cdf20ae2fb40357e684e7814a6419c72171ad19787fc91ad4

Download Submit
C:\Windows\Temp\{0D58BD27-2A53-42D6-B8EF-3CE73A515260}\.ba\MpGear.dll

Filesize
592KB

MD5
f7097d29a199f55b33e42107dcb4d0a1

SHA1
d11cbbccb8cfd2bb2276bce7419d2ee9ad82551f

SHA256
c712edb84c5949a87cabc05c064b402351172ec8fbf6a7378ce8d12a7d03e807

SHA512
8c92609f78d36b8af76b4ab563f600e1d03a068c5f46859f522d8a0b747e7d643b950c8428adab425ec1756da0dd2b82cfd246ada20751763e0ec3c5192112c5

Download Submit
C:\Windows\Temp\{0D58BD27-2A53-42D6-B8EF-3CE73A515260}\.ba\SenseCE.exe

Filesize
1.6MB

MD5
8f0717916432e1e4f3313c8ebde55210

SHA1
41456cd9c3b66cfb22f9bbeefb6750cce516bf3a

SHA256
8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab

SHA512
d1c4696541ec1d8d44e820902828bfbbd16afbb9c4a251080fc62262fbf879b268ed0fff80ea84aacdc58f424c516a979bb8fa82f0dfe920d71cad92f17bcfee

Download Submit
C:\Windows\Temp\{0D58BD27-2A53-42D6-B8EF-3CE73A515260}\.ba\ond

Filesize
58KB

MD5
8a02f80920ceea7f6435f403e3944ac8

SHA1
47d93c51f48b7b302eddc9d6721b61445df36613

SHA256
5be0fb9dcb4132c1c7ea90fbd2ae66c70022f2f8812681b9810a1b6b8f7714f2

SHA512
e20bd8a33c3701053142c8196bbe19212999df69112e3252a9d8742dddf377c8a8f0985fbbd7125d78f8475e657adec3dca5ff22b0137a37ff94cae51a057c8c

Download Submit
C:\Windows\Temp\{0D58BD27-2A53-42D6-B8EF-3CE73A515260}\.ba\piqfvld

Filesize
535KB

MD5
6bb403fa903db48a19879659958fd9ca

SHA1
40f746e046156ddac3f0ca32379fbf53c81a23b0

SHA256
a6c0855fce117edbbcfec9db83bbe13b129b98288c3566941bfeecc46d83df53

SHA512
41f5b258221348d722a63c59e2acc7cb235f216742d66676417cbf698937c44bbe5bbe59cf792fbdac3fab5aa49c74a0c1e1b787480e4f3393e7cff07e30de5b

Download Submit
C:\Windows\Temp\{3F9C1F7D-5298-43AB-A139-BF6B4A22ECCA}\.cr\4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29ccN.exe

Filesize
2.0MB

MD5
7204fe5140619c24c146489ea3544da0

SHA1
a0c4a3fcc6262839d2ea132c12eb4c7fc7b5ac37

SHA256
4e3c1838cf97be19c84a844b47eb093fb6e05854b971c07b86a561b50e1c29cc

SHA512
b52b5eded7b0937572ad989c061ee4bd839d3d966ddf45382984c5f32f008cb2653b58502bf34eeb3681797c246cbd31430d33a91eb56c0fa611162c80641dc5

Download Submit
memory/1520-19-0x00007FF901530000-0x00007FF9016A2000-memory.dmp

Filesize
1.4MB

Download
memory/1820-40-0x0000000073230000-0x0000000074484000-memory.dmp

Filesize
18.3MB

Download
memory/1820-43-0x0000000000C10000-0x0000000000C26000-memory.dmp

Filesize
88KB

Download
memory/1860-35-0x00007FF91FB10000-0x00007FF91FD05000-memory.dmp

Filesize
2.0MB

Download
memory/1860-38-0x0000000074CB0000-0x0000000074E2B000-memory.dmp

Filesize
1.5MB

Download
memory/2156-31-0x00007FF901530000-0x00007FF9016A2000-memory.dmp

Filesize
1.4MB

Download
memory/2156-32-0x00007FF901530000-0x00007FF9016A2000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads