asyncrat | c81b0cd26f92c566a1619d8a740da1e7ffa3e3d605fccccb5f3b3a075fb9e8cb

Analysis

max time kernel
49s
max time network
42s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-11-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

juepta.7z
Size

18KB
MD5

a577c95fba2b8becd8f4fb963f25cb22
SHA1

01f874c1abc88cf0eea294ca7265ba9f8d7ff033
SHA256

c81b0cd26f92c566a1619d8a740da1e7ffa3e3d605fccccb5f3b3a075fb9e8cb
SHA512

b2e1e51a108526e29e6edfa4342f10df0765159c16ba3d6a77dc2e68f78d849b19ebf9e602f09fa7d57911d0f256c1d9bfad35dde3b57307b675a35ef0781507
SSDEEP

384:rB+8b/oGiZ3Z5+D4wbdA4M99yFUI5I1XqX6p0242vSKF/LZe1VFnIbS:l+8b/0LmNy9Kye6pP42vlDc1TmS

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:4782

127.0.0.1:3425

Cristopher11sa-62565.portmap.host:6606

Cristopher11sa-62565.portmap.host:7707

Cristopher11sa-62565.portmap.host:8808

Cristopher11sa-62565.portmap.host:4782

Cristopher11sa-62565.portmap.host:3425

190.104.116.8:6606

190.104.116.8:7707

190.104.116.8:8808

190.104.116.8:4782

190.104.116.8:3425

azxq0ap.localto.net:6606

azxq0ap.localto.net:7707

azxq0ap.localto.net:8808

azxq0ap.localto.net:4782

azxq0ap.localto.net:3425

Mutex

E2qgtjRHaRSi

Attributes

delay
3
install
false
install_file
Java updater.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\juepta.exe	family_asyncrat

Executes dropped EXE 2 IoCs

Processes:

juepta.exejuepta.exe

pid process

3792 juepta.exe
2556 juepta.exe

pid	process
3792	juepta.exe
2556	juepta.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

juepta.exejuepta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	juepta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	juepta.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

736 7zFM.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 736 7zFM.exe
Token: 35 736 7zFM.exe
Token: SeSecurityPrivilege 736 7zFM.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

736 7zFM.exe
736 7zFM.exe

pid	process
736	7zFM.exe

description	pid	process
Token: SeRestorePrivilege	736	7zFM.exe
Token: 35	736	7zFM.exe
Token: SeSecurityPrivilege	736	7zFM.exe

pid	process
736	7zFM.exe
736	7zFM.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\juepta.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:736

C:\Users\Admin\Desktop\juepta.exe
"C:\Users\Admin\Desktop\juepta.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3792

C:\Users\Admin\Desktop\juepta.exe
"C:\Users\Admin\Desktop\juepta.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\juepta.exe

Filesize
45KB

MD5
f5f5c83965ddca843cc1aaf6e8a708b9

SHA1
491eddac26eeb7d9ea491cbf16ba241fcbd60ba8

SHA256
cd6b375afc5bc9712d70713c229efe8d51084675ca7e06d77c673cff01b6c69a

SHA512
f1243de2f0b7ce3f559e090ebf441143ac3642114b753d27bb0d9648d07c67480ddebe9ac458c302b8c90a94ae48a4869e5f90141444de5ec444ac9ec8eab12b

Download Submit
memory/2556-10-0x00000000747C0000-0x0000000074F71000-memory.dmp

Filesize
7.7MB

Download
memory/2556-12-0x00000000747C0000-0x0000000074F71000-memory.dmp

Filesize
7.7MB

Download
memory/3792-4-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/3792-5-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/3792-6-0x00000000747C0000-0x0000000074F71000-memory.dmp

Filesize
7.7MB

Download
memory/3792-7-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/3792-8-0x00000000747C0000-0x0000000074F71000-memory.dmp

Filesize
7.7MB

Download