asyncrat | 224e4c17a089090cca9119d71fb2334fb15acf48bc92ea3e932c90c5ff3e769d

General

Target

file.exe
Size

187KB
MD5

0b963852688f37c062548d7ccf610b07
SHA1

698aefe85ccc31f42215ca1df14faf02bb36f17e
SHA256

224e4c17a089090cca9119d71fb2334fb15acf48bc92ea3e932c90c5ff3e769d
SHA512

8c8c833ecccb0c3d010899c7e7f934d41b592888f29c34d94955bb7db5956d513fb38126aa1dce7e41e65cf84efd91a8e023c7f26e3445d98eb40b4ca8773528
SSDEEP

3072:o0WJGrmn/HDUOvme0a3dTp9bhHRR0QJ8cNh/z7Aij9K:2z/HDexaRp9btRR02xgij

Score

10^/10

asyncrat nightingale collection credential_access execution rat spyware stealer

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Nightingale family
nightingale
Nightingale stealer
Nightingale stealer is an information stealer written in C#.
stealer nightingale

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2232-2-0x0000000000860000-0x0000000000892000-memory.dmp	family_asyncrat

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2876 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 pastebin.com
8 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ip-api.com

flow	ioc
7	pastebin.com
8	pastebin.com

flow	ioc
10	ip-api.com

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exefile.exe

pid	process
2876	powershell.exe
2128	powershell.exe
2232	file.exe
2232	file.exe
2232	file.exe
2232	file.exe
2232	file.exe
2232	file.exe
2232	file.exe
2232	file.exe
2232	file.exe
2232	file.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

file.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2232 file.exe
Token: SeDebugPrivilege 2876 powershell.exe
Token: SeDebugPrivilege 2128 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2232	file.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

file.exe

description	pid	process	target process
PID 2232 wrote to memory of 2876	2232	file.exe	powershell.exe
PID 2232 wrote to memory of 2876	2232	file.exe	powershell.exe
PID 2232 wrote to memory of 2876	2232	file.exe	powershell.exe
PID 2232 wrote to memory of 2128	2232	file.exe	powershell.exe
PID 2232 wrote to memory of 2128	2232	file.exe	powershell.exe
PID 2232 wrote to memory of 2128	2232	file.exe	powershell.exe

outlook_office_path 1 IoCs

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe

outlook_win_path 1 IoCs

Processes:

file.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab7DBA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBB87.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6Y2WKW8YT6H931LYDFSL.temp

Filesize
7KB

MD5
f04a3d39bc83fe0d5a551a55a9468661

SHA1
8eb556339930e5ead347000ec0db9fe853b6b9a5

SHA256
5b0b2ccb02299de16bb5fcc8881abcd968d0f39b2d8a937fd0da9722729fcf14

SHA512
334385bf4c69490886405a5829163f6a2b5fcb4989af6e835521c4f0cd192a9ace8f8ff605f24b102045d460e4e9b86888e6e6aa905f43291788b69675adb7bb

Download Submit
memory/2128-54-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2128-53-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2232-3-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-5-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-22-0x0000000002240000-0x0000000002280000-memory.dmp

Filesize
256KB

Download
memory/2232-4-0x000007FEF5E23000-0x000007FEF5E24000-memory.dmp

Filesize
4KB

Download
memory/2232-0-0x000007FEF5E23000-0x000007FEF5E24000-memory.dmp

Filesize
4KB

Download
memory/2232-2-0x0000000000860000-0x0000000000892000-memory.dmp

Filesize
200KB

Download
memory/2232-1-0x000000013F6B0000-0x000000013F6E4000-memory.dmp

Filesize
208KB

Download
memory/2876-45-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2876-46-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2876-47-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads