asyncrat | bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27

General

Target

bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
Size

6.2MB
MD5

2f656ac986d1b22de2356fc4586cd819
SHA1

e36341cdc70b4d761ba4ac77e117e1fab0a95ce3
SHA256

bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27
SHA512

dabcb2e594897a5b8f30b84d1f0437d46e224c6d9efd825d2a66a3ee64d206e8706eec474e00ec623ba89d34b9cdd33a626283910879d5d0ad6f5efcfc5fcc7d
SSDEEP

196608:xaq5c7YF6mvdsCncW4njQthsiHzy7kZPRJZJJ9yh:PWIPvaCncbnKhs57Wr

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

34.92.223.98:4449

Mutex

xetwktjowgokrxw

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3736-26-0x0000023BF7310000-0x0000023BF7328000-memory.dmp	family_asyncrat

Loads dropped DLL 4 IoCs

pid	Process
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3736	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 3736	1016	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe	83
PID 1016 wrote to memory of 3736	1016	bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe	83

C:\Users\Admin\AppData\Local\Temp\bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
"C:\Users\Admin\AppData\Local\Temp\bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe
  "C:\Users\Admin\AppData\Local\Temp\bd195ee5812dc58ee5b9b758dd441c5109a49bea4318d220febc8ab56d62df27.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10162\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\_ctypes.pyd

Filesize
116KB

MD5
41a9708af86ae3ebc358e182f67b0fb2

SHA1
accab901e2746f7da03fab8301f81a737b6cc180

SHA256
0bd4ed11f2fb097f235b62eb26a00c0cb16815bbf90ab29f191af823a9fed8cf

SHA512
835f9aa33fdfbb096c31f8ac9a50db9fac35918fc78bce03dae55ea917f738a41f01aee4234a5a91ffa5bdbbd8e529399205592eb0cae3224552c35c098b7843

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\base_library.zip

Filesize
1.0MB

MD5
893787b24dedc5367f7f580cfbf53ac8

SHA1
c98a0be31eae3988e2f74a12ae1729f9b030ab88

SHA256
8a17720e3f66ac5facf7be3503cba0c05577f4fe4d7a9e58adb573abfed283b5

SHA512
6232e2f32d75799696a4a5d1a76ea3b6854f4271f2a8ddd6956a2c0b74b3ae08ecca7ca52f6166e184239d3656b16243ede52b0ac9c58408e8494b8421f512f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10162\python310.dll

Filesize
4.2MB

MD5
c6c37b848273e2509a7b25abe8bf2410

SHA1
b27cfbd31336da1e9b1f90e8f649a27154411d03

SHA256
b7a7f3707beab109b66de3e340e3022dd83c3a18f444feb9e982c29cf23c29b8

SHA512
222ad791304963a4b8c1c6055e02c0c4c47fce2bb404bd4f89c022ff9706e29ca6fa36c72350fbf296c8a0e3e48e3756f969c003dd1eb056cd026efe0b7eba40

Download Submit
memory/3736-24-0x0000023BF0EB0000-0x0000023BF0ECC000-memory.dmp

Filesize
112KB

Download
memory/3736-25-0x00007FFF602A3000-0x00007FFF602A5000-memory.dmp

Filesize
8KB

Download
memory/3736-26-0x0000023BF7310000-0x0000023BF7328000-memory.dmp

Filesize
96KB

Download
memory/3736-28-0x00007FFF602A0000-0x00007FFF60D61000-memory.dmp

Filesize
10.8MB

Download
memory/3736-29-0x00007FFF602A0000-0x00007FFF60D61000-memory.dmp

Filesize
10.8MB

Download
memory/3736-30-0x00007FFF602A3000-0x00007FFF602A5000-memory.dmp

Filesize
8KB

Download
memory/3736-31-0x00007FFF602A0000-0x00007FFF60D61000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing