asyncrat | de7605348e00fa74f915deddaaeb39e85e37d65758e3ab7b3e16b1c4d8934d74

General

Target

RCG_48293729372.rar
Size

410KB
MD5

7ddf39aab483493ce577416732d4bc5b
SHA1

f900811f8d631f85f981eff4d9c976d83d6a296b
SHA256

de7605348e00fa74f915deddaaeb39e85e37d65758e3ab7b3e16b1c4d8934d74
SHA512

976e5691714f2dda72301eaf0897c52a1ec1d06d3af2a5039b3d685f75625aff74c640f9c06d523d5413e1607cbeeeee85c570ec40439624a20826350590d2e8
SSDEEP

6144:F0i/EsJ9XhQI6g5dMa/79m6Oc/hRN0uYDS+G5i8TXQkk0gsHHysDXMpJHxfFz1g/:FrpLhzjY8B4kF+G538kZFSsD8bH3+2A

Score

10^/10

asyncrat zcoopor-llega discovery rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

ZCOOPOR-LLEGA

C2

8529pt.4cloud.click:8529

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2660	RCG_48293729372..exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2660 set thread context of 2852	2660	RCG_48293729372..exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RCG_48293729372..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2188	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2188	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2188	7zFM.exe
Token: 35	2188	7zFM.exe
Token: SeSecurityPrivilege	2188	7zFM.exe
Token: SeDebugPrivilege	2852	csc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2188	7zFM.exe
2188	7zFM.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2660	2188	7zFM.exe	30
PID 2188 wrote to memory of 2660	2188	7zFM.exe	30
PID 2188 wrote to memory of 2660	2188	7zFM.exe	30
PID 2188 wrote to memory of 2660	2188	7zFM.exe	30
PID 2660 wrote to memory of 2852	2660	RCG_48293729372..exe	31
PID 2660 wrote to memory of 2852	2660	RCG_48293729372..exe	31
PID 2660 wrote to memory of 2852	2660	RCG_48293729372..exe	31
PID 2660 wrote to memory of 2852	2660	RCG_48293729372..exe	31
PID 2660 wrote to memory of 2852	2660	RCG_48293729372..exe	31
PID 2660 wrote to memory of 2852	2660	RCG_48293729372..exe	31

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RCG_48293729372.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\7zOC88AC527\RCG_48293729372..exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC88AC527\RCG_48293729372..exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC88AC527\RCG_48293729372..exe

Filesize
945KB

MD5
9b54e790a4bf5db73e90b08c94eb542a

SHA1
f60455f1338a85bbdc365e4714c184f75e8d383a

SHA256
716c50de230f15003dcac3de58c98751e012d8e39f42423b1de4d69e8fd847ad

SHA512
abe695847b0ef7eb050c01772088174375b62d4f32ae2da08bee840832b07827607da99caa43e0b1b78ecbb9c542a84815550f6bfc7fbd4faa0f6d36348e98c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5AB0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
memory/2660-20-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2660-14-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2660-13-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2660-12-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2660-19-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2660-11-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2852-17-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2852-15-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2852-22-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2852-21-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/2852-18-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing