asyncrat | 0130b240236c6705dd2d464db286f43ad43b827179e229c1ac7dd61b3bb2fcd8

General

Target

cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe
Size

28.6MB
MD5

9116c5fb992227e6c738307d2de17552
SHA1

110741c697079bb7355a3650c5d86ba7c1f908e6
SHA256

cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d
SHA512

bb127bb1e23dd6da2040dd1c1ee7be1c7b481b2d4636af4f07f1b9449dd445400d431c99b019a86b6ae7d99ffee05f16cb304a99a29006fdff3e36d760c6ea11
SSDEEP

393216:esT23WtehI4MPAfu5FFYeQCs88zvwJMO:1aUFbFzr8zvKM

Score

10^/10

asyncrat discovery rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2760	2880	cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe	30
PID 2880 wrote to memory of 2760	2880	cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe	30
PID 2880 wrote to memory of 2760	2880	cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe	30
PID 2880 wrote to memory of 2760	2880	cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe	30
PID 2760 wrote to memory of 2672	2760	csc.exe	32
PID 2760 wrote to memory of 2672	2760	csc.exe	32
PID 2760 wrote to memory of 2672	2760	csc.exe	32
PID 2760 wrote to memory of 2672	2760	csc.exe	32

C:\Users\Admin\AppData\Local\Temp\cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe
"C:\Users\Admin\AppData\Local\Temp\cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o424cf22\o424cf22.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C2D.tmp" "c:\Users\Admin\AppData\Local\Temp\o424cf22\CSC7E5BE029192C4690BD246C105EFC9972.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4C2D.tmp

Filesize
1KB

MD5
c10a45abd2c009960ea61cbd97ae4c85

SHA1
773a0cab5ca5def91b7ecb324cf909cc92d9b095

SHA256
493c5cf6325ecfd4d0b210fe87974714c020d40ff6c4cb1d51188b0febb35424

SHA512
6b0a58139c434125356f03f8e48bfd39ddf187030b0aba846119203a9ad9fb4e2acd0362073856baf6aa8c5d618df208d0c05776311928d5acd75076bb7383da

Download Submit
C:\Users\Admin\AppData\Local\Temp\o424cf22\o424cf22.dll

Filesize
37KB

MD5
ec12c769a64d414b878918b078901266

SHA1
2632187439b29e1766a6b6dc076b010851dcd78e

SHA256
600578bb4c925d825ee3eb1353295ee6fe7672dc1260bb6bc17e52dba3b30888

SHA512
9155b4008253580e76eafe98917b351a07eadd6d36cfc269a6cd2030e4291623b5751b92ff3d9b7e4a08be57919829e516e958a02b2821e1a1a2ffeafc9fcdc9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o424cf22\CSC7E5BE029192C4690BD246C105EFC9972.TMP

Filesize
652B

MD5
80fbbf2955fea0f0469b7cf5f30c0ae4

SHA1
035f68e995bbbe7a4d515623ece743493ef4f8f2

SHA256
fcb09f1f14084c0a36a81fc6024a366e902d6cb0ea2a6f65d741bfc1249c1ce7

SHA512
2f44616870b2402aa97975b0b16c8eccf2eb4040af4718fac98336a7e6591565b1c4a9e7a3f7e86c87d1dc6303a3336a53654fe542c1814c2b178f52385293a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o424cf22\o424cf22.0.cs

Filesize
69KB

MD5
89db3c484506b3962f7c8fc952345895

SHA1
f19f78cfda729460904f3f30784613eeac4f84aa

SHA256
b7477c309b505136d72caefab0814677a5ee09d5ed0a0b4a7ebbc6136a534004

SHA512
1e9f00b4389a6ce6ff1c28628ceb4d6fcd68604e8bc64c91ea3ff4f46986a8b384079e02ac2ee6da851bb875467769edca3a57a71962e8feb7d04abe3c76a3fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o424cf22\o424cf22.cmdline

Filesize
439B

MD5
803be05a2d786e18c56a7103ea6112b1

SHA1
56ca429bb83e3c3e0214f6f8194c75905f649b65

SHA256
69420a3e4df2220494dd6ce3ff66d40c2ae5d8b698eec28440ec3f1f16264d44

SHA512
6525246b200c1a5f7d70246e9922b538ad5e06da97f002d5fd0e8eda3514dcb8fed1787792cadb0e63613e4815cb6f96fa2055d89d2c8ca629440538b9c7769a

Download Submit
memory/2880-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2880-1-0x0000000000280000-0x0000000001F1A000-memory.dmp

Filesize
28.6MB

Download
memory/2880-4-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2880-15-0x0000000002040000-0x0000000002050000-memory.dmp

Filesize
64KB

Download
memory/2880-17-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2880-18-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing