asyncrat | 0130b240236c6705dd2d464db286f43ad43b827179e229c1ac7dd61b3bb2fcd8

General

Target

cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe
Size

28.6MB
MD5

9116c5fb992227e6c738307d2de17552
SHA1

110741c697079bb7355a3650c5d86ba7c1f908e6
SHA256

cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d
SHA512

bb127bb1e23dd6da2040dd1c1ee7be1c7b481b2d4636af4f07f1b9449dd445400d431c99b019a86b6ae7d99ffee05f16cb304a99a29006fdff3e36d760c6ea11
SSDEEP

393216:esT23WtehI4MPAfu5FFYeQCs88zvwJMO:1aUFbFzr8zvKM

Score

10^/10

asyncrat discovery rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2820	4912	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4972	4912	cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe	83
PID 4912 wrote to memory of 4972	4912	cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe	83
PID 4912 wrote to memory of 4972	4912	cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe	83
PID 4972 wrote to memory of 4284	4972	csc.exe	85
PID 4972 wrote to memory of 4284	4972	csc.exe	85
PID 4972 wrote to memory of 4284	4972	csc.exe	85

C:\Users\Admin\AppData\Local\Temp\cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe
"C:\Users\Admin\AppData\Local\Temp\cf2166bcce3d3cd77cd9dc91d33f1d10c084ae31a6adbf542e24a43cdcd2314d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3drlzhts\3drlzhts.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80B9.tmp" "c:\Users\Admin\AppData\Local\Temp\3drlzhts\CSC60D98794C3754733A227528CE76E14.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4284
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1200
  2⤵
  - Program crash
  PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4912 -ip 4912
1⤵
PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3drlzhts\3drlzhts.dll

Filesize
37KB

MD5
9b15661b94612bdbd86312b2809c2ace

SHA1
20fb0d0676843720f33ac32485ca37088fce4cbf

SHA256
f528c4c69276c30b298a70e46139e3c7def0bed650cb8f6806d180885a183e6c

SHA512
6ca6ebb3c1ba7ddf3f50dd734764712a279e080b7b3a8b5efd01de5ced680beace29055fd92ccc6391b4af21e8ae568a79b8c8027cc710b11dcdf6582855a650

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES80B9.tmp

Filesize
1KB

MD5
4115ac09b35eb6e1689c00021e141e21

SHA1
e3b14fa99a02b0cff68880bc1900db0934a50cfc

SHA256
3dc3818b3f0a3300812727373592307853c79a38912212e9e6de209df5a88a8d

SHA512
c0ade9b80061a02acbbd041db74a4a213cd3e5f32237375b4ad31d4b1b02ffe79604fd57cfd884078dbf81a7a37ca95f43807befe1b709402a299b33b664017c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3drlzhts\3drlzhts.0.cs

Filesize
69KB

MD5
89db3c484506b3962f7c8fc952345895

SHA1
f19f78cfda729460904f3f30784613eeac4f84aa

SHA256
b7477c309b505136d72caefab0814677a5ee09d5ed0a0b4a7ebbc6136a534004

SHA512
1e9f00b4389a6ce6ff1c28628ceb4d6fcd68604e8bc64c91ea3ff4f46986a8b384079e02ac2ee6da851bb875467769edca3a57a71962e8feb7d04abe3c76a3fc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3drlzhts\3drlzhts.cmdline

Filesize
439B

MD5
eceb310ce54e0ca0a30709c88d15fdbb

SHA1
c2e79c761e6fa3c107d9b6fc90ea86b3616512ce

SHA256
0ec110032d5ab17f902a31e16c0303ded112d31fecbcb410ba690c6c4d957838

SHA512
8cb86ed10ef30d96c87179e62eb226d335ca4803c2bdefadea6b46e8b465e7839a9d84df3bf1a3082c92e0277f6a7d06cf49dca61b0965259e3b58309d2b29e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3drlzhts\CSC60D98794C3754733A227528CE76E14.TMP

Filesize
652B

MD5
d58614e8556984fbfcd5c1a8cf4a43b3

SHA1
50565d212a17ecd98d4639fa9a895d63647c4684

SHA256
0ba4e6592028180796368aa7ee82ed6edff50847895b3550e9d2b6ea54754986

SHA512
9061ad16c8c5b00ea120f7215ff2d211a6c9b6ca6139a88aa217e1647ac899f4d129f94ce9271a5e935ec3691f5dcec002b83a62acdd94a309edc951b51bdd12

Download Submit
memory/4912-3-0x0000000006F60000-0x0000000006FF2000-memory.dmp

Filesize
584KB

Download
memory/4912-6-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4912-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/4912-2-0x00000000073C0000-0x0000000007964000-memory.dmp

Filesize
5.6MB

Download
memory/4912-1-0x00000000008C0000-0x000000000255A000-memory.dmp

Filesize
28.6MB

Download
memory/4912-17-0x0000000006F30000-0x0000000006F40000-memory.dmp

Filesize
64KB

Download
memory/4912-19-0x0000000007270000-0x00000000072D6000-memory.dmp

Filesize
408KB

Download
memory/4912-20-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4912-21-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing