asyncrat | 903947bf4167c5b0ee718bb5312f38f2d2fc3a204303ee4deacf15df547ed1a4

Analysis

max time kernel
94s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

903947bf4167c5b0ee718bb5312f38f2d2fc3a204303ee4deacf15df547ed1a4N.exe
Size

2.5MB
MD5

976905ed4b4f65242e608e94b975d240
SHA1

13a95b9ed2f9f7379848dac24ccbd027c23b61d1
SHA256

903947bf4167c5b0ee718bb5312f38f2d2fc3a204303ee4deacf15df547ed1a4
SHA512

aaa1fec13230f369a70310bfa50c26173e4955070da02f259c6479537efb26b27bba4ef2a0ff28d0e0322ecbbe323187c80bf96a7497804fab8f9a7ef0be6b72
SSDEEP

24576:MJl++6A0PHb+DC/KhZZHuG67h9np42UhTwNIa0rkZmFfgIr3K8tmgTNDTql7vzyX:Mq+6A0qWQTwNKJgEbtp6l7vzj8z

Score

10^/10

asyncrat botnet rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

botnet

127.0.0.1:8848

213.32.110.214:8848

Mutex

Bw6q7EX6pdIsLygvQDa8AHHMuX7rT6dI

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023c78-4.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1412	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	InstallUtil.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 1412	3620	903947bf4167c5b0ee718bb5312f38f2d2fc3a204303ee4deacf15df547ed1a4N.exe	83
PID 3620 wrote to memory of 1412	3620	903947bf4167c5b0ee718bb5312f38f2d2fc3a204303ee4deacf15df547ed1a4N.exe	83
PID 3620 wrote to memory of 1252	3620	903947bf4167c5b0ee718bb5312f38f2d2fc3a204303ee4deacf15df547ed1a4N.exe	91
PID 3620 wrote to memory of 1252	3620	903947bf4167c5b0ee718bb5312f38f2d2fc3a204303ee4deacf15df547ed1a4N.exe	91

C:\Users\Admin\AppData\Local\Temp\903947bf4167c5b0ee718bb5312f38f2d2fc3a204303ee4deacf15df547ed1a4N.exe
"C:\Users\Admin\AppData\Local\Temp\903947bf4167c5b0ee718bb5312f38f2d2fc3a204303ee4deacf15df547ed1a4N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Roaming\InstallUtil.exe
  C:\Users\Admin\AppData\Roaming\InstallUtil.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\e13be51d68b2197d.bat
  2⤵
  PID:1252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e13be51d68b2197d.bat

Filesize
250B

MD5
1edbfee8e97d6b189c97ea28b5a1701b

SHA1
4e16eac8c233710386febdaf2652691a8e106675

SHA256
034f6001905cf5d40370ae5b08683559498a35fc90f0943df699d5d0d2bb8f97

SHA512
bacd01de9052a4765d04537e218f6c56f845bd03e161bc1ba2e700e03f1608e7ba6fe62b63378d38f533b47c03694a4c4fc0fc5eb54bcc4e59fdb2d8f67aa1ab

Download Submit
C:\Users\Admin\AppData\Roaming\InstallUtil.exe

Filesize
47KB

MD5
9e297d54593f6796c019ecc82a153deb

SHA1
390ce09cceed3c7d52cfbdbbf8adc5977d0b3efb

SHA256
ec9c835a31bff47554acfb4a4a7bce2b1101a93a2f312459a23227dd6885e062

SHA512
8718fb3f1fc741ca6c2310e473a157898468c88e3a4bdbba404bff05407a627965fdb4248106b5b2a8638f7258f220a4d9150fde94df679a726b18a4121f0fc1

Download Submit
memory/1412-7-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

Filesize
72KB

Download
memory/1412-6-0x00007FFB07753000-0x00007FFB07755000-memory.dmp

Filesize
8KB

Download
memory/1412-8-0x00007FFB07750000-0x00007FFB08211000-memory.dmp

Filesize
10.8MB

Download
memory/1412-11-0x00007FFB07750000-0x00007FFB08211000-memory.dmp

Filesize
10.8MB

Download
memory/1412-12-0x00007FFB07750000-0x00007FFB08211000-memory.dmp

Filesize
10.8MB

Download
memory/1412-13-0x00007FFB07750000-0x00007FFB08211000-memory.dmp

Filesize
10.8MB

Download