asyncrat | 370d953f40c47ff2b764c5c60372e80e14cf972361425205a4caa47b02d6bca4

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

370d953f40c47ff2b764c5c60372e80e14cf972361425205a4caa47b02d6bca4N.exe
Size

481KB
MD5

aa1a6e03fa0867632db3cf96b97358f0
SHA1

fe90a165a0fc03272a512d2afb0190519e65fa7c
SHA256

370d953f40c47ff2b764c5c60372e80e14cf972361425205a4caa47b02d6bca4
SHA512

6232c7e656023cc5b6e0965b975d5ee65dafd437435147d9cdb975108d00bc506c5c5cc7a403432fdef71697659a4102fe3c60e71c4d3f535f34808c30319e31
SSDEEP

6144:4ygCJK8O9BPkCGvkQENothciEohCzkNiPXF5QD01QZGjPmXIUFx6vf0vQUr6aice:PbThCsoj+h8kNe15y01ioOLafyQAN2

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

0.0.1

Botnet

Default

45.144.139.127:8000

Mutex

sdkkhfsdhoihwwhfkjshdf12qw

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	370d953f40c47ff2b764c5c60372e80e14cf972361425205a4caa47b02d6bca4N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 5064	2588	370d953f40c47ff2b764c5c60372e80e14cf972361425205a4caa47b02d6bca4N.exe	82
PID 2588 wrote to memory of 5064	2588	370d953f40c47ff2b764c5c60372e80e14cf972361425205a4caa47b02d6bca4N.exe	82
PID 5064 wrote to memory of 4272	5064	cmd.exe	84
PID 5064 wrote to memory of 4272	5064	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\370d953f40c47ff2b764c5c60372e80e14cf972361425205a4caa47b02d6bca4N.exe
"C:\Users\Admin\AppData\Local\Temp\370d953f40c47ff2b764c5c60372e80e14cf972361425205a4caa47b02d6bca4N.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\system32\cmd.exe
  "cmd" /c "curl -s https://myip.ipip.net/"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Windows\system32\curl.exe
    curl -s https://myip.ipip.net/
    3⤵
    PID:4272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2588-1-0x00007FF9DB583000-0x00007FF9DB585000-memory.dmp

Filesize
8KB

Download
memory/2588-2-0x0000024086150000-0x0000024086164000-memory.dmp

Filesize
80KB

Download
memory/2588-3-0x00007FF9DB580000-0x00007FF9DC041000-memory.dmp

Filesize
10.8MB

Download
memory/2588-4-0x00007FF9DB583000-0x00007FF9DB585000-memory.dmp

Filesize
8KB

Download
memory/2588-5-0x00007FF9DB580000-0x00007FF9DC041000-memory.dmp

Filesize
10.8MB

Download