asyncrat | bd948aeb2b607b34e8d32f22b9e5aee402057adebae4a2e0c70bd666e688f1f8

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

asyncrat stealc default qqtalk discovery rat stealer

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:18274

6.tcp.eu.ngrok.io:6606

6.tcp.eu.ngrok.io:7707

6.tcp.eu.ngrok.io:8808

6.tcp.eu.ngrok.io:8080

6.tcp.eu.ngrok.io:18274

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

stealc

Botnet

QQtalk

C2

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0004000000004ed7-124.dat	family_asyncrat

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2700	drop1.exe
396	aaa%20(3).exe
1484	kisloyat.exe

Loads dropped DLL 5 IoCs

pid	Process
772	4363463463464363463463463.exe
772	4363463463464363463463463.exe
772	4363463463464363463463463.exe
772	4363463463464363463463463.exe
772	4363463463464363463463463.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com
19	6.tcp.eu.ngrok.io
30	6.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaa%20(3).exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	772	4363463463464363463463463.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 772 wrote to memory of 2700	772	4363463463464363463463463.exe	32
PID 772 wrote to memory of 2700	772	4363463463464363463463463.exe	32
PID 772 wrote to memory of 2700	772	4363463463464363463463463.exe	32
PID 772 wrote to memory of 2700	772	4363463463464363463463463.exe	32
PID 772 wrote to memory of 396	772	4363463463464363463463463.exe	34
PID 772 wrote to memory of 396	772	4363463463464363463463463.exe	34
PID 772 wrote to memory of 396	772	4363463463464363463463463.exe	34
PID 772 wrote to memory of 396	772	4363463463464363463463463.exe	34
PID 772 wrote to memory of 1484	772	4363463463464363463463463.exe	35
PID 772 wrote to memory of 1484	772	4363463463464363463463463.exe	35
PID 772 wrote to memory of 1484	772	4363463463464363463463463.exe	35
PID 772 wrote to memory of 1484	772	4363463463464363463463463.exe	35

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772
- C:\Users\Admin\AppData\Local\Temp\Files\drop1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\drop1.exe"
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe
  "C:\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:396
- C:\Users\Admin\AppData\Local\Temp\Files\kisloyat.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kisloyat.exe"
  2⤵
  - Executes dropped EXE
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabE4B6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE4D8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\Files\aaa%20(3).exe

Filesize
45KB

MD5
8123d15bb6100a19ac103b4ec3d592bf

SHA1
713d2344beb28d34864768e7b2c0463044bdc014

SHA256
68e92585378abdd8a5e6ba42c20a66558ebbcc964c08ba3ce56d020568ebf16d

SHA512
ca048fc1aa53af7b517c2b894e038ed7e413690f2a9e9838c0a5624f9530b20ec8ca22c8d99b8b7ed1e049753970880ee047de984557e2e6c28a55ba2c974351

Download Submit
\Users\Admin\AppData\Local\Temp\Files\drop1.exe

Filesize
1.2MB

MD5
c401a019b5a9e44646577f8922e1014e

SHA1
3406d945b0283bb6337a7490198b00cd1df278a2

SHA256
31ebf7219722b8c908a914b2b08c5d03140af8b0cef6c96152e458dc82301c0a

SHA512
f1306e3e015f005af3675f53ff17015b4cdc4484d13690a04842fa8ab9e7037c68e2e53c90176d7fff36c8a2faf50864d09fb89609466d5d89d7f11783f9250f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\kisloyat.exe

Filesize
239KB

MD5
aa002f082380ecd12dedf0c0190081e1

SHA1
a2e34bc5223abec43d9c8cff74643de5b15a4d5c

SHA256
f5626994c08eff435ab529331b58a140cd0eb780acd4ffe175e7edd70a0bf63c

SHA512
7062de1f87b9a70ed4b57b7f0fa1d0be80f20248b59ef5dec97badc006c7f41bcd5f42ca45d2eac31f62f192773ed2ca3bdb8d17ccedea91c6f2d7d45f887692

Download Submit
memory/396-129-0x0000000000B70000-0x0000000000B82000-memory.dmp

Filesize
72KB

Download
memory/396-179-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/396-130-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/772-66-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/772-2-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/772-67-0x00000000744D0000-0x0000000074BBE000-memory.dmp

Filesize
6.9MB

Download
memory/772-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/772-176-0x0000000006730000-0x0000000006980000-memory.dmp

Filesize
2.3MB

Download
memory/772-175-0x0000000006730000-0x0000000006980000-memory.dmp

Filesize
2.3MB

Download
memory/772-1-0x0000000000100000-0x0000000000108000-memory.dmp

Filesize
32KB

Download
memory/772-181-0x0000000006730000-0x0000000006980000-memory.dmp

Filesize
2.3MB

Download
memory/772-182-0x0000000006730000-0x0000000006980000-memory.dmp

Filesize
2.3MB

Download
memory/1484-178-0x0000000000EA0000-0x00000000010F0000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads