asyncrat | dde26455983823755879ad9bc5340a020cb8d87352f1174114286357c0f4f3e9

General

Target

Rechnung 57698020 nicht korrekt.pdf/Rechnung 57698020 nicht korrekt.pdf_____________________________.exe
Size

1.0MB
MD5

bb8693c961ba55d38f76a77494a37dd0
SHA1

e656b1f51305aeb01fc5ae141e8db999c7a15496
SHA256

fce0542aa373126205c1c38161dd9adefc05844e616b9bd0fa49d595e634c407
SHA512

00813fd03ead3448adb7c2e0f4fe543229188d09a98199cbdde0d630fb5983de94b75d4182ea0bc6bdfc247e5d13f56e2efdba1ae39ce58ebfd41ce6b7052d9c
SSDEEP

24576:+u6J33O0c+JY5UZ+XC0kGso6Fauk1Yi8fMM6WY:Qu0c++OCvkGs9Fa91Yii5Y

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

5.253.247.7:4114

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\incalculability.vbs	incalculability.exe

Executes dropped EXE 1 IoCs

pid	Process
4028	incalculability.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000300000001e64b-13.dat	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 4516	4028	incalculability.exe	90

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rechnung 57698020 nicht korrekt.pdf_____________________________.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	incalculability.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4028	incalculability.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4516	RegSvcs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3340	Rechnung 57698020 nicht korrekt.pdf_____________________________.exe
3340	Rechnung 57698020 nicht korrekt.pdf_____________________________.exe
4028	incalculability.exe
4028	incalculability.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
3340	Rechnung 57698020 nicht korrekt.pdf_____________________________.exe
3340	Rechnung 57698020 nicht korrekt.pdf_____________________________.exe
4028	incalculability.exe
4028	incalculability.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 4028	3340	Rechnung 57698020 nicht korrekt.pdf_____________________________.exe	89
PID 3340 wrote to memory of 4028	3340	Rechnung 57698020 nicht korrekt.pdf_____________________________.exe	89
PID 3340 wrote to memory of 4028	3340	Rechnung 57698020 nicht korrekt.pdf_____________________________.exe	89
PID 4028 wrote to memory of 4516	4028	incalculability.exe	90
PID 4028 wrote to memory of 4516	4028	incalculability.exe	90
PID 4028 wrote to memory of 4516	4028	incalculability.exe	90
PID 4028 wrote to memory of 4516	4028	incalculability.exe	90

C:\Users\Admin\AppData\Local\Temp\Rechnung 57698020 nicht korrekt.pdf\Rechnung 57698020 nicht korrekt.pdf_____________________________.exe
"C:\Users\Admin\AppData\Local\Temp\Rechnung 57698020 nicht korrekt.pdf\Rechnung 57698020 nicht korrekt.pdf_____________________________.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Users\Admin\AppData\Local\Idonna\incalculability.exe
  "C:\Users\Admin\AppData\Local\Temp\Rechnung 57698020 nicht korrekt.pdf\Rechnung 57698020 nicht korrekt.pdf_____________________________.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\Rechnung 57698020 nicht korrekt.pdf\Rechnung 57698020 nicht korrekt.pdf_____________________________.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Idonna\incalculability.exe

Filesize
1.0MB

MD5
bb8693c961ba55d38f76a77494a37dd0

SHA1
e656b1f51305aeb01fc5ae141e8db999c7a15496

SHA256
fce0542aa373126205c1c38161dd9adefc05844e616b9bd0fa49d595e634c407

SHA512
00813fd03ead3448adb7c2e0f4fe543229188d09a98199cbdde0d630fb5983de94b75d4182ea0bc6bdfc247e5d13f56e2efdba1ae39ce58ebfd41ce6b7052d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hurtling

Filesize
63KB

MD5
b959eb57f0d08151889bc052328afa4c

SHA1
8e5b9c3e3aee4ff2613a811fdb5e810532b3fb12

SHA256
8b3e0024e388fa04bf6ed06d4d4e8c990e6849d9ba9ddd1ae26efbe77c0b55db

SHA512
a6780a7aa945ea0e09bb1de39978a585711288f0611057d52be6e360a2917e4429be08e668fe7fc64430fb3980cf630e2fd66b1a5f04aa6783c597ce498036a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\recomplete

Filesize
29KB

MD5
a8d81d9e6fe6dc09c4aa663ae5a000d5

SHA1
f645dbb701ae63c5728642f5e0ec6534e3d47dee

SHA256
fee6dc1fade4be8273223de5ba6cae4ab2b5e282eb8d09f23fcd59b5d94cdd2b

SHA512
5a6eab1a0a7f280458fa8a79630505bff49853800895123d98d1676f723b8a7a4e0c0e93f79c4c3a78f1ca06c01177d2dba43b098d82d5919074cce654e0de11

Download Submit
memory/3340-10-0x00000000011D0000-0x00000000011D4000-memory.dmp

Filesize
16KB

Download
memory/4516-30-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4516-29-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/4516-28-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4516-31-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4516-34-0x0000000005CB0000-0x0000000005D4C000-memory.dmp

Filesize
624KB

Download
memory/4516-35-0x0000000006300000-0x00000000068A4000-memory.dmp

Filesize
5.6MB

Download
memory/4516-36-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4516-37-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/4516-38-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/4516-39-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing