asyncrat | 7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812

General

Target

7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe
Size

5.5MB
MD5

709d2065bfe98aa917e6a5fedd15074c
SHA1

3158f97acb91272f5d441e83ce4a297a2a82d06a
SHA256

7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812
SHA512

86b41341361231600160593cd64dd146365178d16d579d2d25bd4a3b1e46f6a4dff2abb4a2f6b173bf1374c5fdac0586b68a61d17f89c31a24ee0d8dbfbb4a63
SSDEEP

98304:ztbJemtb8kZFqgNxAzN+zyN126fNQT9LhT/tjuAT8qC4ohjPAKoPqU9kYg:pJemtbtpN2fNcxLhztj3T8VlAKkOf

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

LoaderPanel

Botnet

Default

C2

77.223.119.85:1414

Mutex

sypjebdnczk

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1424 set thread context of 2308	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	91

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 944	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	88
PID 1424 wrote to memory of 944	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	88
PID 1424 wrote to memory of 944	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	88
PID 944 wrote to memory of 392	944	csc.exe	90
PID 944 wrote to memory of 392	944	csc.exe	90
PID 944 wrote to memory of 392	944	csc.exe	90
PID 1424 wrote to memory of 2308	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	91
PID 1424 wrote to memory of 2308	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	91
PID 1424 wrote to memory of 2308	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	91
PID 1424 wrote to memory of 2308	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	91
PID 1424 wrote to memory of 2308	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	91
PID 1424 wrote to memory of 2308	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	91
PID 1424 wrote to memory of 2308	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	91
PID 1424 wrote to memory of 2308	1424	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	91

C:\Users\Admin\AppData\Local\Temp\7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe
"C:\Users\Admin\AppData\Local\Temp\7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\11fs2qdo\11fs2qdo.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EA6.tmp" "c:\Users\Admin\AppData\Local\Temp\11fs2qdo\CSC67D20460DDCE4970A090595F22519DA5.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:392
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2308

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11fs2qdo\11fs2qdo.dll

Filesize
8KB

MD5
91829864b12dd33a4e844274d6162077

SHA1
94c78fca4515bd39744829ab0586856a51b08ff1

SHA256
a8fc0e70ef23af0306e404eff483258b309fe70b2e73d6021c3ba3714260ea2d

SHA512
573c3a23e79a5ad5a57538d6718930094e6ca1cdbf187df09acb7d3649e251f9e1b21ae61d08dbfe8ea13039d5409a24e3b210fbeec66bb7d0dfa0f860fa3072

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7EA6.tmp

Filesize
1KB

MD5
db4f774f44d4cce5be2db49cbc4e0101

SHA1
b755531dccb8dd6be02eb6b401430c97209a8242

SHA256
bdee27796cd5afda7ca1a09d555263ae42c7a677f4b08240e9e7b08c156b37bd

SHA512
db21e065a80952b9b137e1d8106a422157a2e8c4a4bb813f26847a8fe4309c45c96309f0d5b80af5301d2dde4e418c0e9bba74ae5081fb1797bd725617fe4b61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\11fs2qdo\11fs2qdo.0.cs

Filesize
8KB

MD5
58b10ef6ba0da88788f1aac56ce7e2db

SHA1
48221936b98aac14ead7c4589513d074365414ec

SHA256
ae11144f426028e50e77d64a66aeb954e169f627f8abfe403791032594834520

SHA512
19c28b5af8e4243350ee13c423fd066cef969a5c86de5f7b2ac4e4fbf75fda17e82a6a91fbd6034786b9beee77e2eb4b1cecd1cf0b901e2874b88da3e338845e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\11fs2qdo\11fs2qdo.cmdline

Filesize
204B

MD5
19f481c9d873acc9f4cf3ed89081b3f9

SHA1
6e7edb2f0d67633e96d6aed8a5dd731ed82ce95c

SHA256
45ddbcd98a4fdfc893d320c84301c4ced71eddcdf4983240f5650410648f9fad

SHA512
8b5edbed17697980b45f06e0b1774dcaa395f6edc82bbabf4fddf8be4f95dba7928339bca40564b7e9b7d9afa2180a74341ee82bb66344278366a28446d8d11b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\11fs2qdo\CSC67D20460DDCE4970A090595F22519DA5.TMP

Filesize
652B

MD5
b38b66337a7596fd25cccb782bf0fe4e

SHA1
0bb38e81b551ee1a399c51aae835d4b3a34441de

SHA256
44011cb000a32c851a2ff2cd0a8c33583450b7a0ba4fde00c440e3584bd355e2

SHA512
881d4645151bbebb0df4a28995227a7ef5bb4e66be94c49a856f45f2f1f3923264f92a0fe37df7a44895fbce1a77e6163f6b9cbd512323259b0b8da5d553c418

Download Submit
memory/1424-24-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1424-3-0x0000000007FB0000-0x0000000008042000-memory.dmp

Filesize
584KB

Download
memory/1424-2-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1424-1-0x0000000000A70000-0x0000000000FEE000-memory.dmp

Filesize
5.5MB

Download
memory/1424-16-0x0000000005400000-0x0000000005408000-memory.dmp

Filesize
32KB

Download
memory/1424-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/2308-18-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2308-20-0x0000000002F90000-0x0000000002F9A000-memory.dmp

Filesize
40KB

Download
memory/2308-22-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2308-23-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2308-21-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/2308-25-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing