asyncrat | 7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812

General

Target

7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe
Size

5.5MB
MD5

709d2065bfe98aa917e6a5fedd15074c
SHA1

3158f97acb91272f5d441e83ce4a297a2a82d06a
SHA256

7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812
SHA512

86b41341361231600160593cd64dd146365178d16d579d2d25bd4a3b1e46f6a4dff2abb4a2f6b173bf1374c5fdac0586b68a61d17f89c31a24ee0d8dbfbb4a63
SSDEEP

98304:ztbJemtb8kZFqgNxAzN+zyN126fNQT9LhT/tjuAT8qC4ohjPAKoPqU9kYg:pJemtbtpN2fNcxLhztj3T8VlAKkOf

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

LoaderPanel

Botnet

Default

C2

77.223.119.85:1414

Mutex

sypjebdnczk

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3792 set thread context of 5028	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	87

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 4888	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	84
PID 3792 wrote to memory of 4888	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	84
PID 3792 wrote to memory of 4888	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	84
PID 4888 wrote to memory of 5052	4888	csc.exe	86
PID 4888 wrote to memory of 5052	4888	csc.exe	86
PID 4888 wrote to memory of 5052	4888	csc.exe	86
PID 3792 wrote to memory of 5028	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	87
PID 3792 wrote to memory of 5028	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	87
PID 3792 wrote to memory of 5028	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	87
PID 3792 wrote to memory of 5028	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	87
PID 3792 wrote to memory of 5028	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	87
PID 3792 wrote to memory of 5028	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	87
PID 3792 wrote to memory of 5028	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	87
PID 3792 wrote to memory of 5028	3792	7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe	87

C:\Users\Admin\AppData\Local\Temp\7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe
"C:\Users\Admin\AppData\Local\Temp\7edcc97fec5079a8347d739c83644f66a3e282986088d699efe7e94444f86812.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lajtaqya\lajtaqya.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES687E.tmp" "c:\Users\Admin\AppData\Local\Temp\lajtaqya\CSC2FA58524F4034D2BAEADCDD5A39968F7.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5028

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES687E.tmp

Filesize
1KB

MD5
f6c89f8627fc176fafd137ae96cb7637

SHA1
641fe892ab696a30784708ae6348e33b99a98a8a

SHA256
3da9bf5cdd4a1cb37e896df3fe6cebdfa3d0d041d5e3a2424fc96550eca729d7

SHA512
cdc0bca37785f586a86757b1b4daea00f5886a1f35bc305c5e06093a98e5d0d21aad7a70d02a3fe4aae56fa238456af67e7105c0a48165813b264c32db610c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lajtaqya\lajtaqya.dll

Filesize
8KB

MD5
af30ebe73d4c873dcb18557e8574a1d7

SHA1
27856ad2b4a9d56294fb193aeaffe94f30c4e1b9

SHA256
3e1387b8160ad65edad907bdd0feb67b35afe9f249daf88f4baddbf55712da75

SHA512
4e443c10cf54ff4bcfd6b89c5d352cce451dd03b5b9d025bc6909e3acdded13076a3760a23ef8bf32e1cef56df0dcfd94c5d7898b5fbc09d67fee70700d1c378

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lajtaqya\CSC2FA58524F4034D2BAEADCDD5A39968F7.TMP

Filesize
652B

MD5
009c20f4d31e74d546b232e486523063

SHA1
885efa5cc7646e637ab1673bc6b1d50853459731

SHA256
8769076777871dc4b6f3ee8a53c1fb06fee79cb2d0bff0a235ff8adbf1ef567c

SHA512
ac06f7ee7b3a060d0fc7083db75b44975232fd82eaf9b864fd78c539190538a93b9641fe924f06f1c97d6d54e68a46bf0cc695253899bc4eb7b8573345f91fef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lajtaqya\lajtaqya.0.cs

Filesize
8KB

MD5
58b10ef6ba0da88788f1aac56ce7e2db

SHA1
48221936b98aac14ead7c4589513d074365414ec

SHA256
ae11144f426028e50e77d64a66aeb954e169f627f8abfe403791032594834520

SHA512
19c28b5af8e4243350ee13c423fd066cef969a5c86de5f7b2ac4e4fbf75fda17e82a6a91fbd6034786b9beee77e2eb4b1cecd1cf0b901e2874b88da3e338845e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lajtaqya\lajtaqya.cmdline

Filesize
204B

MD5
d1787a3d296453cba5622939d23a3fa8

SHA1
fb0a37f8d7910e58d3193791984c2a518db31ccc

SHA256
09e12a0b99126bd8b32f5312c440ba3385b2afca51271e2afd981ad649371fbe

SHA512
cc882d129be3ac6ef479b7b8e4fedc5c5afdafd2a515f39d74c4d9e6d6a6c05a157ed389283bcf17ac7360664d0e3a6f4de511df430b8cf3d3ab71d59c7b3f1d

Download Submit
memory/3792-0-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/3792-2-0x0000000008460000-0x00000000084F2000-memory.dmp

Filesize
584KB

Download
memory/3792-3-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/3792-1-0x0000000000FA0000-0x000000000151E000-memory.dmp

Filesize
5.5MB

Download
memory/3792-16-0x0000000005880000-0x0000000005888000-memory.dmp

Filesize
32KB

Download
memory/3792-22-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/5028-18-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/5028-21-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/5028-20-0x0000000001680000-0x000000000168A000-memory.dmp

Filesize
40KB

Download
memory/5028-23-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/5028-24-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download
memory/5028-25-0x0000000074680000-0x0000000074E31000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing