asyncrat | 70cd7f8c5818b4bbec9b33b3518736bd0627d8e92570c015dd630a461d074262

General

Target

RFQ_ORDER484425083-NJQ.exe
Size

832KB
MD5

9e83077fd628fefd80f9abcdc025e648
SHA1

faaeb0ce7ee4e268b699ebd57d3af36c8c20cee4
SHA256

70cd7f8c5818b4bbec9b33b3518736bd0627d8e92570c015dd630a461d074262
SHA512

943fb244cc8e5fc96fc19e5734ce32803e7f2f1c006eb372336db2fc4b5ac112972f468c24605e004f6d04ed27f035253e7b43fb49ea449140dff87c63b79916

Score

10^/10

asyncrat venom clients evasion persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

VenomRAT 5.0.3

Botnet

Venom Clients

C2

194.5.98.120:4449

Mutex

Venom_RAT_Mutex_Venom_RAT

Attributes

anti_vm
false
bsod
false
delay
0
install
false
install_folder
%AppData%
pastebin_config
null

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3080-138-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral2/memory/3080-362-0x00000000052F0000-0x00000000052FE000-memory.dmp	asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RFQ_ORDER484425083-NJQ.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion RFQ_ORDER484425083-NJQ.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RFQ_ORDER484425083-NJQ.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

RFQ_ORDER484425083-NJQ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	RFQ_ORDER484425083-NJQ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	RFQ_ORDER484425083-NJQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\RFQ_ORDER484425083-NJQ.exe = "0"	RFQ_ORDER484425083-NJQ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQ_ORDER484425083-NJQ.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ROCKS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ_ORDER484425083-NJQ.exe\""	RFQ_ORDER484425083-NJQ.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RFQ_ORDER484425083-NJQ.exe

description pid process target process

PID 3900 set thread context of 3080 3900 RFQ_ORDER484425083-NJQ.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

description	pid	process	target process
PID 3900 set thread context of 3080	3900	RFQ_ORDER484425083-NJQ.exe	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

RFQ_ORDER484425083-NJQ.exepowershell.exeRegSvcs.exe

pid	process
3900	RFQ_ORDER484425083-NJQ.exe
3900	RFQ_ORDER484425083-NJQ.exe
3900	RFQ_ORDER484425083-NJQ.exe
3900	RFQ_ORDER484425083-NJQ.exe
1312	powershell.exe
1312	powershell.exe
1312	powershell.exe
3900	RFQ_ORDER484425083-NJQ.exe
3900	RFQ_ORDER484425083-NJQ.exe
3900	RFQ_ORDER484425083-NJQ.exe
3900	RFQ_ORDER484425083-NJQ.exe
3900	RFQ_ORDER484425083-NJQ.exe
3900	RFQ_ORDER484425083-NJQ.exe
3900	RFQ_ORDER484425083-NJQ.exe
3900	RFQ_ORDER484425083-NJQ.exe
3080	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ_ORDER484425083-NJQ.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3900	RFQ_ORDER484425083-NJQ.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	3080	RegSvcs.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegSvcs.exe

pid process

3080 RegSvcs.exe

pid	process
3080	RegSvcs.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

RFQ_ORDER484425083-NJQ.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3900 wrote to memory of 1312	3900	RFQ_ORDER484425083-NJQ.exe	powershell.exe
PID 3900 wrote to memory of 1312	3900	RFQ_ORDER484425083-NJQ.exe	powershell.exe
PID 3900 wrote to memory of 1312	3900	RFQ_ORDER484425083-NJQ.exe	powershell.exe
PID 3900 wrote to memory of 3364	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 3900 wrote to memory of 3364	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 3900 wrote to memory of 3364	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 3364 wrote to memory of 1788	3364	net.exe	net1.exe
PID 3364 wrote to memory of 1788	3364	net.exe	net1.exe
PID 3364 wrote to memory of 1788	3364	net.exe	net1.exe
PID 3900 wrote to memory of 3168	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 3900 wrote to memory of 3168	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 3900 wrote to memory of 3168	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 3168 wrote to memory of 4016	3168	net.exe	net1.exe
PID 3168 wrote to memory of 4016	3168	net.exe	net1.exe
PID 3168 wrote to memory of 4016	3168	net.exe	net1.exe
PID 3900 wrote to memory of 2440	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 3900 wrote to memory of 2440	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 3900 wrote to memory of 2440	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 2440 wrote to memory of 2800	2440	net.exe	net1.exe
PID 2440 wrote to memory of 2800	2440	net.exe	net1.exe
PID 2440 wrote to memory of 2800	2440	net.exe	net1.exe
PID 3900 wrote to memory of 4052	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 3900 wrote to memory of 4052	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 3900 wrote to memory of 4052	3900	RFQ_ORDER484425083-NJQ.exe	net.exe
PID 4052 wrote to memory of 400	4052	net.exe	net1.exe
PID 4052 wrote to memory of 400	4052	net.exe	net1.exe
PID 4052 wrote to memory of 400	4052	net.exe	net1.exe
PID 3900 wrote to memory of 1148	3900	RFQ_ORDER484425083-NJQ.exe	schtasks.exe
PID 3900 wrote to memory of 1148	3900	RFQ_ORDER484425083-NJQ.exe	schtasks.exe
PID 3900 wrote to memory of 1148	3900	RFQ_ORDER484425083-NJQ.exe	schtasks.exe
PID 3900 wrote to memory of 2172	3900	RFQ_ORDER484425083-NJQ.exe	aspnet_regsql.exe
PID 3900 wrote to memory of 2172	3900	RFQ_ORDER484425083-NJQ.exe	aspnet_regsql.exe
PID 3900 wrote to memory of 2172	3900	RFQ_ORDER484425083-NJQ.exe	aspnet_regsql.exe
PID 3900 wrote to memory of 3080	3900	RFQ_ORDER484425083-NJQ.exe	RegSvcs.exe
PID 3900 wrote to memory of 3080	3900	RFQ_ORDER484425083-NJQ.exe	RegSvcs.exe
PID 3900 wrote to memory of 3080	3900	RFQ_ORDER484425083-NJQ.exe	RegSvcs.exe
PID 3900 wrote to memory of 3080	3900	RFQ_ORDER484425083-NJQ.exe	RegSvcs.exe
PID 3900 wrote to memory of 3080	3900	RFQ_ORDER484425083-NJQ.exe	RegSvcs.exe
PID 3900 wrote to memory of 3080	3900	RFQ_ORDER484425083-NJQ.exe	RegSvcs.exe
PID 3900 wrote to memory of 3080	3900	RFQ_ORDER484425083-NJQ.exe	RegSvcs.exe
PID 3900 wrote to memory of 3080	3900	RFQ_ORDER484425083-NJQ.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\RFQ_ORDER484425083-NJQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_ORDER484425083-NJQ.exe"
1⤵
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ_ORDER484425083-NJQ.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add
2⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add
3⤵
PID:1788

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add
2⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add
3⤵
PID:4016

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup users "Admin" /add
2⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup users "Admin" /add
3⤵
PID:2800

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" localgroup administrators "Admin" /del
2⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup administrators "Admin" /del
3⤵
PID:400

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
2⤵
PID:1148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
2⤵
PID:2172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1312-153-0x00000000094A0000-0x0000000009545000-memory.dmp

Filesize
660KB

Download
memory/1312-149-0x000000007E820000-0x000000007E821000-memory.dmp

Filesize
4KB

Download
memory/1312-131-0x00000000071E0000-0x0000000007202000-memory.dmp

Filesize
136KB

Download
memory/1312-132-0x00000000078D0000-0x0000000007936000-memory.dmp

Filesize
408KB

Download
memory/1312-353-0x0000000006E20000-0x0000000006E28000-memory.dmp

Filesize
32KB

Download
memory/1312-348-0x0000000006E30000-0x0000000006E4A000-memory.dmp

Filesize
104KB

Download
memory/1312-133-0x0000000007AB0000-0x0000000007E00000-memory.dmp

Filesize
3.3MB

Download
memory/1312-163-0x00000000047D3000-0x00000000047D4000-memory.dmp

Filesize
4KB

Download
memory/1312-154-0x0000000009660000-0x00000000096F4000-memory.dmp

Filesize
592KB

Download
memory/1312-134-0x0000000007F80000-0x0000000007F9C000-memory.dmp

Filesize
112KB

Download
memory/1312-127-0x00000000047E0000-0x0000000004816000-memory.dmp

Filesize
216KB

Download
memory/1312-128-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/1312-129-0x00000000047D2000-0x00000000047D3000-memory.dmp

Filesize
4KB

Download
memory/1312-130-0x00000000072A0000-0x00000000078C8000-memory.dmp

Filesize
6.2MB

Download
memory/1312-147-0x0000000009120000-0x000000000913E000-memory.dmp

Filesize
120KB

Download
memory/1312-146-0x0000000009140000-0x0000000009173000-memory.dmp

Filesize
204KB

Download
memory/1312-135-0x00000000084D0000-0x000000000851B000-memory.dmp

Filesize
300KB

Download
memory/3080-362-0x00000000052F0000-0x00000000052FE000-memory.dmp

Filesize
56KB

Download
memory/3080-369-0x0000000006720000-0x000000000672A000-memory.dmp

Filesize
40KB

Download
memory/3080-138-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3080-141-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3080-368-0x00000000063F0000-0x00000000063F8000-memory.dmp

Filesize
32KB

Download
memory/3900-115-0x0000000000F50000-0x0000000001024000-memory.dmp

Filesize
848KB

Download
memory/3900-124-0x00000000075D0000-0x0000000007636000-memory.dmp

Filesize
408KB

Download
memory/3900-121-0x0000000005930000-0x0000000005E2E000-memory.dmp

Filesize
5.0MB

Download
memory/3900-123-0x0000000005BC0000-0x0000000005C12000-memory.dmp

Filesize
328KB

Download
memory/3900-122-0x0000000005B10000-0x0000000005BB6000-memory.dmp

Filesize
664KB

Download
memory/3900-120-0x0000000005980000-0x000000000599E000-memory.dmp

Filesize
120KB

Download
memory/3900-119-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download
memory/3900-118-0x0000000005E30000-0x000000000632E000-memory.dmp

Filesize
5.0MB

Download
memory/3900-116-0x0000000005810000-0x00000000058AC000-memory.dmp

Filesize
624KB

Download
memory/3900-117-0x00000000058B0000-0x0000000005926000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads