asyncrat | 22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-09-2022 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe
Size

8.9MB
MD5

aab5782551a7f2c6b4465d6c83387ecd
SHA1

e7fb82e31bb8afd96c0ed068bea37beb5bb880b9
SHA256

22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13
SHA512

1096339b094a2546181d71e877858a5260ceb77563956a58b3cb1abd0d4bb3784928daf276bc5ccecc08fc84d2e979e061aa5cc9246e686e80ff01d725d9ff52
SSDEEP

196608:uukuAqO5c26TcKS3wg7/h6VLAWsYEgscmMTtOI/o363RtuaYe9:uqAfc2KDS3F7/h+EBgscpTtOaoSRtul4

Score

10^/10

asyncrat system rat

Malware Config

Extracted

Family

asyncrat

Version

VenomRAT_HVNC 5.0.4

Botnet

System

127.0.0.1:2322

127.0.0.1:13817

2.tcp.ngrok.io:2322

2.tcp.ngrok.io:13817

Mutex

tXTIPkhRL

Attributes

delay
0
install
true
install_file
System.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 13 IoCs

rat

Processes:

resource	yara_rule
\Program Files (x86)\VenomRAT_HVNC.exe	asyncrat
C:\Program Files (x86)\VenomRAT_HVNC.exe	asyncrat
\Program Files (x86)\Stub.exe	asyncrat
C:\Program Files (x86)\Stub.exe	asyncrat
C:\Program Files (x86)\VenomRAT_HVNC.exe	asyncrat
C:\Program Files (x86)\Stub.exe	asyncrat
behavioral1/memory/1524-63-0x00000000003A0000-0x00000000003B6000-memory.dmp	asyncrat
behavioral1/memory/956-64-0x00000000010E0000-0x0000000002172000-memory.dmp	asyncrat
\Program Files (x86)\VenomRAT_HVNC.exe	asyncrat
\Program Files (x86)\VenomRAT_HVNC.exe	asyncrat
\Program Files (x86)\VenomRAT_HVNC.exe	asyncrat
\Program Files (x86)\VenomRAT_HVNC.exe	asyncrat
\Program Files (x86)\VenomRAT_HVNC.exe	asyncrat

Executes dropped EXE 2 IoCs

Processes:

VenomRAT_HVNC.exeStub.exe

pid process

956 VenomRAT_HVNC.exe
1524 Stub.exe

pid	process
956	VenomRAT_HVNC.exe
1524	Stub.exe

Loads dropped DLL 7 IoCs

Processes:

22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exeWerFault.exe

pid	process
1388	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe
1388	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe
1204	WerFault.exe

Drops file in Program Files directory 2 IoCs

Processes:

22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe

description	ioc	process
File created	C:\Program Files (x86)\Stub.exe	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe
File created	C:\Program Files (x86)\VenomRAT_HVNC.exe	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1204 956 WerFault.exe VenomRAT_HVNC.exe

pid	pid_target	process	target process
1204	956	WerFault.exe	VenomRAT_HVNC.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

Stub.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1524	Stub.exe
Token: SeSecurityPrivilege	1524	Stub.exe
Token: SeTakeOwnershipPrivilege	1524	Stub.exe
Token: SeLoadDriverPrivilege	1524	Stub.exe
Token: SeSystemProfilePrivilege	1524	Stub.exe
Token: SeSystemtimePrivilege	1524	Stub.exe
Token: SeProfSingleProcessPrivilege	1524	Stub.exe
Token: SeIncBasePriorityPrivilege	1524	Stub.exe
Token: SeCreatePagefilePrivilege	1524	Stub.exe
Token: SeBackupPrivilege	1524	Stub.exe
Token: SeRestorePrivilege	1524	Stub.exe
Token: SeShutdownPrivilege	1524	Stub.exe
Token: SeDebugPrivilege	1524	Stub.exe
Token: SeSystemEnvironmentPrivilege	1524	Stub.exe
Token: SeRemoteShutdownPrivilege	1524	Stub.exe
Token: SeUndockPrivilege	1524	Stub.exe
Token: SeManageVolumePrivilege	1524	Stub.exe
Token: 33	1524	Stub.exe
Token: 34	1524	Stub.exe
Token: 35	1524	Stub.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exeVenomRAT_HVNC.exe

description	pid	process	target process
PID 1388 wrote to memory of 956	1388	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	VenomRAT_HVNC.exe
PID 1388 wrote to memory of 956	1388	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	VenomRAT_HVNC.exe
PID 1388 wrote to memory of 956	1388	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	VenomRAT_HVNC.exe
PID 1388 wrote to memory of 956	1388	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	VenomRAT_HVNC.exe
PID 1388 wrote to memory of 1524	1388	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	Stub.exe
PID 1388 wrote to memory of 1524	1388	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	Stub.exe
PID 1388 wrote to memory of 1524	1388	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	Stub.exe
PID 1388 wrote to memory of 1524	1388	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	Stub.exe
PID 956 wrote to memory of 1204	956	VenomRAT_HVNC.exe	WerFault.exe
PID 956 wrote to memory of 1204	956	VenomRAT_HVNC.exe	WerFault.exe
PID 956 wrote to memory of 1204	956	VenomRAT_HVNC.exe	WerFault.exe
PID 956 wrote to memory of 1204	956	VenomRAT_HVNC.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe
"C:\Users\Admin\AppData\Local\Temp\22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1388

C:\Program Files (x86)\VenomRAT_HVNC.exe
"C:\Program Files (x86)\VenomRAT_HVNC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 632
3⤵
- Loads dropped DLL
- Program crash
PID:1204

C:\Program Files (x86)\Stub.exe
"C:\Program Files (x86)\Stub.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Stub.exe
Filesize
65KB

MD5
0b65b0c126e716d5b38413d6825abdfd

SHA1
4a7e46abbbb6dbb2b638d860abc98957946b015a

SHA256
509c10f75c2428c5c0a2bb50b64fb88026446d587feb24665204c37f83064e66

SHA512
4e31c7d51fb397c8261ef79e467f4ec1c2176485118951e0c5ebc8ecd42bbc9662ca33d7c7c0d478fa7ca514070b71817ae2fae077579855c5e3fa45979c6be4

Download Submit
C:\Program Files (x86)\Stub.exe
Filesize
65KB

MD5
0b65b0c126e716d5b38413d6825abdfd

SHA1
4a7e46abbbb6dbb2b638d860abc98957946b015a

SHA256
509c10f75c2428c5c0a2bb50b64fb88026446d587feb24665204c37f83064e66

SHA512
4e31c7d51fb397c8261ef79e467f4ec1c2176485118951e0c5ebc8ecd42bbc9662ca33d7c7c0d478fa7ca514070b71817ae2fae077579855c5e3fa45979c6be4

Download Submit
C:\Program Files (x86)\VenomRAT_HVNC.exe
Filesize
16.5MB

MD5
c90bb028354000acc74485f2db4ab492

SHA1
28e6ce32a075669b3e382eaeb4871f7c3fc3bbef

SHA256
54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d

SHA512
9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406

Download Submit
C:\Program Files (x86)\VenomRAT_HVNC.exe
Filesize
16.5MB

MD5
c90bb028354000acc74485f2db4ab492

SHA1
28e6ce32a075669b3e382eaeb4871f7c3fc3bbef

SHA256
54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d

SHA512
9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406

Download Submit
\Program Files (x86)\Stub.exe
Filesize
65KB

MD5
0b65b0c126e716d5b38413d6825abdfd

SHA1
4a7e46abbbb6dbb2b638d860abc98957946b015a

SHA256
509c10f75c2428c5c0a2bb50b64fb88026446d587feb24665204c37f83064e66

SHA512
4e31c7d51fb397c8261ef79e467f4ec1c2176485118951e0c5ebc8ecd42bbc9662ca33d7c7c0d478fa7ca514070b71817ae2fae077579855c5e3fa45979c6be4

Download Submit
\Program Files (x86)\VenomRAT_HVNC.exe
Filesize
16.5MB

MD5
c90bb028354000acc74485f2db4ab492

SHA1
28e6ce32a075669b3e382eaeb4871f7c3fc3bbef

SHA256
54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d

SHA512
9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406

Download Submit
\Program Files (x86)\VenomRAT_HVNC.exe
Filesize
16.5MB

MD5
c90bb028354000acc74485f2db4ab492

SHA1
28e6ce32a075669b3e382eaeb4871f7c3fc3bbef

SHA256
54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d

SHA512
9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406

Download Submit
\Program Files (x86)\VenomRAT_HVNC.exe
Filesize
16.5MB

MD5
c90bb028354000acc74485f2db4ab492

SHA1
28e6ce32a075669b3e382eaeb4871f7c3fc3bbef

SHA256
54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d

SHA512
9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406

Download Submit
\Program Files (x86)\VenomRAT_HVNC.exe
Filesize
16.5MB

MD5
c90bb028354000acc74485f2db4ab492

SHA1
28e6ce32a075669b3e382eaeb4871f7c3fc3bbef

SHA256
54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d

SHA512
9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406

Download Submit
\Program Files (x86)\VenomRAT_HVNC.exe
Filesize
16.5MB

MD5
c90bb028354000acc74485f2db4ab492

SHA1
28e6ce32a075669b3e382eaeb4871f7c3fc3bbef

SHA256
54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d

SHA512
9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406

Download Submit
\Program Files (x86)\VenomRAT_HVNC.exe
Filesize
16.5MB

MD5
c90bb028354000acc74485f2db4ab492

SHA1
28e6ce32a075669b3e382eaeb4871f7c3fc3bbef

SHA256
54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d

SHA512
9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406

Download Submit
memory/956-56-0x0000000000000000-mapping.dmp

Download
memory/956-64-0x00000000010E0000-0x0000000002172000-memory.dmp

Filesize
16.6MB

Download
memory/1204-66-0x0000000000000000-mapping.dmp

Download
memory/1388-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/1524-59-0x0000000000000000-mapping.dmp

Download
memory/1524-63-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads