asyncrat | 22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13

General

Target

22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe
Size

8.9MB
MD5

aab5782551a7f2c6b4465d6c83387ecd
SHA1

e7fb82e31bb8afd96c0ed068bea37beb5bb880b9
SHA256

22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13
SHA512

1096339b094a2546181d71e877858a5260ceb77563956a58b3cb1abd0d4bb3784928daf276bc5ccecc08fc84d2e979e061aa5cc9246e686e80ff01d725d9ff52
SSDEEP

196608:uukuAqO5c26TcKS3wg7/h6VLAWsYEgscmMTtOI/o363RtuaYe9:uqAfc2KDS3F7/h+EBgscpTtOaoSRtul4

Score

10^/10

asyncrat system rat

Malware Config

Extracted

Family

asyncrat

Version

VenomRAT_HVNC 5.0.4

Botnet

System

C2

127.0.0.1:2322

127.0.0.1:13817

2.tcp.ngrok.io:2322

2.tcp.ngrok.io:13817

Mutex

tXTIPkhRL

Attributes

delay
0
install
true
install_file
System.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
C:\Program Files (x86)\VenomRAT_HVNC.exe	asyncrat
C:\Program Files (x86)\VenomRAT_HVNC.exe	asyncrat
C:\Program Files (x86)\Stub.exe	asyncrat
C:\Program Files (x86)\Stub.exe	asyncrat
behavioral2/memory/1340-138-0x0000000000B20000-0x0000000000B36000-memory.dmp	asyncrat
behavioral2/memory/1688-140-0x0000000000910000-0x00000000019A2000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

VenomRAT_HVNC.exeStub.exe

pid process

1688 VenomRAT_HVNC.exe
1340 Stub.exe

pid	process
1688	VenomRAT_HVNC.exe
1340	Stub.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe

Drops file in Program Files directory 2 IoCs

Processes:

22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe

description	ioc	process
File created	C:\Program Files (x86)\Stub.exe	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe
File created	C:\Program Files (x86)\VenomRAT_HVNC.exe	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2476 1340 WerFault.exe Stub.exe
1452 1688 WerFault.exe VenomRAT_HVNC.exe

pid	pid_target	process	target process
2476	1340	WerFault.exe	Stub.exe
1452	1688	WerFault.exe	VenomRAT_HVNC.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

Stub.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1340	Stub.exe
Token: SeSecurityPrivilege	1340	Stub.exe
Token: SeTakeOwnershipPrivilege	1340	Stub.exe
Token: SeLoadDriverPrivilege	1340	Stub.exe
Token: SeSystemProfilePrivilege	1340	Stub.exe
Token: SeSystemtimePrivilege	1340	Stub.exe
Token: SeProfSingleProcessPrivilege	1340	Stub.exe
Token: SeIncBasePriorityPrivilege	1340	Stub.exe
Token: SeCreatePagefilePrivilege	1340	Stub.exe
Token: SeBackupPrivilege	1340	Stub.exe
Token: SeRestorePrivilege	1340	Stub.exe
Token: SeShutdownPrivilege	1340	Stub.exe
Token: SeDebugPrivilege	1340	Stub.exe
Token: SeSystemEnvironmentPrivilege	1340	Stub.exe
Token: SeRemoteShutdownPrivilege	1340	Stub.exe
Token: SeUndockPrivilege	1340	Stub.exe
Token: SeManageVolumePrivilege	1340	Stub.exe
Token: 33	1340	Stub.exe
Token: 34	1340	Stub.exe
Token: 35	1340	Stub.exe
Token: 36	1340	Stub.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe

description	pid	process	target process
PID 756 wrote to memory of 1688	756	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	VenomRAT_HVNC.exe
PID 756 wrote to memory of 1688	756	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	VenomRAT_HVNC.exe
PID 756 wrote to memory of 1688	756	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	VenomRAT_HVNC.exe
PID 756 wrote to memory of 1340	756	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	Stub.exe
PID 756 wrote to memory of 1340	756	22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe	Stub.exe

C:\Users\Admin\AppData\Local\Temp\22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe
"C:\Users\Admin\AppData\Local\Temp\22c1b1887ed7fe6986fee6a7c4d926c4f6f598815f5bce51005de59e0c259b13.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:756

C:\Program Files (x86)\VenomRAT_HVNC.exe
"C:\Program Files (x86)\VenomRAT_HVNC.exe"
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1048
3⤵
- Program crash
PID:1452

C:\Program Files (x86)\Stub.exe
"C:\Program Files (x86)\Stub.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1340 -s 1104
3⤵
- Program crash
PID:2476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 1340 -ip 1340
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1688 -ip 1688
1⤵
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Stub.exe
Filesize
65KB

MD5
0b65b0c126e716d5b38413d6825abdfd

SHA1
4a7e46abbbb6dbb2b638d860abc98957946b015a

SHA256
509c10f75c2428c5c0a2bb50b64fb88026446d587feb24665204c37f83064e66

SHA512
4e31c7d51fb397c8261ef79e467f4ec1c2176485118951e0c5ebc8ecd42bbc9662ca33d7c7c0d478fa7ca514070b71817ae2fae077579855c5e3fa45979c6be4

Download Submit
C:\Program Files (x86)\Stub.exe
Filesize
65KB

MD5
0b65b0c126e716d5b38413d6825abdfd

SHA1
4a7e46abbbb6dbb2b638d860abc98957946b015a

SHA256
509c10f75c2428c5c0a2bb50b64fb88026446d587feb24665204c37f83064e66

SHA512
4e31c7d51fb397c8261ef79e467f4ec1c2176485118951e0c5ebc8ecd42bbc9662ca33d7c7c0d478fa7ca514070b71817ae2fae077579855c5e3fa45979c6be4

Download Submit
C:\Program Files (x86)\VenomRAT_HVNC.exe
Filesize
16.5MB

MD5
c90bb028354000acc74485f2db4ab492

SHA1
28e6ce32a075669b3e382eaeb4871f7c3fc3bbef

SHA256
54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d

SHA512
9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406

Download Submit
C:\Program Files (x86)\VenomRAT_HVNC.exe
Filesize
16.5MB

MD5
c90bb028354000acc74485f2db4ab492

SHA1
28e6ce32a075669b3e382eaeb4871f7c3fc3bbef

SHA256
54df65f59a153e58faafc63addf325b7c492f000b8cda7e3cf527f5c0080325d

SHA512
9400521f9dd1fd76a914006133cd9b9dc5c8783407ff6b99fbb5a74c1a81e45818772ef4e1cabc9c67232bf60d977b48c2fadcb9401ae05e7c8e23fcf9ba7406

Download Submit
memory/1340-138-0x0000000000B20000-0x0000000000B36000-memory.dmp

Filesize
88KB

Download
memory/1340-135-0x0000000000000000-mapping.dmp

Download
memory/1340-139-0x00007FFA02370000-0x00007FFA02E31000-memory.dmp

Filesize
10.8MB

Download
memory/1340-144-0x00007FFA02370000-0x00007FFA02E31000-memory.dmp

Filesize
10.8MB

Download
memory/1688-132-0x0000000000000000-mapping.dmp

Download
memory/1688-140-0x0000000000910000-0x00000000019A2000-memory.dmp

Filesize
16.6MB

Download
memory/1688-141-0x0000000006870000-0x0000000006E14000-memory.dmp

Filesize
5.6MB

Download
memory/1688-142-0x00000000062C0000-0x0000000006352000-memory.dmp

Filesize
584KB

Download
memory/1688-143-0x0000000006210000-0x000000000621A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads