asyncrat | 05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6

General

Target

copy.exe
Size

300.0MB
MD5

3bfc4f5d058aac39f3cd1cc7771fb376
SHA1

4f400860ad6e90f17b6abe3f925de5fe47dac4ba
SHA256

05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6
SHA512

263be832f00990f423febb1be6f7871841c695c876f051a6f0906dfa9cb577f00b5a6a610fdf36a8c5d3323d2e8b5e171d78fe2e42b4bf6114d6c76476fa236e
SSDEEP

6144:duoCmQdnCJGib1C5mb67X3UIAPaQxgm5LqGZAoyT24sc+n9fiibGd2HzZ:duL8JGib05b7XE2Q4+4Y

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

venom12345.duckdns.org:4449

venomunverified.duckdns.org:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 8 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/940-59-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/940-60-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/940-61-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/940-62-0x0000000000410A1E-mapping.dmp	asyncrat
behavioral1/memory/940-64-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/940-66-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1484-83-0x0000000000410A1E-mapping.dmp	asyncrat
behavioral1/memory/892-103-0x0000000000410A1E-mapping.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

msdtc.exemsdtc.exe

pid process

608 msdtc.exe
1020 msdtc.exe

pid	process
608	msdtc.exe
1020	msdtc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

copy.exemsdtc.exemsdtc.exe

description	pid	process	target process
PID 1460 set thread context of 940	1460	copy.exe	RegAsm.exe
PID 608 set thread context of 1484	608	msdtc.exe	RegAsm.exe
PID 1020 set thread context of 892	1020	msdtc.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1064 schtasks.exe
1984 schtasks.exe
1916 schtasks.exe

pid	process
1064	schtasks.exe
1984	schtasks.exe
1916	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

copy.exeRegAsm.exemsdtc.exeRegAsm.exemsdtc.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1460	copy.exe
Token: SeDebugPrivilege	940	RegAsm.exe
Token: SeDebugPrivilege	608	msdtc.exe
Token: SeDebugPrivilege	1484	RegAsm.exe
Token: SeDebugPrivilege	1020	msdtc.exe
Token: SeDebugPrivilege	892	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

copy.execmd.exetaskeng.exemsdtc.execmd.exe

description	pid	process	target process
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 940	1460	copy.exe	RegAsm.exe
PID 1460 wrote to memory of 2032	1460	copy.exe	cmd.exe
PID 1460 wrote to memory of 2032	1460	copy.exe	cmd.exe
PID 1460 wrote to memory of 2032	1460	copy.exe	cmd.exe
PID 1460 wrote to memory of 2032	1460	copy.exe	cmd.exe
PID 1460 wrote to memory of 1888	1460	copy.exe	cmd.exe
PID 1460 wrote to memory of 1888	1460	copy.exe	cmd.exe
PID 1460 wrote to memory of 1888	1460	copy.exe	cmd.exe
PID 1460 wrote to memory of 1888	1460	copy.exe	cmd.exe
PID 1460 wrote to memory of 892	1460	copy.exe	cmd.exe
PID 1460 wrote to memory of 892	1460	copy.exe	cmd.exe
PID 1460 wrote to memory of 892	1460	copy.exe	cmd.exe
PID 1460 wrote to memory of 892	1460	copy.exe	cmd.exe
PID 1888 wrote to memory of 1916	1888	cmd.exe	schtasks.exe
PID 1888 wrote to memory of 1916	1888	cmd.exe	schtasks.exe
PID 1888 wrote to memory of 1916	1888	cmd.exe	schtasks.exe
PID 1888 wrote to memory of 1916	1888	cmd.exe	schtasks.exe
PID 1936 wrote to memory of 608	1936	taskeng.exe	msdtc.exe
PID 1936 wrote to memory of 608	1936	taskeng.exe	msdtc.exe
PID 1936 wrote to memory of 608	1936	taskeng.exe	msdtc.exe
PID 1936 wrote to memory of 608	1936	taskeng.exe	msdtc.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 1484	608	msdtc.exe	RegAsm.exe
PID 608 wrote to memory of 744	608	msdtc.exe	cmd.exe
PID 608 wrote to memory of 744	608	msdtc.exe	cmd.exe
PID 608 wrote to memory of 744	608	msdtc.exe	cmd.exe
PID 608 wrote to memory of 744	608	msdtc.exe	cmd.exe
PID 608 wrote to memory of 1604	608	msdtc.exe	cmd.exe
PID 608 wrote to memory of 1604	608	msdtc.exe	cmd.exe
PID 608 wrote to memory of 1604	608	msdtc.exe	cmd.exe
PID 608 wrote to memory of 1604	608	msdtc.exe	cmd.exe
PID 608 wrote to memory of 1080	608	msdtc.exe	cmd.exe
PID 608 wrote to memory of 1080	608	msdtc.exe	cmd.exe
PID 608 wrote to memory of 1080	608	msdtc.exe	cmd.exe
PID 608 wrote to memory of 1080	608	msdtc.exe	cmd.exe
PID 1604 wrote to memory of 1064	1604	cmd.exe	schtasks.exe
PID 1604 wrote to memory of 1064	1604	cmd.exe	schtasks.exe
PID 1604 wrote to memory of 1064	1604	cmd.exe	schtasks.exe
PID 1604 wrote to memory of 1064	1604	cmd.exe	schtasks.exe
PID 1936 wrote to memory of 1020	1936	taskeng.exe	msdtc.exe
PID 1936 wrote to memory of 1020	1936	taskeng.exe	msdtc.exe
PID 1936 wrote to memory of 1020	1936	taskeng.exe	msdtc.exe
PID 1936 wrote to memory of 1020	1936	taskeng.exe	msdtc.exe

C:\Users\Admin\AppData\Local\Temp\copy.exe
"C:\Users\Admin\AppData\Local\Temp\copy.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
2⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1916

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\copy.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
2⤵
PID:892

C:\Windows\system32\taskeng.exe
taskeng.exe {3DFD2CF2-A816-4DE2-B8A8-450A973DAD27} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
3⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1064

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
3⤵
PID:1080

C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\msdtc"
3⤵
PID:616

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
3⤵
PID:1724

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1984

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe" "C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe"
3⤵
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
Filesize
300.0MB

MD5
3bfc4f5d058aac39f3cd1cc7771fb376

SHA1
4f400860ad6e90f17b6abe3f925de5fe47dac4ba

SHA256
05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6

SHA512
263be832f00990f423febb1be6f7871841c695c876f051a6f0906dfa9cb577f00b5a6a610fdf36a8c5d3323d2e8b5e171d78fe2e42b4bf6114d6c76476fa236e

Download Submit
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
Filesize
300.0MB

MD5
3bfc4f5d058aac39f3cd1cc7771fb376

SHA1
4f400860ad6e90f17b6abe3f925de5fe47dac4ba

SHA256
05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6

SHA512
263be832f00990f423febb1be6f7871841c695c876f051a6f0906dfa9cb577f00b5a6a610fdf36a8c5d3323d2e8b5e171d78fe2e42b4bf6114d6c76476fa236e

Download Submit
C:\Users\Admin\AppData\Roaming\msdtc\msdtc.exe
Filesize
300.0MB

MD5
3bfc4f5d058aac39f3cd1cc7771fb376

SHA1
4f400860ad6e90f17b6abe3f925de5fe47dac4ba

SHA256
05af19f88159fdc48e4039627198ddffacceb086e67a5fe0a76379a490be75a6

SHA512
263be832f00990f423febb1be6f7871841c695c876f051a6f0906dfa9cb577f00b5a6a610fdf36a8c5d3323d2e8b5e171d78fe2e42b4bf6114d6c76476fa236e

Download Submit
memory/608-75-0x0000000000A10000-0x0000000000A92000-memory.dmp

Filesize
520KB

Download
memory/608-73-0x0000000000000000-mapping.dmp

Download
memory/616-109-0x0000000000000000-mapping.dmp

Download
memory/744-84-0x0000000000000000-mapping.dmp

Download
memory/892-70-0x0000000000000000-mapping.dmp

Download
memory/892-103-0x0000000000410A1E-mapping.dmp

Download
memory/940-62-0x0000000000410A1E-mapping.dmp

Download
memory/940-56-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/940-66-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/940-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/940-57-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/940-61-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/940-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/940-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1020-95-0x0000000000BE0000-0x0000000000C62000-memory.dmp

Filesize
520KB

Download
memory/1020-93-0x0000000000000000-mapping.dmp

Download
memory/1064-92-0x0000000000000000-mapping.dmp

Download
memory/1080-91-0x0000000000000000-mapping.dmp

Download
memory/1460-54-0x0000000000B30000-0x0000000000BB2000-memory.dmp

Filesize
520KB

Download
memory/1460-55-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1484-83-0x0000000000410A1E-mapping.dmp

Download
memory/1544-111-0x0000000000000000-mapping.dmp

Download
memory/1604-90-0x0000000000000000-mapping.dmp

Download
memory/1724-110-0x0000000000000000-mapping.dmp

Download
memory/1888-69-0x0000000000000000-mapping.dmp

Download
memory/1916-71-0x0000000000000000-mapping.dmp

Download
memory/1984-112-0x0000000000000000-mapping.dmp

Download
memory/2032-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads