asyncrat | f0ba0fdaeb248b67341c740cb728b056516768bee672c4df22f38dbad3598bde

General

Target

4029013#.exe
Size

300.0MB
MD5

41308dae88480a4eaf61b36767990bbe
SHA1

a347f3eb607df4c47b9473818866bcad6aef4e96
SHA256

190324c758fe4e21f2254d10bc9871b5e8a2e0f063a0b49f1680b3ee9f8da519
SHA512

ee0812562d7f0f16ea75ccc236ac85c986c47ed52fc75ffb8d1a21d9c62cb90855963d2678dfc01345e97f5435d320d0ba982d82f1d7395d066b843e49479c42
SSDEEP

3072:ZuDu8y65Hc4/+683JZbqaZ75yEzHX7NXjPP8shYd0CwbI+hRx:ZuDu8y65Hc4SrbqXEz37BjzugbIg

Score

10^/10

asyncrat may 17 rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.4

Botnet

MAY 17

C2

paris-comrademay17.duckdns.org:25045

Mutex

kjauwydefagvrcku64y

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1288-63-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1288-62-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1288-64-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1288-65-0x00000000004109BE-mapping.dmp	asyncrat
behavioral1/memory/1288-69-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/1288-67-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

Processes:

pmfr.exe

pid process

1116 pmfr.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

4029013#.exe

description pid process target process

PID 2000 set thread context of 1288 2000 4029013#.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1312 schtasks.exe
1700 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

vbc.exe

description pid process

Token: SeDebugPrivilege 1288 vbc.exe

pid	process
1116	pmfr.exe

description	pid	process	target process
PID 2000 set thread context of 1288	2000	4029013#.exe	vbc.exe

pid	process
1312	schtasks.exe
1700	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	1288	vbc.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

4029013#.execmd.exetaskeng.exepmfr.execmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 1488	2000	4029013#.exe	cmd.exe
PID 2000 wrote to memory of 1488	2000	4029013#.exe	cmd.exe
PID 2000 wrote to memory of 1488	2000	4029013#.exe	cmd.exe
PID 2000 wrote to memory of 1488	2000	4029013#.exe	cmd.exe
PID 2000 wrote to memory of 1492	2000	4029013#.exe	cmd.exe
PID 2000 wrote to memory of 1492	2000	4029013#.exe	cmd.exe
PID 2000 wrote to memory of 1492	2000	4029013#.exe	cmd.exe
PID 2000 wrote to memory of 1492	2000	4029013#.exe	cmd.exe
PID 1488 wrote to memory of 1312	1488	cmd.exe	schtasks.exe
PID 1488 wrote to memory of 1312	1488	cmd.exe	schtasks.exe
PID 1488 wrote to memory of 1312	1488	cmd.exe	schtasks.exe
PID 1488 wrote to memory of 1312	1488	cmd.exe	schtasks.exe
PID 2000 wrote to memory of 1288	2000	4029013#.exe	vbc.exe
PID 2000 wrote to memory of 1288	2000	4029013#.exe	vbc.exe
PID 2000 wrote to memory of 1288	2000	4029013#.exe	vbc.exe
PID 2000 wrote to memory of 1288	2000	4029013#.exe	vbc.exe
PID 2000 wrote to memory of 1288	2000	4029013#.exe	vbc.exe
PID 2000 wrote to memory of 1288	2000	4029013#.exe	vbc.exe
PID 2000 wrote to memory of 1288	2000	4029013#.exe	vbc.exe
PID 2000 wrote to memory of 1288	2000	4029013#.exe	vbc.exe
PID 2000 wrote to memory of 1288	2000	4029013#.exe	vbc.exe
PID 1104 wrote to memory of 1116	1104	taskeng.exe	pmfr.exe
PID 1104 wrote to memory of 1116	1104	taskeng.exe	pmfr.exe
PID 1104 wrote to memory of 1116	1104	taskeng.exe	pmfr.exe
PID 1104 wrote to memory of 1116	1104	taskeng.exe	pmfr.exe
PID 1116 wrote to memory of 1512	1116	pmfr.exe	cmd.exe
PID 1116 wrote to memory of 1512	1116	pmfr.exe	cmd.exe
PID 1116 wrote to memory of 1512	1116	pmfr.exe	cmd.exe
PID 1116 wrote to memory of 1512	1116	pmfr.exe	cmd.exe
PID 1512 wrote to memory of 1700	1512	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 1700	1512	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 1700	1512	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 1700	1512	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4029013#.exe
"C:\Users\Admin\AppData\Local\Temp\4029013#.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
3⤵
- Creates scheduled task(s)
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\4029013#.exe" "C:\Users\Admin\AppData\Roaming\pmfr.exe"
2⤵
PID:1492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\system32\taskeng.exe
taskeng.exe {705D7806-5FF1-488C-BE95-3D61DB401813} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Roaming\pmfr.exe
C:\Users\Admin\AppData\Roaming\pmfr.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafdnasia" /tr "'C:\Users\Admin\AppData\Roaming\pmfr.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\pmfr.exe
Filesize
266.2MB

MD5
0953e6106e5e369e6e96ac0d4bd67365

SHA1
a5531f314db75cb7f9a8f80dd9a642aca57a235e

SHA256
f9b54a6d4f278e9c72e4bca51f96e750eb22c40d76c838d2eb64e971a6035c9d

SHA512
988d92eb38c304b72fe543648d8215258ff2716886218eb24064008136f37bbea49a888bec6c5ef4b013cb24fa5273adef382095f629da4533a8fff1cf0bfec4

Download Submit
C:\Users\Admin\AppData\Roaming\pmfr.exe
Filesize
271.1MB

MD5
e0eafcf5d734e000c22201726cb6c3be

SHA1
b58208464dbc02507b9a9a540678f10a8a031a49

SHA256
23462ed4b3d4648b918ce2cdae47934a9882d2320fe914f110b93d253a622dae

SHA512
3b452f64ba3bdd32e87146e51acc9e448dc47549448f32160c4419c96e5a1868b4b8fe220dc5aec6bd9e9b3665fbd053c78931751a3bb824302d1ed2de38a81d

Download Submit
memory/1116-74-0x0000000000B90000-0x0000000000BC2000-memory.dmp

Filesize
200KB

Download
memory/1116-72-0x0000000000000000-mapping.dmp

Download
memory/1288-67-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-69-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-60-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-63-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-64-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1288-65-0x00000000004109BE-mapping.dmp

Download
memory/1288-59-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1312-58-0x0000000000000000-mapping.dmp

Download
memory/1488-56-0x0000000000000000-mapping.dmp

Download
memory/1492-57-0x0000000000000000-mapping.dmp

Download
memory/1512-76-0x0000000000000000-mapping.dmp

Download
memory/1700-77-0x0000000000000000-mapping.dmp

Download
memory/2000-54-0x0000000000E30000-0x0000000000E62000-memory.dmp

Filesize
200KB

Download
memory/2000-55-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads