asyncrat | 74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca

General

Target

74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe
Size

273KB
MD5

1d7b16b873866f8f2052b82c899205b9
SHA1

ade49b4252860b2ca06151a392f6095efd851fdb
SHA256

74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca
SHA512

ed9ea335e02b4797d0ec3e6aa1702573235b6b53e2fcdeeb495086a1c09ad45d69455ddc8f56bc5a0d79681ce04228c3388abf9f66544dff507232674223d78e
SSDEEP

3072:CyVXVetg8Y0OltV6MYWv5O1wAv/KN7x5Lo7fhTDw02rwefem2ZeXGMh0k:tRh6Me1wAv/kXGu02sefee2U

Score

10^/10

asyncrat smokeloader venom clients backdoor rat trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT 5.0.5

Botnet

Venom Clients

C2

80.89.230.176:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
5
install
true
install_file
svshost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4956-133-0x00000000005B0000-0x00000000005B9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1084-180-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1D3C.exesvshost.exe

pid process

4244 1D3C.exe
1044 svshost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

1D3C.exe

description pid process target process

PID 4244 set thread context of 1084 4244 1D3C.exe RegSvcs.exe

pid	process
4244	1D3C.exe
1044	svshost.exe

description	pid	process	target process
PID 4244 set thread context of 1084	4244	1D3C.exe	RegSvcs.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4396 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4532 timeout.exe

pid	process
4396	schtasks.exe

pid	process
4532	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe

pid	process
4956	74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe
4956	74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048

pid	process
3048

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe

pid	process
4956	74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

RegSvcs.exe

description	pid	process
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeDebugPrivilege	1084	RegSvcs.exe
Token: SeDebugPrivilege	1084	RegSvcs.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

1D3C.exeRegSvcs.execmd.execmd.exe

description	pid	process	target process
PID 3048 wrote to memory of 4244	3048		1D3C.exe
PID 3048 wrote to memory of 4244	3048		1D3C.exe
PID 3048 wrote to memory of 4244	3048		1D3C.exe
PID 3048 wrote to memory of 2504	3048		explorer.exe
PID 3048 wrote to memory of 2504	3048		explorer.exe
PID 3048 wrote to memory of 2504	3048		explorer.exe
PID 3048 wrote to memory of 2504	3048		explorer.exe
PID 3048 wrote to memory of 2040	3048		explorer.exe
PID 3048 wrote to memory of 2040	3048		explorer.exe
PID 3048 wrote to memory of 2040	3048		explorer.exe
PID 3048 wrote to memory of 372	3048		explorer.exe
PID 3048 wrote to memory of 372	3048		explorer.exe
PID 3048 wrote to memory of 372	3048		explorer.exe
PID 3048 wrote to memory of 372	3048		explorer.exe
PID 3048 wrote to memory of 4676	3048		explorer.exe
PID 3048 wrote to memory of 4676	3048		explorer.exe
PID 3048 wrote to memory of 4676	3048		explorer.exe
PID 3048 wrote to memory of 1332	3048		explorer.exe
PID 3048 wrote to memory of 1332	3048		explorer.exe
PID 3048 wrote to memory of 1332	3048		explorer.exe
PID 3048 wrote to memory of 1332	3048		explorer.exe
PID 3048 wrote to memory of 4368	3048		explorer.exe
PID 3048 wrote to memory of 4368	3048		explorer.exe
PID 3048 wrote to memory of 4368	3048		explorer.exe
PID 3048 wrote to memory of 4368	3048		explorer.exe
PID 3048 wrote to memory of 3900	3048		explorer.exe
PID 3048 wrote to memory of 3900	3048		explorer.exe
PID 3048 wrote to memory of 3900	3048		explorer.exe
PID 3048 wrote to memory of 3900	3048		explorer.exe
PID 3048 wrote to memory of 5004	3048		explorer.exe
PID 3048 wrote to memory of 5004	3048		explorer.exe
PID 3048 wrote to memory of 5004	3048		explorer.exe
PID 3048 wrote to memory of 668	3048		explorer.exe
PID 3048 wrote to memory of 668	3048		explorer.exe
PID 3048 wrote to memory of 668	3048		explorer.exe
PID 3048 wrote to memory of 668	3048		explorer.exe
PID 4244 wrote to memory of 1084	4244	1D3C.exe	RegSvcs.exe
PID 4244 wrote to memory of 1084	4244	1D3C.exe	RegSvcs.exe
PID 4244 wrote to memory of 1084	4244	1D3C.exe	RegSvcs.exe
PID 4244 wrote to memory of 1084	4244	1D3C.exe	RegSvcs.exe
PID 4244 wrote to memory of 1084	4244	1D3C.exe	RegSvcs.exe
PID 4244 wrote to memory of 1084	4244	1D3C.exe	RegSvcs.exe
PID 4244 wrote to memory of 1084	4244	1D3C.exe	RegSvcs.exe
PID 4244 wrote to memory of 1084	4244	1D3C.exe	RegSvcs.exe
PID 1084 wrote to memory of 392	1084	RegSvcs.exe	cmd.exe
PID 1084 wrote to memory of 392	1084	RegSvcs.exe	cmd.exe
PID 1084 wrote to memory of 392	1084	RegSvcs.exe	cmd.exe
PID 1084 wrote to memory of 1876	1084	RegSvcs.exe	cmd.exe
PID 1084 wrote to memory of 1876	1084	RegSvcs.exe	cmd.exe
PID 1084 wrote to memory of 1876	1084	RegSvcs.exe	cmd.exe
PID 1876 wrote to memory of 4532	1876	cmd.exe	timeout.exe
PID 1876 wrote to memory of 4532	1876	cmd.exe	timeout.exe
PID 1876 wrote to memory of 4532	1876	cmd.exe	timeout.exe
PID 392 wrote to memory of 4396	392	cmd.exe	schtasks.exe
PID 392 wrote to memory of 4396	392	cmd.exe	schtasks.exe
PID 392 wrote to memory of 4396	392	cmd.exe	schtasks.exe
PID 1876 wrote to memory of 1044	1876	cmd.exe	svshost.exe
PID 1876 wrote to memory of 1044	1876	cmd.exe	svshost.exe
PID 1876 wrote to memory of 1044	1876	cmd.exe	svshost.exe

C:\Users\Admin\AppData\Local\Temp\74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe
"C:\Users\Admin\AppData\Local\Temp\74b502f28ed461b089fd8f201f472c5dfaf4f366b76449d41a742cd9204a42ca.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4956

C:\Users\Admin\AppData\Local\Temp\1D3C.exe
C:\Users\Admin\AppData\Local\Temp\1D3C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svshost" /tr '"C:\Users\Admin\AppData\Roaming\svshost.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svshost" /tr '"C:\Users\Admin\AppData\Roaming\svshost.exe"'
4⤵
- Creates scheduled task(s)
PID:4396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA8F2.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4532

C:\Users\Admin\AppData\Roaming\svshost.exe
"C:\Users\Admin\AppData\Roaming\svshost.exe"
4⤵
- Executes dropped EXE
PID:1044

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2504

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2040

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:372

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4676

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4368

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3900

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5004

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1D3C.exe
Filesize
986KB

MD5
9abed258d16bc74722d469f48baeccd5

SHA1
f2b2d18fbd0dd22b755aea5a4f9bc1e2148cac47

SHA256
877e947467beb6827f5dec938c5c73e6b56d632a9422c4b4f4bef83cd19c0779

SHA512
b1d6e7f308cc8587000c097c4d7693c8d501923e3f5b7dcfc6380d071b3372dccda66f8d6beff278dec09c42d9eee7c846c37bbc821d825d31321e6490403c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D3C.exe
Filesize
986KB

MD5
9abed258d16bc74722d469f48baeccd5

SHA1
f2b2d18fbd0dd22b755aea5a4f9bc1e2148cac47

SHA256
877e947467beb6827f5dec938c5c73e6b56d632a9422c4b4f4bef83cd19c0779

SHA512
b1d6e7f308cc8587000c097c4d7693c8d501923e3f5b7dcfc6380d071b3372dccda66f8d6beff278dec09c42d9eee7c846c37bbc821d825d31321e6490403c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA8F2.tmp.bat
Filesize
151B

MD5
5a06620f68922a706f71bffe011ed205

SHA1
2fbcf16a8a446dde12985fc7e9b6058676fba34b

SHA256
6c892dd496fe5e3baf7b859d5bd2047ed0650c74734545b53d4681a0fe9bd9f7

SHA512
f75d805cae8d5d927376b5da92b6afc2730c148e4582c43418ac1816de475d35f161f42d8a82addf963ed38bc6f5e39022b61f95be5c79782d43d9f16f7697a0

Download Submit
C:\Users\Admin\AppData\Roaming\svshost.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Roaming\svshost.exe
Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
memory/372-150-0x0000000000000000-mapping.dmp

Download
memory/372-173-0x0000000000DC0000-0x0000000000DC5000-memory.dmp

Filesize
20KB

Download
memory/372-152-0x0000000000DB0000-0x0000000000DB9000-memory.dmp

Filesize
36KB

Download
memory/372-151-0x0000000000DC0000-0x0000000000DC5000-memory.dmp

Filesize
20KB

Download
memory/392-181-0x0000000000000000-mapping.dmp

Download
memory/668-170-0x0000000000460000-0x000000000046B000-memory.dmp

Filesize
44KB

Download
memory/668-168-0x0000000000000000-mapping.dmp

Download
memory/668-169-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/668-178-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/1044-186-0x0000000000000000-mapping.dmp

Download
memory/1044-190-0x0000000004AE0000-0x0000000004B1C000-memory.dmp

Filesize
240KB

Download
memory/1044-189-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/1084-179-0x0000000000000000-mapping.dmp

Download
memory/1084-180-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1332-156-0x0000000000000000-mapping.dmp

Download
memory/1332-174-0x0000000000830000-0x0000000000852000-memory.dmp

Filesize
136KB

Download
memory/1332-157-0x0000000000830000-0x0000000000852000-memory.dmp

Filesize
136KB

Download
memory/1332-158-0x0000000000800000-0x0000000000827000-memory.dmp

Filesize
156KB

Download
memory/1876-182-0x0000000000000000-mapping.dmp

Download
memory/2040-172-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/2040-149-0x0000000000120000-0x000000000012F000-memory.dmp

Filesize
60KB

Download
memory/2040-147-0x0000000000000000-mapping.dmp

Download
memory/2040-148-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/2504-145-0x00000000010E0000-0x00000000010E7000-memory.dmp

Filesize
28KB

Download
memory/2504-171-0x00000000010E0000-0x00000000010E7000-memory.dmp

Filesize
28KB

Download
memory/2504-144-0x0000000000000000-mapping.dmp

Download
memory/2504-146-0x00000000010D0000-0x00000000010DB000-memory.dmp

Filesize
44KB

Download
memory/3900-162-0x0000000000000000-mapping.dmp

Download
memory/3900-163-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/3900-164-0x0000000000360000-0x000000000036B000-memory.dmp

Filesize
44KB

Download
memory/3900-176-0x0000000000370000-0x0000000000376000-memory.dmp

Filesize
24KB

Download
memory/4244-140-0x0000000005620000-0x0000000005BC4000-memory.dmp

Filesize
5.6MB

Download
memory/4244-142-0x00000000051B0000-0x000000000524C000-memory.dmp

Filesize
624KB

Download
memory/4244-143-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/4244-141-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/4244-139-0x00000000005E0000-0x00000000006DC000-memory.dmp

Filesize
1008KB

Download
memory/4244-136-0x0000000000000000-mapping.dmp

Download
memory/4368-160-0x0000000000800000-0x0000000000805000-memory.dmp

Filesize
20KB

Download
memory/4368-159-0x0000000000000000-mapping.dmp

Download
memory/4368-161-0x00000000007F0000-0x00000000007F9000-memory.dmp

Filesize
36KB

Download
memory/4368-175-0x0000000000800000-0x0000000000805000-memory.dmp

Filesize
20KB

Download
memory/4396-185-0x0000000000000000-mapping.dmp

Download
memory/4532-184-0x0000000000000000-mapping.dmp

Download
memory/4676-153-0x0000000000000000-mapping.dmp

Download
memory/4676-154-0x0000000000FD0000-0x0000000000FD6000-memory.dmp

Filesize
24KB

Download
memory/4676-155-0x0000000000FC0000-0x0000000000FCC000-memory.dmp

Filesize
48KB

Download
memory/4956-135-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4956-133-0x00000000005B0000-0x00000000005B9000-memory.dmp

Filesize
36KB

Download
memory/4956-132-0x00000000006A8000-0x00000000006B9000-memory.dmp

Filesize
68KB

Download
memory/4956-134-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5004-167-0x0000000000780000-0x000000000078D000-memory.dmp

Filesize
52KB

Download
memory/5004-165-0x0000000000000000-mapping.dmp

Download
memory/5004-166-0x0000000000790000-0x0000000000797000-memory.dmp

Filesize
28KB

Download
memory/5004-177-0x0000000000790000-0x0000000000797000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads