asyncrat | b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4

Analysis

max time kernel
51s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
09-01-2023 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
Size

915KB
MD5

98bb7310f473f8151d19643afb9142c0
SHA1

470d392167d337c8c64f02298f8c47f11385c188
SHA256

b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4
SHA512

0ba43ae3b0727738c959a57db161724957e1ac0e05dddcf5e97de65565472689a5d73c682be1117b3b8bb58b1f1f191703fe2c536f344c4c7a304816f70660fa
SSDEEP

12288:aY60OiHviUznMCR0O0JMRZe+3gyJ+s7RYdWbNo5EET9G/Sau4qQQi5W13mWNVALF:aWZPRPZrbZq9u014

Score

10^/10

asyncrat stormkitty venom clients evasion persistence rat stealer

Malware Config

Extracted

Family

asyncrat

Version

VenomRAT+HVNC+Stealer Version:5.0.9

Botnet

Venom Clients

185.132.176.192:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4984-221-0x00000000071B0000-0x00000000072D2000-memory.dmp	family_stormkitty

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4984-117-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/4984-118-0x000000000041165E-mapping.dmp	asyncrat

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\62E797958FDC4E9DB6894BFAAB84D550 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe\""	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

description	pid	process	target process
PID 5004 set thread context of 4984	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	AddInProcess32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4116 4984 WerFault.exe AddInProcess32.exe

pid	pid_target	process	target process
4116	4984	WerFault.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exeAddInProcess32.exe

pid	process
5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
4984	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
Token: SeDebugPrivilege	4984	AddInProcess32.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe

description	pid	process	target process
PID 5004 wrote to memory of 5060	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	cvtres.exe
PID 5004 wrote to memory of 5060	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	cvtres.exe
PID 5004 wrote to memory of 1872	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	EdmGen.exe
PID 5004 wrote to memory of 1872	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	EdmGen.exe
PID 5004 wrote to memory of 1628	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	aspnet_state.exe
PID 5004 wrote to memory of 1628	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	aspnet_state.exe
PID 5004 wrote to memory of 1736	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	mscorsvw.exe
PID 5004 wrote to memory of 1736	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	mscorsvw.exe
PID 5004 wrote to memory of 1944	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	AppLaunch.exe
PID 5004 wrote to memory of 1944	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	AppLaunch.exe
PID 5004 wrote to memory of 4984	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	AddInProcess32.exe
PID 5004 wrote to memory of 4984	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	AddInProcess32.exe
PID 5004 wrote to memory of 4984	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	AddInProcess32.exe
PID 5004 wrote to memory of 4984	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	AddInProcess32.exe
PID 5004 wrote to memory of 4984	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	AddInProcess32.exe
PID 5004 wrote to memory of 4984	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	AddInProcess32.exe
PID 5004 wrote to memory of 4984	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	AddInProcess32.exe
PID 5004 wrote to memory of 4984	5004	b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe
"C:\Users\Admin\AppData\Local\Temp\b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:5060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:1872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:1628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
2⤵
PID:1736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
2⤵
PID:1944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 2756
3⤵
- Program crash
PID:4116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4984-117-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4984-118-0x000000000041165E-mapping.dmp

Download
memory/4984-119-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-120-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-121-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-122-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-123-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-124-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-125-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-126-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-127-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-128-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-129-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-130-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-131-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-132-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-133-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-134-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-135-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-136-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-137-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-138-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-139-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-140-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-141-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-142-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-143-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-144-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-145-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-146-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-147-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-148-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-149-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-150-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-151-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-152-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-153-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-154-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-155-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-156-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-157-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-158-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-159-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-160-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-161-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-162-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-163-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-164-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-165-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-166-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-167-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-168-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-169-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-170-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-171-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-172-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-173-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-174-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-175-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-176-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-177-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-178-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-179-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-180-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-181-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4984-193-0x0000000005E00000-0x0000000005E9C000-memory.dmp

Filesize
624KB

Download
memory/4984-194-0x00000000063A0000-0x000000000689E000-memory.dmp

Filesize
5.0MB

Download
memory/4984-195-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/4984-219-0x0000000007130000-0x00000000071A6000-memory.dmp

Filesize
472KB

Download
memory/4984-221-0x00000000071B0000-0x00000000072D2000-memory.dmp

Filesize
1.1MB

Download
memory/4984-222-0x0000000007100000-0x000000000711E000-memory.dmp

Filesize
120KB

Download
memory/4984-223-0x00000000075B0000-0x0000000007900000-memory.dmp

Filesize
3.3MB

Download
memory/4984-225-0x0000000006F70000-0x0000000006FBB000-memory.dmp

Filesize
300KB

Download
memory/5004-115-0x000001FD30190000-0x000001FD3027A000-memory.dmp

Filesize
936KB

Download
memory/5004-116-0x000001FD30610000-0x000001FD30666000-memory.dmp

Filesize
344KB

Download