asyncrat | 98fc50a25512d2ac4673c05bee1f757b36fe812ba6981465ff8faec50d78d0c2

General

Target

svchost.exe
Size

42KB
MD5

a184997f7fb21c53e838fb30f265fa73
SHA1

ba53c020bb15ec804b1bf69425d7694b70c7ab66
SHA256

98fc50a25512d2ac4673c05bee1f757b36fe812ba6981465ff8faec50d78d0c2
SHA512

b29702060ec94c68d6f00b1016dbcd440ea248010afe6497c647cdab8ad8144453f6798cffd32e4f031c73b3550197fd4d30ed0e6c5debde0bb9c9f42751a4e8
SSDEEP

768:UaJ45P5jHWSDAYsAYHWmfsVi/jV09VCBJifoeH5zFi/30NZXggkXoyiRs:UaSsi3s3Ht0ViLV0zgJifo2Q3CZw5Xog

Score

10^/10

asyncrat minecraft clients evasion persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

VenomRAT+HVNC+Stealer Version:5.0.9

Botnet

Minecraft Clients

C2

178.211.139.47:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/544-71-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/544-72-0x000000000041169E-mapping.dmp	asyncrat
behavioral1/memory/544-74-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat
behavioral1/memory/544-76-0x0000000000400000-0x0000000000416000-memory.dmp	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1796	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
936	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	svchost.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1796 set thread context of 544	1796	svchost.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
852	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1184	timeout.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
368	svchost.exe
620	powershell.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe
544	jsc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	368	svchost.exe
Token: SeDebugPrivilege	1796	svchost.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	544	jsc.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 1972	368	svchost.exe	26
PID 368 wrote to memory of 1972	368	svchost.exe	26
PID 368 wrote to memory of 1972	368	svchost.exe	26
PID 368 wrote to memory of 936	368	svchost.exe	28
PID 368 wrote to memory of 936	368	svchost.exe	28
PID 368 wrote to memory of 936	368	svchost.exe	28
PID 1972 wrote to memory of 852	1972	cmd.exe	30
PID 1972 wrote to memory of 852	1972	cmd.exe	30
PID 1972 wrote to memory of 852	1972	cmd.exe	30
PID 936 wrote to memory of 1184	936	cmd.exe	31
PID 936 wrote to memory of 1184	936	cmd.exe	31
PID 936 wrote to memory of 1184	936	cmd.exe	31
PID 936 wrote to memory of 1796	936	cmd.exe	32
PID 936 wrote to memory of 1796	936	cmd.exe	32
PID 936 wrote to memory of 1796	936	cmd.exe	32
PID 1796 wrote to memory of 620	1796	svchost.exe	33
PID 1796 wrote to memory of 620	1796	svchost.exe	33
PID 1796 wrote to memory of 620	1796	svchost.exe	33
PID 1796 wrote to memory of 544	1796	svchost.exe	35
PID 1796 wrote to memory of 544	1796	svchost.exe	35
PID 1796 wrote to memory of 544	1796	svchost.exe	35
PID 1796 wrote to memory of 544	1796	svchost.exe	35
PID 1796 wrote to memory of 544	1796	svchost.exe	35
PID 1796 wrote to memory of 544	1796	svchost.exe	35
PID 1796 wrote to memory of 544	1796	svchost.exe	35
PID 1796 wrote to memory of 544	1796	svchost.exe	35
PID 1796 wrote to memory of 544	1796	svchost.exe	35

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:852
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6172.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1184
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:620
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6172.tmp.bat

Filesize
151B

MD5
c42de80360d366e9ffaf3a611f8b48af

SHA1
13e74075a927269ca609b996599131cc859fe997

SHA256
bde198b7908182bdf48c983a09a129dffa816a6bd1107f055595b71c102a2fc3

SHA512
6c8974b6e2d371eb411ed1e3cd657f977f9e006df081670efc72b0bd7c2d2f131d7bdd0e629e89e3341914a493854de54021a1823f089afc48aa082a1b6c6b3b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
42KB

MD5
a184997f7fb21c53e838fb30f265fa73

SHA1
ba53c020bb15ec804b1bf69425d7694b70c7ab66

SHA256
98fc50a25512d2ac4673c05bee1f757b36fe812ba6981465ff8faec50d78d0c2

SHA512
b29702060ec94c68d6f00b1016dbcd440ea248010afe6497c647cdab8ad8144453f6798cffd32e4f031c73b3550197fd4d30ed0e6c5debde0bb9c9f42751a4e8

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
42KB

MD5
a184997f7fb21c53e838fb30f265fa73

SHA1
ba53c020bb15ec804b1bf69425d7694b70c7ab66

SHA256
98fc50a25512d2ac4673c05bee1f757b36fe812ba6981465ff8faec50d78d0c2

SHA512
b29702060ec94c68d6f00b1016dbcd440ea248010afe6497c647cdab8ad8144453f6798cffd32e4f031c73b3550197fd4d30ed0e6c5debde0bb9c9f42751a4e8

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
42KB

MD5
a184997f7fb21c53e838fb30f265fa73

SHA1
ba53c020bb15ec804b1bf69425d7694b70c7ab66

SHA256
98fc50a25512d2ac4673c05bee1f757b36fe812ba6981465ff8faec50d78d0c2

SHA512
b29702060ec94c68d6f00b1016dbcd440ea248010afe6497c647cdab8ad8144453f6798cffd32e4f031c73b3550197fd4d30ed0e6c5debde0bb9c9f42751a4e8

Download Submit
memory/368-54-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/368-55-0x00000000002C0000-0x0000000000316000-memory.dmp

Filesize
344KB

Download
memory/544-79-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/544-76-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/544-74-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/544-71-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/620-67-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/620-68-0x000007FEEC420000-0x000007FEECE43000-memory.dmp

Filesize
10.1MB

Download
memory/620-69-0x000007FEEB8C0000-0x000007FEEC41D000-memory.dmp

Filesize
11.4MB

Download
memory/620-70-0x0000000002344000-0x0000000002347000-memory.dmp

Filesize
12KB

Download
memory/620-77-0x0000000002344000-0x0000000002347000-memory.dmp

Filesize
12KB

Download
memory/620-78-0x000000000234B000-0x000000000236A000-memory.dmp

Filesize
124KB

Download
memory/1796-65-0x0000000000D10000-0x0000000000D1E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads