asyncrat | 33c374a5686da5dede55e0d7a867e185c193dd281dbb84594769395b6f49db01

Resubmissions

27-03-2023 14:22

230327-rp15zsdg92 10

27-03-2023 13:43

230327-q1lc8sdf86 10

Analysis

max time kernel
297s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2023 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client2.exe
Size

63KB
MD5

40a63f050f41848d979fc88712d1fbf1
SHA1

0d155350fd579788f71dbf7e3f39c889bd37f50e
SHA256

33c374a5686da5dede55e0d7a867e185c193dd281dbb84594769395b6f49db01
SHA512

c11e32b23ca672c863de8d1ddb4a44d1b09f15262660914ef9c1ba3b99e210939df089b8c0d27f5616d820e9fe217e8a91c4875aa7108d25fe26802c1bb96a64
SSDEEP

1536:YhW5hc1kw0kVit8Q0v9Gbb3w+HRpGmDpqKmY7:YhW5hc1kWVHGbb3hHR9gz

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

soon-lp.at.ply.gg:17209

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4680-133-0x00000000001F0000-0x0000000000206000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\svchost.exe	asyncrat
C:\Users\Admin\AppData\Roaming\svchost.exe	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Client2.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3000 svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2008 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2292 timeout.exe

pid	process
3000	svchost.exe

pid	process
2008	schtasks.exe

pid	process
2292	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Client2.exe

pid	process
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe
4680	Client2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Client2.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4680	Client2.exe
Token: SeDebugPrivilege	4680	Client2.exe
Token: SeDebugPrivilege	3000	svchost.exe
Token: SeDebugPrivilege	3000	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Client2.execmd.execmd.exe

description	pid	process	target process
PID 4680 wrote to memory of 1628	4680	Client2.exe	cmd.exe
PID 4680 wrote to memory of 1628	4680	Client2.exe	cmd.exe
PID 4680 wrote to memory of 2992	4680	Client2.exe	cmd.exe
PID 4680 wrote to memory of 2992	4680	Client2.exe	cmd.exe
PID 2992 wrote to memory of 2292	2992	cmd.exe	timeout.exe
PID 2992 wrote to memory of 2292	2992	cmd.exe	timeout.exe
PID 1628 wrote to memory of 2008	1628	cmd.exe	schtasks.exe
PID 1628 wrote to memory of 2008	1628	cmd.exe	schtasks.exe
PID 2992 wrote to memory of 3000	2992	cmd.exe	svchost.exe
PID 2992 wrote to memory of 3000	2992	cmd.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client2.exe
"C:\Users\Admin\AppData\Local\Temp\Client2.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8CC4.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2292

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8CC4.tmp.bat
Filesize
151B

MD5
ab5cd4748f90163a437eb32660c7b812

SHA1
ff7dccaf6dda931082d73c353a6f38970f3ec409

SHA256
fabeafcafe5e8d5092777681ae1f12d8c3a7df4f4b6485c920ff11340cb20558

SHA512
3647abb693bfd5a360fa4cc93a343b16eab2b81bf05650b2b225fb48238b308af6990ec5bf7c7c8d35e51f7b9cf71c08459a40cd3b1fb01050d7b84f19dae5a1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
63KB

MD5
40a63f050f41848d979fc88712d1fbf1

SHA1
0d155350fd579788f71dbf7e3f39c889bd37f50e

SHA256
33c374a5686da5dede55e0d7a867e185c193dd281dbb84594769395b6f49db01

SHA512
c11e32b23ca672c863de8d1ddb4a44d1b09f15262660914ef9c1ba3b99e210939df089b8c0d27f5616d820e9fe217e8a91c4875aa7108d25fe26802c1bb96a64

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
63KB

MD5
40a63f050f41848d979fc88712d1fbf1

SHA1
0d155350fd579788f71dbf7e3f39c889bd37f50e

SHA256
33c374a5686da5dede55e0d7a867e185c193dd281dbb84594769395b6f49db01

SHA512
c11e32b23ca672c863de8d1ddb4a44d1b09f15262660914ef9c1ba3b99e210939df089b8c0d27f5616d820e9fe217e8a91c4875aa7108d25fe26802c1bb96a64

Download Submit
memory/3000-144-0x000000001C340000-0x000000001C48E000-memory.dmp

Filesize
1.3MB

Download
memory/3000-145-0x000000001D9C0000-0x000000001DA36000-memory.dmp

Filesize
472KB

Download
memory/3000-146-0x000000001C590000-0x000000001C5AE000-memory.dmp

Filesize
120KB

Download
memory/3000-147-0x000000001C340000-0x000000001C48E000-memory.dmp

Filesize
1.3MB

Download
memory/3000-148-0x000000001C340000-0x000000001C48E000-memory.dmp

Filesize
1.3MB

Download
memory/3000-150-0x000000001C340000-0x000000001C48E000-memory.dmp

Filesize
1.3MB

Download
memory/4680-133-0x00000000001F0000-0x0000000000206000-memory.dmp

Filesize
88KB

Download
memory/4680-134-0x000000001AF30000-0x000000001AF40000-memory.dmp

Filesize
64KB

Download
memory/4680-139-0x000000001AD20000-0x000000001AE6E000-memory.dmp

Filesize
1.3MB

Download