asyncrat | 6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-05-2023 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57875.exe
Size

350KB
MD5

5616b95c1b71f2a56742274bec64cfc3
SHA1

1b092dbe0a5c797f89d52d853dc4f23a7d0dc87c
SHA256

6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b
SHA512

86b92910f06320ae2500690a96111cc25a965858c6b86b5b649f884d43f942c0923a3ac35f694685ce75bb52fdd1c262dfa7058a8e7d059da4aa6be3aa3db93b
SSDEEP

6144:FjfgX5fZLs1RIu4FsFp7GUb8x9mTnQGo7Q7k91LQqWPzTg3:5YXhZLsyFMQUb8IQ/7R1UqWPzTg3

Score

10^/10

asyncrat default evasion persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.1

Botnet

Default

151.80.52.38:4449

Mutex

ctbrvrbjbpdrrmujx

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1388-80-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat
behavioral1/memory/1388-82-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat
behavioral1/memory/1388-84-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
588	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
900	cmd.exe
900	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	57875.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 588 set thread context of 1388	588	svchost.exe	44

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2028	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1536	timeout.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1676	57875.exe
292	powershell.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
588	svchost.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe
1388	AddInProcess32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
588	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	57875.exe
Token: SeDebugPrivilege	588	svchost.exe
Token: SeDebugPrivilege	588	svchost.exe
Token: SeLoadDriverPrivilege	588	svchost.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	1388	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1388	AddInProcess32.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 516	1676	57875.exe	26
PID 1676 wrote to memory of 516	1676	57875.exe	26
PID 1676 wrote to memory of 516	1676	57875.exe	26
PID 516 wrote to memory of 2028	516	cmd.exe	28
PID 516 wrote to memory of 2028	516	cmd.exe	28
PID 516 wrote to memory of 2028	516	cmd.exe	28
PID 1676 wrote to memory of 900	1676	57875.exe	29
PID 1676 wrote to memory of 900	1676	57875.exe	29
PID 1676 wrote to memory of 900	1676	57875.exe	29
PID 900 wrote to memory of 1536	900	cmd.exe	31
PID 900 wrote to memory of 1536	900	cmd.exe	31
PID 900 wrote to memory of 1536	900	cmd.exe	31
PID 900 wrote to memory of 588	900	cmd.exe	32
PID 900 wrote to memory of 588	900	cmd.exe	32
PID 900 wrote to memory of 588	900	cmd.exe	32
PID 588 wrote to memory of 292	588	svchost.exe	33
PID 588 wrote to memory of 292	588	svchost.exe	33
PID 588 wrote to memory of 292	588	svchost.exe	33
PID 588 wrote to memory of 1688	588	svchost.exe	35
PID 588 wrote to memory of 1688	588	svchost.exe	35
PID 588 wrote to memory of 1688	588	svchost.exe	35
PID 588 wrote to memory of 820	588	svchost.exe	36
PID 588 wrote to memory of 820	588	svchost.exe	36
PID 588 wrote to memory of 820	588	svchost.exe	36
PID 588 wrote to memory of 1028	588	svchost.exe	37
PID 588 wrote to memory of 1028	588	svchost.exe	37
PID 588 wrote to memory of 1028	588	svchost.exe	37
PID 588 wrote to memory of 956	588	svchost.exe	38
PID 588 wrote to memory of 956	588	svchost.exe	38
PID 588 wrote to memory of 956	588	svchost.exe	38
PID 588 wrote to memory of 1236	588	svchost.exe	39
PID 588 wrote to memory of 1236	588	svchost.exe	39
PID 588 wrote to memory of 1236	588	svchost.exe	39
PID 588 wrote to memory of 1228	588	svchost.exe	40
PID 588 wrote to memory of 1228	588	svchost.exe	40
PID 588 wrote to memory of 1228	588	svchost.exe	40
PID 588 wrote to memory of 1788	588	svchost.exe	41
PID 588 wrote to memory of 1788	588	svchost.exe	41
PID 588 wrote to memory of 1788	588	svchost.exe	41
PID 588 wrote to memory of 1584	588	svchost.exe	42
PID 588 wrote to memory of 1584	588	svchost.exe	42
PID 588 wrote to memory of 1584	588	svchost.exe	42
PID 588 wrote to memory of 548	588	svchost.exe	43
PID 588 wrote to memory of 548	588	svchost.exe	43
PID 588 wrote to memory of 548	588	svchost.exe	43
PID 588 wrote to memory of 1388	588	svchost.exe	44
PID 588 wrote to memory of 1388	588	svchost.exe	44
PID 588 wrote to memory of 1388	588	svchost.exe	44
PID 588 wrote to memory of 1388	588	svchost.exe	44
PID 588 wrote to memory of 1388	588	svchost.exe	44
PID 588 wrote to memory of 1388	588	svchost.exe	44
PID 588 wrote to memory of 1388	588	svchost.exe	44
PID 588 wrote to memory of 1388	588	svchost.exe	44
PID 588 wrote to memory of 1388	588	svchost.exe	44

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\57875.exe
"C:\Users\Admin\AppData\Local\Temp\57875.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2028
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9992.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1536
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - UAC bypass
    - Sets service image path in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:588
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:292
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
      4⤵
      PID:1688
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:820
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:1028
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
      4⤵
      PID:956
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
      4⤵
      PID:1236
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:1228
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1788
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:1584
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
      4⤵
      PID:548
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEF18.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9992.tmp.bat

Filesize
151B

MD5
553314f044b42b827e1cf3554a873571

SHA1
492580fc080a6b7e60fc50e699e0af993d955cf3

SHA256
99605426994789e4e6e615dd0d64d78e57733792ddb939812ba1f963f65dde0b

SHA512
6375947f48a775a994b3fe672be11224b72a95c2accd48b7b6a60f4be58ca6cbbb5250756364195590fb8625de899b17dd0f3d92d802b3a9e344fc1908067392

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9992.tmp.bat

Filesize
151B

MD5
553314f044b42b827e1cf3554a873571

SHA1
492580fc080a6b7e60fc50e699e0af993d955cf3

SHA256
99605426994789e4e6e615dd0d64d78e57733792ddb939812ba1f963f65dde0b

SHA512
6375947f48a775a994b3fe672be11224b72a95c2accd48b7b6a60f4be58ca6cbbb5250756364195590fb8625de899b17dd0f3d92d802b3a9e344fc1908067392

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
350KB

MD5
5616b95c1b71f2a56742274bec64cfc3

SHA1
1b092dbe0a5c797f89d52d853dc4f23a7d0dc87c

SHA256
6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b

SHA512
86b92910f06320ae2500690a96111cc25a965858c6b86b5b649f884d43f942c0923a3ac35f694685ce75bb52fdd1c262dfa7058a8e7d059da4aa6be3aa3db93b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
350KB

MD5
5616b95c1b71f2a56742274bec64cfc3

SHA1
1b092dbe0a5c797f89d52d853dc4f23a7d0dc87c

SHA256
6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b

SHA512
86b92910f06320ae2500690a96111cc25a965858c6b86b5b649f884d43f942c0923a3ac35f694685ce75bb52fdd1c262dfa7058a8e7d059da4aa6be3aa3db93b

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
350KB

MD5
5616b95c1b71f2a56742274bec64cfc3

SHA1
1b092dbe0a5c797f89d52d853dc4f23a7d0dc87c

SHA256
6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b

SHA512
86b92910f06320ae2500690a96111cc25a965858c6b86b5b649f884d43f942c0923a3ac35f694685ce75bb52fdd1c262dfa7058a8e7d059da4aa6be3aa3db93b

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe

Filesize
350KB

MD5
5616b95c1b71f2a56742274bec64cfc3

SHA1
1b092dbe0a5c797f89d52d853dc4f23a7d0dc87c

SHA256
6d4d71c94b1613f2bce90d54971e115c33fc57f3d78965cf219754c9393d263b

SHA512
86b92910f06320ae2500690a96111cc25a965858c6b86b5b649f884d43f942c0923a3ac35f694685ce75bb52fdd1c262dfa7058a8e7d059da4aa6be3aa3db93b

Download Submit
memory/292-79-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/292-86-0x000000000247B000-0x00000000024B2000-memory.dmp

Filesize
220KB

Download
memory/292-85-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/292-77-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/292-78-0x000000001B1B0000-0x000000001B492000-memory.dmp

Filesize
2.9MB

Download
memory/588-71-0x000000001A550000-0x000000001A5D0000-memory.dmp

Filesize
512KB

Download
memory/588-70-0x0000000000300000-0x000000000035A000-memory.dmp

Filesize
360KB

Download
memory/1388-80-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1388-82-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1388-84-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1388-88-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/1388-126-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/1676-54-0x00000000013E0000-0x000000000143A000-memory.dmp

Filesize
360KB

Download
memory/1676-56-0x000000001AD50000-0x000000001ADD0000-memory.dmp

Filesize
512KB

Download
memory/1676-55-0x0000000000B10000-0x0000000000B68000-memory.dmp

Filesize
352KB

Download