asyncrat | 2869fbcf083c03c7cd55e45661f6df089fdf169b1719d5052a52e2e386bf3a6d

General

Target

file.exe
Size

336KB
MD5

7f5fd6228a8d8edf2c88d1b34cb8c847
SHA1

408049adf245bcad778add0903c6803a4d691d3f
SHA256

2869fbcf083c03c7cd55e45661f6df089fdf169b1719d5052a52e2e386bf3a6d
SHA512

4ec90147cdace22b9a14d776fe28837994689553aeef682597a4e218a44ca68a0227131987ed28f6458ca6ba478f2e1f39785f99c98154a301a5affb37a755ab
SSDEEP

6144:DT9zpYsT9/xBDwYQJkaLVo/DtBI6C39gMGHQuwDBOknXcMbE+:DYsZ/bxQJDVODtBtOgOuYO8Xb

Score

10^/10

asyncrat default evasion persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.1

Botnet

Default

Mutex

vrmctetyuyojxzjvffl

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/WD485ntt

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1912-154-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3016 svchost.exe

pid	process
3016	svchost.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	file.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 3016 set thread context of 1912 3016 svchost.exe jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2120 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1368 timeout.exe

description	pid	process	target process
PID 3016 set thread context of 1912	3016	svchost.exe	jsc.exe

pid	process
2120	schtasks.exe

pid	process
1368	timeout.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

file.exesvchost.exepowershell.exejsc.exe

pid	process
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3960	file.exe
3016	svchost.exe
3016	svchost.exe
672	powershell.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
3016	svchost.exe
672	powershell.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe
1912	jsc.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

svchost.exe

pid process

3016 svchost.exe

pid	process
3016	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file.exesvchost.exepowershell.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	3960	file.exe
Token: SeDebugPrivilege	3016	svchost.exe
Token: SeDebugPrivilege	3016	svchost.exe
Token: SeLoadDriverPrivilege	3016	svchost.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	1912	jsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jsc.exe

pid process

1912 jsc.exe

pid	process
1912	jsc.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

file.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 3960 wrote to memory of 1436	3960	file.exe	cmd.exe
PID 3960 wrote to memory of 1436	3960	file.exe	cmd.exe
PID 3960 wrote to memory of 1596	3960	file.exe	cmd.exe
PID 3960 wrote to memory of 1596	3960	file.exe	cmd.exe
PID 1596 wrote to memory of 1368	1596	cmd.exe	timeout.exe
PID 1596 wrote to memory of 1368	1596	cmd.exe	timeout.exe
PID 1436 wrote to memory of 2120	1436	cmd.exe	schtasks.exe
PID 1436 wrote to memory of 2120	1436	cmd.exe	schtasks.exe
PID 1596 wrote to memory of 3016	1596	cmd.exe	svchost.exe
PID 1596 wrote to memory of 3016	1596	cmd.exe	svchost.exe
PID 3016 wrote to memory of 672	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 672	3016	svchost.exe	powershell.exe
PID 3016 wrote to memory of 4916	3016	svchost.exe	ComSvcConfig.exe
PID 3016 wrote to memory of 4916	3016	svchost.exe	ComSvcConfig.exe
PID 3016 wrote to memory of 1424	3016	svchost.exe	ngentask.exe
PID 3016 wrote to memory of 1424	3016	svchost.exe	ngentask.exe
PID 3016 wrote to memory of 3356	3016	svchost.exe	aspnet_wp.exe
PID 3016 wrote to memory of 3356	3016	svchost.exe	aspnet_wp.exe
PID 3016 wrote to memory of 3824	3016	svchost.exe	RegSvcs.exe
PID 3016 wrote to memory of 3824	3016	svchost.exe	RegSvcs.exe
PID 3016 wrote to memory of 1912	3016	svchost.exe	jsc.exe
PID 3016 wrote to memory of 1912	3016	svchost.exe	jsc.exe
PID 3016 wrote to memory of 1912	3016	svchost.exe	jsc.exe
PID 3016 wrote to memory of 1912	3016	svchost.exe	jsc.exe
PID 3016 wrote to memory of 1912	3016	svchost.exe	jsc.exe
PID 3016 wrote to memory of 1912	3016	svchost.exe	jsc.exe
PID 3016 wrote to memory of 1912	3016	svchost.exe	jsc.exe
PID 3016 wrote to memory of 1912	3016	svchost.exe	jsc.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp956A.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1368

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- UAC bypass
- Windows security bypass
- Sets service image path in registry
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
4⤵
PID:4916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
4⤵
PID:1424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
4⤵
PID:3356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
4⤵
PID:3824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

2

T1060

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

3

T1089

Modify Registry

6

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xexghpnb.nwz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp956A.tmp.bat
Filesize
151B

MD5
3b1f7ec8f026af9f48af011c94964700

SHA1
a5d0862552dc1a9ca25519933d55fc7b5a4e06f5

SHA256
86b1b0a546ce96cd0093cddf49314a1cb0f17ae000cfa3b6fa6ae7c92995d8ee

SHA512
03f6000f012d40b95e2b8b84f192d09c4bb332c8fe911c5e6fa5aa638fa48611860600befbdf3f4884589675d75144d543b5bcd727bdb20361eb669451250ff8

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
336KB

MD5
7f5fd6228a8d8edf2c88d1b34cb8c847

SHA1
408049adf245bcad778add0903c6803a4d691d3f

SHA256
2869fbcf083c03c7cd55e45661f6df089fdf169b1719d5052a52e2e386bf3a6d

SHA512
4ec90147cdace22b9a14d776fe28837994689553aeef682597a4e218a44ca68a0227131987ed28f6458ca6ba478f2e1f39785f99c98154a301a5affb37a755ab

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
336KB

MD5
7f5fd6228a8d8edf2c88d1b34cb8c847

SHA1
408049adf245bcad778add0903c6803a4d691d3f

SHA256
2869fbcf083c03c7cd55e45661f6df089fdf169b1719d5052a52e2e386bf3a6d

SHA512
4ec90147cdace22b9a14d776fe28837994689553aeef682597a4e218a44ca68a0227131987ed28f6458ca6ba478f2e1f39785f99c98154a301a5affb37a755ab

Download Submit
memory/672-153-0x00000185A5930000-0x00000185A5952000-memory.dmp

Filesize
136KB

Download
memory/672-156-0x00000185A59F0000-0x00000185A5A00000-memory.dmp

Filesize
64KB

Download
memory/672-157-0x00000185A59F0000-0x00000185A5A00000-memory.dmp

Filesize
64KB

Download
memory/1912-154-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1912-160-0x00000000058D0000-0x0000000005E74000-memory.dmp

Filesize
5.6MB

Download
memory/1912-162-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/1912-163-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/1912-164-0x0000000005F20000-0x0000000005FB2000-memory.dmp

Filesize
584KB

Download
memory/1912-165-0x0000000006820000-0x000000000682A000-memory.dmp

Filesize
40KB

Download
memory/3960-133-0x000001735FB50000-0x000001735FBA8000-memory.dmp

Filesize
352KB

Download
memory/3960-134-0x000001737A0D0000-0x000001737A0E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads