asyncrat | f464d1eca16652727a68d9ba70a7760e992063907b2d9b3889d9accf0d0dc9ae

General

Target

vnm/VenomRAT_HVNC.exe
Size

16.8MB
MD5

d8291744ad4573fbc0c2f82b1ada7bec
SHA1

94960ccdc763248cb03e29d3f7b5ac5e20c7c501
SHA256

69821fd27dd83d225fc21c799b8223d416985ad4a3bb5e78586b6d319e77f351
SHA512

30f2110a990a541bc64b065b9615581356bdd682765e813d9b0bf32d68cd7dd559498a4e719085b514b7258380681eb7d1789ce2879973f45e18c2050b1266ce
SSDEEP

393216:0nu7cCgkszHR7G6lrbkDlyoB+Lj19TRA282+yKGoAZGPcFl:0rDhG61qyoBY7q282+JPA4E

Score

10^/10

asyncrat ctovnm rat

Malware Config

Extracted

Family

asyncrat

Version

VenomRAT_HVNC 5.0.4

Botnet

ctovnm

C2

85.31.45.6:4444

Mutex

OWAsgnAMn

Attributes

delay
0
install
true
install_file
VenomStartup.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 8 IoCs

rat

resource	yara_rule
behavioral5/files/0x0009000000023043-149.dat	asyncrat
behavioral5/files/0x0009000000023043-160.dat	asyncrat
behavioral5/files/0x000a0000000231dd-169.dat	asyncrat
behavioral5/files/0x000a0000000231dd-170.dat	asyncrat
behavioral5/files/0x000a0000000231dd-164.dat	asyncrat
behavioral5/files/0x0009000000023043-172.dat	asyncrat
behavioral5/memory/1212-173-0x0000000000070000-0x0000000000086000-memory.dmp	asyncrat
behavioral5/memory/4140-178-0x0000000000190000-0x000000000122A000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	VenomRAT_HVNC.exe

Executes dropped EXE 2 IoCs

pid	Process
4140	VenomRAT_HVNC.exe
1212	vnm.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\vnm.exe	VenomRAT_HVNC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4628	4140	WerFault.exe	88
4372	1212	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4780	powershell.exe
4780	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeIncreaseQuotaPrivilege	1212	vnm.exe
Token: SeSecurityPrivilege	1212	vnm.exe
Token: SeTakeOwnershipPrivilege	1212	vnm.exe
Token: SeLoadDriverPrivilege	1212	vnm.exe
Token: SeSystemProfilePrivilege	1212	vnm.exe
Token: SeSystemtimePrivilege	1212	vnm.exe
Token: SeProfSingleProcessPrivilege	1212	vnm.exe
Token: SeIncBasePriorityPrivilege	1212	vnm.exe
Token: SeCreatePagefilePrivilege	1212	vnm.exe
Token: SeBackupPrivilege	1212	vnm.exe
Token: SeRestorePrivilege	1212	vnm.exe
Token: SeShutdownPrivilege	1212	vnm.exe
Token: SeDebugPrivilege	1212	vnm.exe
Token: SeSystemEnvironmentPrivilege	1212	vnm.exe
Token: SeRemoteShutdownPrivilege	1212	vnm.exe
Token: SeUndockPrivilege	1212	vnm.exe
Token: SeManageVolumePrivilege	1212	vnm.exe
Token: 33	1212	vnm.exe
Token: 34	1212	vnm.exe
Token: 35	1212	vnm.exe
Token: 36	1212	vnm.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3872 wrote to memory of 4780	3872	VenomRAT_HVNC.exe	86
PID 3872 wrote to memory of 4780	3872	VenomRAT_HVNC.exe	86
PID 3872 wrote to memory of 4140	3872	VenomRAT_HVNC.exe	88
PID 3872 wrote to memory of 4140	3872	VenomRAT_HVNC.exe	88
PID 3872 wrote to memory of 4140	3872	VenomRAT_HVNC.exe	88
PID 3872 wrote to memory of 1212	3872	VenomRAT_HVNC.exe	89
PID 3872 wrote to memory of 1212	3872	VenomRAT_HVNC.exe	89

C:\Users\Admin\AppData\Local\Temp\vnm\VenomRAT_HVNC.exe
"C:\Users\Admin\AppData\Local\Temp\vnm\VenomRAT_HVNC.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZQBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAYwB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHUAeABoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAcgBsACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\VenomRAT_HVNC.exe
  "C:\Users\Admin\AppData\Local\Temp\VenomRAT_HVNC.exe"
  2⤵
  - Executes dropped EXE
  PID:4140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 1056
    3⤵
    - Program crash
    PID:4628
- C:\Windows\vnm.exe
  "C:\Windows\vnm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1212 -s 1148
    3⤵
    - Program crash
    PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4140 -ip 4140
1⤵
PID:2296

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 488 -p 1212 -ip 1212
1⤵
PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VenomRAT_HVNC.exe

Filesize
16.6MB

MD5
5384c0396589430eeb3d1a2e05703e9a

SHA1
20da44da7639bbef2f6b5bfc21df7474cd1109af

SHA256
b4250aff983f1f588593baed1adb4797e6c1ab6225595ebd013b50348a57a459

SHA512
9bf613ee62b0e56af500dd88f572b2221ad6df63b0b4c0dcb0ef763efcebeac633a95f10dfce90f6cff038df2810681dd55dcdd272eb9f907c670cc2e4f7363a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VenomRAT_HVNC.exe

Filesize
16.6MB

MD5
5384c0396589430eeb3d1a2e05703e9a

SHA1
20da44da7639bbef2f6b5bfc21df7474cd1109af

SHA256
b4250aff983f1f588593baed1adb4797e6c1ab6225595ebd013b50348a57a459

SHA512
9bf613ee62b0e56af500dd88f572b2221ad6df63b0b4c0dcb0ef763efcebeac633a95f10dfce90f6cff038df2810681dd55dcdd272eb9f907c670cc2e4f7363a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VenomRAT_HVNC.exe

Filesize
16.6MB

MD5
5384c0396589430eeb3d1a2e05703e9a

SHA1
20da44da7639bbef2f6b5bfc21df7474cd1109af

SHA256
b4250aff983f1f588593baed1adb4797e6c1ab6225595ebd013b50348a57a459

SHA512
9bf613ee62b0e56af500dd88f572b2221ad6df63b0b4c0dcb0ef763efcebeac633a95f10dfce90f6cff038df2810681dd55dcdd272eb9f907c670cc2e4f7363a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bonoldnv.4pa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\vnm.exe

Filesize
65KB

MD5
ab28aa2b77bf291b81076ce783489391

SHA1
aa0218f9cd0361792c3810bdae345f4128ada396

SHA256
cd6e2c8f97e768be2d21a0ad0af35317a682f4aba4ba8d6f62d94aba745da45d

SHA512
dc791aabade2518012d7f6ea76518eda96e311cb2dbe10695f263e6720fd5f9f55503c200336bec17490e06565e65b3c910bd808e7027358f79edc79277fe0cc

Download Submit
C:\Windows\vnm.exe

Filesize
65KB

MD5
ab28aa2b77bf291b81076ce783489391

SHA1
aa0218f9cd0361792c3810bdae345f4128ada396

SHA256
cd6e2c8f97e768be2d21a0ad0af35317a682f4aba4ba8d6f62d94aba745da45d

SHA512
dc791aabade2518012d7f6ea76518eda96e311cb2dbe10695f263e6720fd5f9f55503c200336bec17490e06565e65b3c910bd808e7027358f79edc79277fe0cc

Download Submit
C:\Windows\vnm.exe

Filesize
65KB

MD5
ab28aa2b77bf291b81076ce783489391

SHA1
aa0218f9cd0361792c3810bdae345f4128ada396

SHA256
cd6e2c8f97e768be2d21a0ad0af35317a682f4aba4ba8d6f62d94aba745da45d

SHA512
dc791aabade2518012d7f6ea76518eda96e311cb2dbe10695f263e6720fd5f9f55503c200336bec17490e06565e65b3c910bd808e7027358f79edc79277fe0cc

Download Submit
memory/1212-188-0x00007FF9A7D80000-0x00007FF9A8841000-memory.dmp

Filesize
10.8MB

Download
memory/1212-173-0x0000000000070000-0x0000000000086000-memory.dmp

Filesize
88KB

Download
memory/1212-174-0x00007FF9A7D80000-0x00007FF9A8841000-memory.dmp

Filesize
10.8MB

Download
memory/3872-133-0x0000000000BA0000-0x0000000001C6C000-memory.dmp

Filesize
16.8MB

Download
memory/3872-135-0x000000001C8B0000-0x000000001C8C0000-memory.dmp

Filesize
64KB

Download
memory/3872-175-0x00007FF9A7D80000-0x00007FF9A8841000-memory.dmp

Filesize
10.8MB

Download
memory/3872-134-0x00007FF9A7D80000-0x00007FF9A8841000-memory.dmp

Filesize
10.8MB

Download
memory/4140-179-0x00000000060F0000-0x0000000006694000-memory.dmp

Filesize
5.6MB

Download
memory/4140-183-0x0000000005A80000-0x0000000005A92000-memory.dmp

Filesize
72KB

Download
memory/4140-187-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/4140-185-0x0000000005CE0000-0x0000000005CF0000-memory.dmp

Filesize
64KB

Download
memory/4140-176-0x0000000074420000-0x0000000074BD0000-memory.dmp

Filesize
7.7MB

Download
memory/4140-186-0x0000000005B20000-0x0000000005B2A000-memory.dmp

Filesize
40KB

Download
memory/4140-178-0x0000000000190000-0x000000000122A000-memory.dmp

Filesize
16.6MB

Download
memory/4140-182-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/4780-155-0x000001B129350000-0x000001B129360000-memory.dmp

Filesize
64KB

Download
memory/4780-184-0x00007FF9A7D80000-0x00007FF9A8841000-memory.dmp

Filesize
10.8MB

Download
memory/4780-177-0x000001B129350000-0x000001B129360000-memory.dmp

Filesize
64KB

Download
memory/4780-156-0x000001B129350000-0x000001B129360000-memory.dmp

Filesize
64KB

Download
memory/4780-154-0x00007FF9A7D80000-0x00007FF9A8841000-memory.dmp

Filesize
10.8MB

Download
memory/4780-157-0x000001B129350000-0x000001B129360000-memory.dmp

Filesize
64KB

Download
memory/4780-153-0x000001B12B620000-0x000001B12B642000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing