asyncrat | 8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6

General

Target

8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe
Size

7.5MB
MD5

64023657cca817495e94afe5f8887be2
SHA1

d55e3d9b41c4cee294cce54964f7e7d7d8788d01
SHA256

8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6
SHA512

c59bd6edf885ca94b0b023746c514566f0f9546a7171476bdd82926cc0caac4710f0a787da0fc8a4fb27601eed9fec1f123680d135f8d5141358d00b2eaa50cb
SSDEEP

98304:ax3zJiOlgXb/hT3y9eLAOk2stoG6isn5MsXSlmxetu1SPbgMp30ac5A8O7KaIBtd:akF3mesOJGX6d4EegATDT8cGZkYg2qp

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.1

Botnet

Default

C2

185.106.94.122:4449

Mutex

nrasbnbyxirll

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/3744-144-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1736 set thread context of 3744	1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1252	3744	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe
1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe
1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe
3744	InstallUtil.exe
3744	InstallUtil.exe
3744	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe
Token: SeDebugPrivilege	3744	InstallUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3744	InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 3744	1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe	87
PID 1736 wrote to memory of 3744	1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe	87
PID 1736 wrote to memory of 3744	1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe	87
PID 1736 wrote to memory of 3744	1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe	87
PID 1736 wrote to memory of 3744	1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe	87
PID 1736 wrote to memory of 3744	1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe	87
PID 1736 wrote to memory of 3744	1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe	87
PID 1736 wrote to memory of 3744	1736	8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe	87

C:\Users\Admin\AppData\Local\Temp\8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe
"C:\Users\Admin\AppData\Local\Temp\8817a1e8ad3bacc4b983ea52a54fe54b595a75986978ff60e331f8a134aafbd6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 2648
    3⤵
    - Program crash
    PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3744 -ip 3744
1⤵
PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1736-143-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/1736-142-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/1736-135-0x0000000005FC0000-0x0000000006564000-memory.dmp

Filesize
5.6MB

Download
memory/1736-136-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/1736-137-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/1736-138-0x0000000005990000-0x000000000599A000-memory.dmp

Filesize
40KB

Download
memory/1736-139-0x00000000070E0000-0x000000000717C000-memory.dmp

Filesize
624KB

Download
memory/1736-140-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/1736-141-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/1736-147-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/1736-134-0x0000000000A30000-0x00000000011B0000-memory.dmp

Filesize
7.5MB

Download
memory/1736-133-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/3744-144-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3744-146-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/3744-149-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/3744-150-0x00000000778C1000-0x00000000778C2000-memory.dmp

Filesize
4KB

Download
memory/3744-153-0x00000000062A0000-0x0000000006306000-memory.dmp

Filesize
408KB

Download
memory/3744-154-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/3744-156-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/3744-157-0x0000000006CB0000-0x0000000006D26000-memory.dmp

Filesize
472KB

Download
memory/3744-158-0x0000000006E50000-0x0000000006E6E000-memory.dmp

Filesize
120KB

Download
memory/3744-197-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing