asyncrat | 30e641405af2fa5bc1a705bf239a45bf8b8e42d6bf2c2692d98299d4a8ff344e

General

Target

93e7784defa1b30dcc93427bae186724.exe
Size

1.3MB
MD5

93e7784defa1b30dcc93427bae186724
SHA1

eb20295f9ee17ce56965fc426c347a4fa7992fcc
SHA256

30e641405af2fa5bc1a705bf239a45bf8b8e42d6bf2c2692d98299d4a8ff344e
SHA512

abb0dde73b5c7b48335ffe7c1b42870921505b598c7e926ce0fc7e0298d0f0c3d826b8a735144003a5823c9af76ebd7a1d340988f73705910f00cdf8641ba13c
SSDEEP

12288:suyj5aH+AStprOKd+RyAWjOXjrWq7WWXFpdp8LxwrLqgpwZWpT6oIfo1AfBNAWUU:L+Ltbd+R2OXjrWq51pmxwrNpKWZ6D

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

138.197.66.62:22256

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
Match-Ventures.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4380-6-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat

Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

93e7784defa1b30dcc93427bae186724.exeMatch-Ventures.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pekmez.lnk	93e7784defa1b30dcc93427bae186724.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pekmez.lnk	Match-Ventures.exe

Executes dropped EXE 2 IoCs

Processes:

Match-Ventures.exeMatch-Ventures.exe

pid process

3412 Match-Ventures.exe
4492 Match-Ventures.exe

pid	process
3412	Match-Ventures.exe
4492	Match-Ventures.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

93e7784defa1b30dcc93427bae186724.exeMatch-Ventures.exe

description	pid	process	target process
PID 960 set thread context of 4380	960	93e7784defa1b30dcc93427bae186724.exe	93e7784defa1b30dcc93427bae186724.exe
PID 3412 set thread context of 4492	3412	Match-Ventures.exe	Match-Ventures.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1744 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4080 timeout.exe

pid	process
1744	schtasks.exe

pid	process
4080	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

93e7784defa1b30dcc93427bae186724.exe

pid	process
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe
4380	93e7784defa1b30dcc93427bae186724.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

93e7784defa1b30dcc93427bae186724.exe93e7784defa1b30dcc93427bae186724.exeMatch-Ventures.exeMatch-Ventures.exe

description	pid	process
Token: SeDebugPrivilege	960	93e7784defa1b30dcc93427bae186724.exe
Token: SeDebugPrivilege	4380	93e7784defa1b30dcc93427bae186724.exe
Token: SeDebugPrivilege	3412	Match-Ventures.exe
Token: SeDebugPrivilege	4492	Match-Ventures.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

93e7784defa1b30dcc93427bae186724.exe93e7784defa1b30dcc93427bae186724.execmd.execmd.exeMatch-Ventures.exe

description	pid	process	target process
PID 960 wrote to memory of 4380	960	93e7784defa1b30dcc93427bae186724.exe	93e7784defa1b30dcc93427bae186724.exe
PID 960 wrote to memory of 4380	960	93e7784defa1b30dcc93427bae186724.exe	93e7784defa1b30dcc93427bae186724.exe
PID 960 wrote to memory of 4380	960	93e7784defa1b30dcc93427bae186724.exe	93e7784defa1b30dcc93427bae186724.exe
PID 960 wrote to memory of 4380	960	93e7784defa1b30dcc93427bae186724.exe	93e7784defa1b30dcc93427bae186724.exe
PID 960 wrote to memory of 4380	960	93e7784defa1b30dcc93427bae186724.exe	93e7784defa1b30dcc93427bae186724.exe
PID 960 wrote to memory of 4380	960	93e7784defa1b30dcc93427bae186724.exe	93e7784defa1b30dcc93427bae186724.exe
PID 960 wrote to memory of 4380	960	93e7784defa1b30dcc93427bae186724.exe	93e7784defa1b30dcc93427bae186724.exe
PID 960 wrote to memory of 4380	960	93e7784defa1b30dcc93427bae186724.exe	93e7784defa1b30dcc93427bae186724.exe
PID 4380 wrote to memory of 1096	4380	93e7784defa1b30dcc93427bae186724.exe	cmd.exe
PID 4380 wrote to memory of 1096	4380	93e7784defa1b30dcc93427bae186724.exe	cmd.exe
PID 4380 wrote to memory of 1096	4380	93e7784defa1b30dcc93427bae186724.exe	cmd.exe
PID 4380 wrote to memory of 4116	4380	93e7784defa1b30dcc93427bae186724.exe	cmd.exe
PID 4380 wrote to memory of 4116	4380	93e7784defa1b30dcc93427bae186724.exe	cmd.exe
PID 4380 wrote to memory of 4116	4380	93e7784defa1b30dcc93427bae186724.exe	cmd.exe
PID 1096 wrote to memory of 1744	1096	cmd.exe	schtasks.exe
PID 1096 wrote to memory of 1744	1096	cmd.exe	schtasks.exe
PID 1096 wrote to memory of 1744	1096	cmd.exe	schtasks.exe
PID 4116 wrote to memory of 4080	4116	cmd.exe	timeout.exe
PID 4116 wrote to memory of 4080	4116	cmd.exe	timeout.exe
PID 4116 wrote to memory of 4080	4116	cmd.exe	timeout.exe
PID 4116 wrote to memory of 3412	4116	cmd.exe	Match-Ventures.exe
PID 4116 wrote to memory of 3412	4116	cmd.exe	Match-Ventures.exe
PID 4116 wrote to memory of 3412	4116	cmd.exe	Match-Ventures.exe
PID 3412 wrote to memory of 4492	3412	Match-Ventures.exe	Match-Ventures.exe
PID 3412 wrote to memory of 4492	3412	Match-Ventures.exe	Match-Ventures.exe
PID 3412 wrote to memory of 4492	3412	Match-Ventures.exe	Match-Ventures.exe
PID 3412 wrote to memory of 4492	3412	Match-Ventures.exe	Match-Ventures.exe
PID 3412 wrote to memory of 4492	3412	Match-Ventures.exe	Match-Ventures.exe
PID 3412 wrote to memory of 4492	3412	Match-Ventures.exe	Match-Ventures.exe
PID 3412 wrote to memory of 4492	3412	Match-Ventures.exe	Match-Ventures.exe
PID 3412 wrote to memory of 4492	3412	Match-Ventures.exe	Match-Ventures.exe

C:\Users\Admin\AppData\Local\Temp\93e7784defa1b30dcc93427bae186724.exe
"C:\Users\Admin\AppData\Local\Temp\93e7784defa1b30dcc93427bae186724.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\93e7784defa1b30dcc93427bae186724.exe
"C:\Users\Admin\AppData\Local\Temp\93e7784defa1b30dcc93427bae186724.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Match-Ventures" /tr '"C:\Users\Admin\AppData\Roaming\Match-Ventures.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Match-Ventures" /tr '"C:\Users\Admin\AppData\Roaming\Match-Ventures.exe"'
4⤵
- Creates scheduled task(s)
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9A7B.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4080

C:\Users\Admin\AppData\Roaming\Match-Ventures.exe
"C:\Users\Admin\AppData\Roaming\Match-Ventures.exe"
4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Admin\AppData\Roaming\Match-Ventures.exe
"C:\Users\Admin\AppData\Roaming\Match-Ventures.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\93e7784defa1b30dcc93427bae186724.exe.log
Filesize
1KB

MD5
b489b1bc475b3d4f03f45dbca1f74682

SHA1
f5e0fbd6e64a880731751135cf968fabc6effb8a

SHA256
e655ea0158cc09d517c5c106c25f73060c4f126ff31480395ebd0816efa7ebf2

SHA512
d03a7c00407462913d8fd02c042d622911e69b069522f2377685ab7975390ebc2a535324bfe3b4253fc97ed1df22c23a988d095ec1a00821ade98179adb4a814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Match-Ventures.exe.log
Filesize
1KB

MD5
b489b1bc475b3d4f03f45dbca1f74682

SHA1
f5e0fbd6e64a880731751135cf968fabc6effb8a

SHA256
e655ea0158cc09d517c5c106c25f73060c4f126ff31480395ebd0816efa7ebf2

SHA512
d03a7c00407462913d8fd02c042d622911e69b069522f2377685ab7975390ebc2a535324bfe3b4253fc97ed1df22c23a988d095ec1a00821ade98179adb4a814

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A7B.tmp.bat
Filesize
158B

MD5
25b02f1a25478019a2c56f9ee2a2f845

SHA1
adaff36e192a218a8455603dfe6942892dad7149

SHA256
54887e031c65998513659adfdafc910f528c12a07a02f9b781c147f25a70d17c

SHA512
258a1ec8fb76fbbb1dfc4f25f89c927f7378935e40962bc43ff73e28aee38ec950d1f8ee5d30d5827826f0e4cb5c046d4511108b7195351420f9add80b9b61d8

Download Submit
C:\Users\Admin\AppData\Roaming\Match-Ventures.exe
Filesize
1.3MB

MD5
93e7784defa1b30dcc93427bae186724

SHA1
eb20295f9ee17ce56965fc426c347a4fa7992fcc

SHA256
30e641405af2fa5bc1a705bf239a45bf8b8e42d6bf2c2692d98299d4a8ff344e

SHA512
abb0dde73b5c7b48335ffe7c1b42870921505b598c7e926ce0fc7e0298d0f0c3d826b8a735144003a5823c9af76ebd7a1d340988f73705910f00cdf8641ba13c

Download Submit
C:\Users\Admin\AppData\Roaming\Match-Ventures.exe
Filesize
1.3MB

MD5
93e7784defa1b30dcc93427bae186724

SHA1
eb20295f9ee17ce56965fc426c347a4fa7992fcc

SHA256
30e641405af2fa5bc1a705bf239a45bf8b8e42d6bf2c2692d98299d4a8ff344e

SHA512
abb0dde73b5c7b48335ffe7c1b42870921505b598c7e926ce0fc7e0298d0f0c3d826b8a735144003a5823c9af76ebd7a1d340988f73705910f00cdf8641ba13c

Download Submit
C:\Users\Admin\AppData\Roaming\Match-Ventures.exe
Filesize
1.3MB

MD5
93e7784defa1b30dcc93427bae186724

SHA1
eb20295f9ee17ce56965fc426c347a4fa7992fcc

SHA256
30e641405af2fa5bc1a705bf239a45bf8b8e42d6bf2c2692d98299d4a8ff344e

SHA512
abb0dde73b5c7b48335ffe7c1b42870921505b598c7e926ce0fc7e0298d0f0c3d826b8a735144003a5823c9af76ebd7a1d340988f73705910f00cdf8641ba13c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pekmez.lnk
Filesize
1KB

MD5
b74ed97865b29c5ac798714a341b79c8

SHA1
397cb0db26b31c203f43d5d5f18a7f2ce9af839e

SHA256
3b23921490c5d13b65e65b3a7168e60cc7bc91ccdb7c71957e1fe2e83de936d8

SHA512
ff0c59307caf9b911bec0c751fd07b4d817a548a2d205b13df961ed0c3e4d7d97932bc68c7a87062f12d02626a69bd78d97a84aa62e2ca068a0a91507c31375f

Download Submit
memory/960-10-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/960-2-0x00000000050A0000-0x000000000513C000-memory.dmp

Filesize
624KB

Download
memory/960-0-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/960-1-0x0000000000530000-0x000000000067C000-memory.dmp

Filesize
1.3MB

Download
memory/960-3-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/960-5-0x0000000005FF0000-0x0000000006000000-memory.dmp

Filesize
64KB

Download
memory/3412-21-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/3412-24-0x00000000064E0000-0x00000000064F0000-memory.dmp

Filesize
64KB

Download
memory/3412-29-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4380-16-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4380-9-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4380-6-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4380-12-0x00000000779C1000-0x00000000779C2000-memory.dmp

Filesize
4KB

Download
memory/4380-11-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4492-33-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/4492-30-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download
memory/4492-31-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/4492-32-0x0000000074EC0000-0x0000000075670000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads