asyncrat | 1a9ad5f2a8a4cc93a5244200d46288948daec3ae9387d5fc66799d52d77a587c

General

Target

f9391638fc3c6dec9b7319d1c8adeebb.exe
Size

68KB
MD5

f9391638fc3c6dec9b7319d1c8adeebb
SHA1

84e442eee76140490409219f0419dd58d2ea4820
SHA256

1a9ad5f2a8a4cc93a5244200d46288948daec3ae9387d5fc66799d52d77a587c
SHA512

38419ba8ce831a63a831a6ca1c27028a5a1b432be61fae885e684d5affa436413145dd1c5f07eb2e66ee3d26d8228878ed8608551f1a05de3ccd89e97e0e4a4e
SSDEEP

1536:fJWnX1QHsrLhSBjCeeiIVrGbbXw+39wG5/FpqKmY7:fJWnX1QHsrLqjbeXGbbX739J/+z

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

138.197.66.62:22256

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
Match-Ventures.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/1380-0-0x0000000000CB0000-0x0000000000CC8000-memory.dmp	asyncrat
behavioral2/files/0x00080000000231dd-13.dat	asyncrat
behavioral2/files/0x00080000000231dd-12.dat	asyncrat

Executes dropped EXE 1 IoCs

pid	Process
4988	Match-Ventures.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1444	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1224	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
1380	f9391638fc3c6dec9b7319d1c8adeebb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	f9391638fc3c6dec9b7319d1c8adeebb.exe
Token: SeDebugPrivilege	4988	Match-Ventures.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 3700	1380	f9391638fc3c6dec9b7319d1c8adeebb.exe	81
PID 1380 wrote to memory of 3700	1380	f9391638fc3c6dec9b7319d1c8adeebb.exe	81
PID 1380 wrote to memory of 4900	1380	f9391638fc3c6dec9b7319d1c8adeebb.exe	82
PID 1380 wrote to memory of 4900	1380	f9391638fc3c6dec9b7319d1c8adeebb.exe	82
PID 4900 wrote to memory of 1224	4900	cmd.exe	85
PID 4900 wrote to memory of 1224	4900	cmd.exe	85
PID 3700 wrote to memory of 1444	3700	cmd.exe	86
PID 3700 wrote to memory of 1444	3700	cmd.exe	86
PID 4900 wrote to memory of 4988	4900	cmd.exe	91
PID 4900 wrote to memory of 4988	4900	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\f9391638fc3c6dec9b7319d1c8adeebb.exe
"C:\Users\Admin\AppData\Local\Temp\f9391638fc3c6dec9b7319d1c8adeebb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Match-Ventures" /tr '"C:\Users\Admin\AppData\Roaming\Match-Ventures.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Match-Ventures" /tr '"C:\Users\Admin\AppData\Roaming\Match-Ventures.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8146.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1224
- - C:\Users\Admin\AppData\Roaming\Match-Ventures.exe
    "C:\Users\Admin\AppData\Roaming\Match-Ventures.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8146.tmp.bat

Filesize
158B

MD5
33b23cd8972ea616a80d473717d196eb

SHA1
db767b8b7b7f57ddf98e99ffe8c156ed91eae095

SHA256
b28460c786b1927e44067b5e6c45163330e20b184d3b60cd0d529bbc55f0332f

SHA512
e683d09bf5f2f6646ed132fab1b9f8f8f0f00932f234e46a0876a75949d0d388ae46acfcad4d90cd629402dc9d6151a25e3e5a40484777665d23fe325735c757

Download Submit
C:\Users\Admin\AppData\Roaming\Match-Ventures.exe

Filesize
68KB

MD5
f9391638fc3c6dec9b7319d1c8adeebb

SHA1
84e442eee76140490409219f0419dd58d2ea4820

SHA256
1a9ad5f2a8a4cc93a5244200d46288948daec3ae9387d5fc66799d52d77a587c

SHA512
38419ba8ce831a63a831a6ca1c27028a5a1b432be61fae885e684d5affa436413145dd1c5f07eb2e66ee3d26d8228878ed8608551f1a05de3ccd89e97e0e4a4e

Download Submit
C:\Users\Admin\AppData\Roaming\Match-Ventures.exe

Filesize
68KB

MD5
f9391638fc3c6dec9b7319d1c8adeebb

SHA1
84e442eee76140490409219f0419dd58d2ea4820

SHA256
1a9ad5f2a8a4cc93a5244200d46288948daec3ae9387d5fc66799d52d77a587c

SHA512
38419ba8ce831a63a831a6ca1c27028a5a1b432be61fae885e684d5affa436413145dd1c5f07eb2e66ee3d26d8228878ed8608551f1a05de3ccd89e97e0e4a4e

Download Submit
memory/1380-7-0x00007FF9C5DD0000-0x00007FF9C5FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1380-8-0x00007FF9A8500000-0x00007FF9A8FC1000-memory.dmp

Filesize
10.8MB

Download
memory/1380-9-0x00007FF9C5DD0000-0x00007FF9C5FC5000-memory.dmp

Filesize
2.0MB

Download
memory/1380-0-0x0000000000CB0000-0x0000000000CC8000-memory.dmp

Filesize
96KB

Download
memory/1380-2-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

Filesize
64KB

Download
memory/1380-1-0x00007FF9A8500000-0x00007FF9A8FC1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-14-0x00007FF9A7FB0000-0x00007FF9A8A71000-memory.dmp

Filesize
10.8MB

Download
memory/4988-15-0x000000001BC70000-0x000000001BC80000-memory.dmp

Filesize
64KB

Download
memory/4988-16-0x00007FF9A7FB0000-0x00007FF9A8A71000-memory.dmp

Filesize
10.8MB

Download
memory/4988-17-0x000000001BC70000-0x000000001BC80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads