asyncrat | 240c710c0e9ac872803407490fd60e67ec7bc970326f8938608320ccee52e36a

General

Target

c10fcea2721002bd22ed2d3b7572b50d.exe
Size

68KB
MD5

c10fcea2721002bd22ed2d3b7572b50d
SHA1

2d27c6a7591e6280b34349d58ec615e9509ab2cd
SHA256

240c710c0e9ac872803407490fd60e67ec7bc970326f8938608320ccee52e36a
SHA512

745ade289f0f51a925e413de11fc5962d583987e039069a2c52415da358eb294633eef310b6b484bd7515ee385eb5db873924cd6a95e5e759f0dd4178e4e1ae6
SSDEEP

1536:XhSjnRQ/kVJmV/WeeiIVrGbbXw2XslYGFqopqKmY7:XhSjnRQ/kVC/PeXGbbXoHqzz

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

138.197.66.62:22596

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
Game GTA.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4324-0-0x00000000004F0000-0x0000000000508000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\Game GTA.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Game GTA.exe	asyncrat

Executes dropped EXE 1 IoCs

Processes:

Game GTA.exe

pid process

4468 Game GTA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2636 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3292 timeout.exe

pid	process
4468	Game GTA.exe

pid	process
2636	schtasks.exe

pid	process
3292	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

c10fcea2721002bd22ed2d3b7572b50d.exe

pid	process
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe
4324	c10fcea2721002bd22ed2d3b7572b50d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c10fcea2721002bd22ed2d3b7572b50d.exeGame GTA.exe

description pid process

Token: SeDebugPrivilege 4324 c10fcea2721002bd22ed2d3b7572b50d.exe
Token: SeDebugPrivilege 4468 Game GTA.exe

description	pid	process
Token: SeDebugPrivilege	4324	c10fcea2721002bd22ed2d3b7572b50d.exe
Token: SeDebugPrivilege	4468	Game GTA.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

c10fcea2721002bd22ed2d3b7572b50d.execmd.execmd.exe

description	pid	process	target process
PID 4324 wrote to memory of 3928	4324	c10fcea2721002bd22ed2d3b7572b50d.exe	cmd.exe
PID 4324 wrote to memory of 3928	4324	c10fcea2721002bd22ed2d3b7572b50d.exe	cmd.exe
PID 4324 wrote to memory of 1184	4324	c10fcea2721002bd22ed2d3b7572b50d.exe	cmd.exe
PID 4324 wrote to memory of 1184	4324	c10fcea2721002bd22ed2d3b7572b50d.exe	cmd.exe
PID 1184 wrote to memory of 3292	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 3292	1184	cmd.exe	timeout.exe
PID 3928 wrote to memory of 2636	3928	cmd.exe	schtasks.exe
PID 3928 wrote to memory of 2636	3928	cmd.exe	schtasks.exe
PID 1184 wrote to memory of 4468	1184	cmd.exe	Game GTA.exe
PID 1184 wrote to memory of 4468	1184	cmd.exe	Game GTA.exe

C:\Users\Admin\AppData\Local\Temp\c10fcea2721002bd22ed2d3b7572b50d.exe
"C:\Users\Admin\AppData\Local\Temp\c10fcea2721002bd22ed2d3b7572b50d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Game GTA" /tr '"C:\Users\Admin\AppData\Roaming\Game GTA.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Game GTA" /tr '"C:\Users\Admin\AppData\Roaming\Game GTA.exe"'
3⤵
- Creates scheduled task(s)
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8666.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3292

C:\Users\Admin\AppData\Roaming\Game GTA.exe
"C:\Users\Admin\AppData\Roaming\Game GTA.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8666.tmp.bat
Filesize
152B

MD5
62e534a44521ea1b06f1ac5367dc16b6

SHA1
5b2e00ab685503a46fc4bb2e1d6c316462a7aba8

SHA256
29de892e7c5a9e36f979ccd7060a162ead92e3347c5d64e24d697cad16af405f

SHA512
2232af526acab24be4f05c5f7aa329e91b5cd742d5ca76275b95bb16dcc9928bd3874ae276030d2287ef8f25ec4b57d3c3063cf7bfa7a1503a9cd3e2ef2bfb97

Download Submit
C:\Users\Admin\AppData\Roaming\Game GTA.exe
Filesize
68KB

MD5
c10fcea2721002bd22ed2d3b7572b50d

SHA1
2d27c6a7591e6280b34349d58ec615e9509ab2cd

SHA256
240c710c0e9ac872803407490fd60e67ec7bc970326f8938608320ccee52e36a

SHA512
745ade289f0f51a925e413de11fc5962d583987e039069a2c52415da358eb294633eef310b6b484bd7515ee385eb5db873924cd6a95e5e759f0dd4178e4e1ae6

Download Submit
C:\Users\Admin\AppData\Roaming\Game GTA.exe
Filesize
68KB

MD5
c10fcea2721002bd22ed2d3b7572b50d

SHA1
2d27c6a7591e6280b34349d58ec615e9509ab2cd

SHA256
240c710c0e9ac872803407490fd60e67ec7bc970326f8938608320ccee52e36a

SHA512
745ade289f0f51a925e413de11fc5962d583987e039069a2c52415da358eb294633eef310b6b484bd7515ee385eb5db873924cd6a95e5e759f0dd4178e4e1ae6

Download Submit
memory/4324-7-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4324-8-0x00007FFC85B60000-0x00007FFC86621000-memory.dmp

Filesize
10.8MB

Download
memory/4324-9-0x00007FFCA3650000-0x00007FFCA3845000-memory.dmp

Filesize
2.0MB

Download
memory/4324-0-0x00000000004F0000-0x0000000000508000-memory.dmp

Filesize
96KB

Download
memory/4324-2-0x0000000000E90000-0x0000000000EA0000-memory.dmp

Filesize
64KB

Download
memory/4324-1-0x00007FFC85B60000-0x00007FFC86621000-memory.dmp

Filesize
10.8MB

Download
memory/4468-14-0x00007FFC85610000-0x00007FFC860D1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-15-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download
memory/4468-16-0x00007FFC85610000-0x00007FFC860D1000-memory.dmp

Filesize
10.8MB

Download
memory/4468-17-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads