asyncrat | 8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc

General

Target

8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
Size

10.8MB
MD5

9e7c72593a21de47db9c8ad184833478
SHA1

240558190055c3152d9623650093ea65162257cc
SHA256

8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc
SHA512

897a5276ea8b1d3f230a5df0a3825c16c2082024dfd853acf55ee4db9a705b2565e63e5c3a016286d6921f58302fbe626800c859f1ea43bf41e7d19a50c213e0
SSDEEP

196608:YZDkuqtCt5KnDkYOvSP12C56EkafFPF8bilIIHzK+FLOyomFHKnP:YiuHvSP12/EkaZ+UF

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

103.233.253.8:8801

Mutex

fyrroywybihriuoljv

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1688-21-0x0000000003000000-0x0000000003018000-memory.dmp	asyncrat
behavioral1/memory/1688-22-0x0000000006C10000-0x0000000006C50000-memory.dmp	asyncrat

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2236	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 2236	1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe	28
PID 1688 wrote to memory of 2236	1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe	28
PID 1688 wrote to memory of 2236	1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe	28
PID 1688 wrote to memory of 2236	1688	8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe	28

C:\Users\Admin\AppData\Local\Temp\8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe
"C:\Users\Admin\AppData\Local\Temp\8ddb1b9319fea0a1b751325121a0d98f8047c1f7ee26808ca5ab4ec588d76cfc.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wps.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabA3D0.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA49E.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wps.txt

Filesize
2.4MB

MD5
011cbf832e84b143b960e21e90bf8648

SHA1
94cee9939519e89709a5520f3b1f8c2eccaddc05

SHA256
4656c2b14fad7b748002c3f4017e861c697c24174113fe4a72a6e8c239cddaca

SHA512
bdd2cefefe62b6747674962278b5cad65b5660b00b48c4a78ada60abde8074d2f2a39fd938bb6ed3c70f53fc6fd4638575642f1ae8b36d3a280644cbe341920c

Download Submit
memory/1688-20-0x0000000006C10000-0x0000000006C50000-memory.dmp

Filesize
256KB

Download
memory/1688-21-0x0000000003000000-0x0000000003018000-memory.dmp

Filesize
96KB

Download
memory/1688-22-0x0000000006C10000-0x0000000006C50000-memory.dmp

Filesize
256KB

Download
memory/1688-23-0x0000000006C10000-0x0000000006C50000-memory.dmp

Filesize
256KB

Download
memory/1688-25-0x0000000077D30000-0x0000000077D31000-memory.dmp

Filesize
4KB

Download
memory/1688-19-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download
memory/1688-18-0x0000000002DB0000-0x0000000002DCC000-memory.dmp

Filesize
112KB

Download
memory/1688-44-0x0000000073A10000-0x00000000740FE000-memory.dmp

Filesize
6.9MB

Download
memory/1688-45-0x0000000006C10000-0x0000000006C50000-memory.dmp

Filesize
256KB

Download
memory/1688-46-0x0000000006C10000-0x0000000006C50000-memory.dmp

Filesize
256KB

Download
memory/1688-47-0x0000000006C10000-0x0000000006C50000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing