asyncrat | b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9

General

Target

b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
Size

1.5MB
MD5

9ad26bb1c0b4b036924ca19466970f68
SHA1

b6079c55e40206fbc4d1ead67d36ba7d8b850eca
SHA256

b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9
SHA512

33f71941d5c0e9c6598468d8f1837ecc3f4d204d936d23469ddf178de9c147b06f3bed2c616e1a156192c397f499c3c01406846a993a81f50dd4328efe7f1a4d
SSDEEP

49152:LfwEitJhjw4g6Rcdz8brR4WdzbcLav8TWwzzeWof94TV/F8RvF9:8EiJjRg6Rcdz8brRxd0LavKLof98V/FO

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

113.207.105.195:15806

Mutex

hanpmclowlyazr

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1212-18-0x00000000030C0000-0x00000000030D8000-memory.dmp	asyncrat

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe

pid	process
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe

description pid process

Token: SeDebugPrivilege 1212 b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe

pid process

1212 b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe

description	pid	process
Token: SeDebugPrivilege	1212	b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe

C:\Users\Admin\AppData\Local\Temp\b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
"C:\Users\Admin\AppData\Local\Temp\b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3440c7406b2fe01403fa6df19e746657

SHA1
db1cbbbbc51c7f8ea53ecea7b06228fd41edef18

SHA256
84869fdde1399306cbb271313372ba1b738b3fe2ebb3127ab3922dbb4235f821

SHA512
cb2b64016781d0d741172ec622598d4617d67811dd34b9102b449a06d22e3f5139d9660c433200b51dcddc8ea508787f71c34b06bc69577b5314f78411c59f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA67E.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBED6.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
memory/1212-19-0x00000000072A0000-0x00000000072E0000-memory.dmp

Filesize
256KB

Download
memory/1212-23-0x0000000077080000-0x0000000077081000-memory.dmp

Filesize
4KB

Download
memory/1212-20-0x00000000072A0000-0x00000000072E0000-memory.dmp

Filesize
256KB

Download
memory/1212-16-0x0000000000820000-0x000000000083C000-memory.dmp

Filesize
112KB

Download
memory/1212-62-0x0000000072D40000-0x000000007342E000-memory.dmp

Filesize
6.9MB

Download
memory/1212-83-0x00000000072A0000-0x00000000072E0000-memory.dmp

Filesize
256KB

Download
memory/1212-18-0x00000000030C0000-0x00000000030D8000-memory.dmp

Filesize
96KB

Download
memory/1212-17-0x0000000072D40000-0x000000007342E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing