asyncrat | b7491f105a9624be5fec6a46e6932074730758bba75a6a7f74ea3e9b4d92eccb

General

Target

4f9f63fc9e0ac76188596bb2efd3b033.exe
Size

63KB
MD5

4f9f63fc9e0ac76188596bb2efd3b033
SHA1

cde6775e15f73eb512f50ee824550fd64400e1cf
SHA256

b7491f105a9624be5fec6a46e6932074730758bba75a6a7f74ea3e9b4d92eccb
SHA512

cfeb52790f20cc558753b473c02647c6fd7635a302e0481d9d412f5029b2100f834b8c6d3f62baffcfdaeed3e5b40011cc730c6fd0f76f6ac58ae1a5a62f70ba
SSDEEP

1536:4ZeNjfU/cNRPZNg/p6eeiIVrGbbXwuYGCDpqKmY7:4ZeNjfU/clCpDeXGbbXogz

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

127.0.0.1:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
SVCHOSTER.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

SVCHOSTER.exe

pid process

2640 SVCHOSTER.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2164 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2552 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4f9f63fc9e0ac76188596bb2efd3b033.exe

pid process

2508 4f9f63fc9e0ac76188596bb2efd3b033.exe
2508 4f9f63fc9e0ac76188596bb2efd3b033.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4f9f63fc9e0ac76188596bb2efd3b033.exeSVCHOSTER.exe

description pid process

Token: SeDebugPrivilege 2508 4f9f63fc9e0ac76188596bb2efd3b033.exe
Token: SeDebugPrivilege 2640 SVCHOSTER.exe

pid	process
2640	SVCHOSTER.exe

pid	process
2164	schtasks.exe

pid	process
2552	timeout.exe

pid	process
2508	4f9f63fc9e0ac76188596bb2efd3b033.exe
2508	4f9f63fc9e0ac76188596bb2efd3b033.exe

description	pid	process
Token: SeDebugPrivilege	2508	4f9f63fc9e0ac76188596bb2efd3b033.exe
Token: SeDebugPrivilege	2640	SVCHOSTER.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

4f9f63fc9e0ac76188596bb2efd3b033.execmd.execmd.exe

description	pid	process	target process
PID 2508 wrote to memory of 2896	2508	4f9f63fc9e0ac76188596bb2efd3b033.exe	cmd.exe
PID 2508 wrote to memory of 2896	2508	4f9f63fc9e0ac76188596bb2efd3b033.exe	cmd.exe
PID 2508 wrote to memory of 2896	2508	4f9f63fc9e0ac76188596bb2efd3b033.exe	cmd.exe
PID 2508 wrote to memory of 2940	2508	4f9f63fc9e0ac76188596bb2efd3b033.exe	cmd.exe
PID 2508 wrote to memory of 2940	2508	4f9f63fc9e0ac76188596bb2efd3b033.exe	cmd.exe
PID 2508 wrote to memory of 2940	2508	4f9f63fc9e0ac76188596bb2efd3b033.exe	cmd.exe
PID 2896 wrote to memory of 2164	2896	cmd.exe	schtasks.exe
PID 2896 wrote to memory of 2164	2896	cmd.exe	schtasks.exe
PID 2896 wrote to memory of 2164	2896	cmd.exe	schtasks.exe
PID 2940 wrote to memory of 2552	2940	cmd.exe	timeout.exe
PID 2940 wrote to memory of 2552	2940	cmd.exe	timeout.exe
PID 2940 wrote to memory of 2552	2940	cmd.exe	timeout.exe
PID 2940 wrote to memory of 2640	2940	cmd.exe	SVCHOSTER.exe
PID 2940 wrote to memory of 2640	2940	cmd.exe	SVCHOSTER.exe
PID 2940 wrote to memory of 2640	2940	cmd.exe	SVCHOSTER.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4f9f63fc9e0ac76188596bb2efd3b033.exe
"C:\Users\Admin\AppData\Local\Temp\4f9f63fc9e0ac76188596bb2efd3b033.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SVCHOSTER" /tr '"C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "SVCHOSTER" /tr '"C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe"'
3⤵
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA969.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2552

C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe
"C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA969.tmp.bat
Filesize
153B

MD5
63d2aa773dede4efd1d3ff35b5cc2bff

SHA1
f1e205e5b2e23cfb576a9d578144fff7f776a22f

SHA256
d9436d04b6bcabdf5aebf86a4079fe8654b633dcde0dfb01e46d3267ea8981aa

SHA512
60314fd16c287852feba52cbe9f2dda3f06aa004e7de7c3bd7b25aab1eced1daeb79e2edf4b6f8b209c74d5aa15738a7a59cc9142fafe7a72f8fc36835d8e87c

Download Submit
C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe
Filesize
63KB

MD5
4f9f63fc9e0ac76188596bb2efd3b033

SHA1
cde6775e15f73eb512f50ee824550fd64400e1cf

SHA256
b7491f105a9624be5fec6a46e6932074730758bba75a6a7f74ea3e9b4d92eccb

SHA512
cfeb52790f20cc558753b473c02647c6fd7635a302e0481d9d412f5029b2100f834b8c6d3f62baffcfdaeed3e5b40011cc730c6fd0f76f6ac58ae1a5a62f70ba

Download Submit
memory/2508-13-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2508-3-0x0000000076D00000-0x0000000076EA9000-memory.dmp

Filesize
1.7MB

Download
memory/2508-2-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/2508-14-0x0000000076D00000-0x0000000076EA9000-memory.dmp

Filesize
1.7MB

Download
memory/2508-0-0x0000000000F10000-0x0000000000F26000-memory.dmp

Filesize
88KB

Download
memory/2508-1-0x000007FEF50C0000-0x000007FEF5AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-18-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/2640-19-0x000007FEF46D0000-0x000007FEF50BC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-20-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download
memory/2640-21-0x0000000076D00000-0x0000000076EA9000-memory.dmp

Filesize
1.7MB

Download
memory/2640-22-0x000007FEF46D0000-0x000007FEF50BC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-23-0x000000001B300000-0x000000001B380000-memory.dmp

Filesize
512KB

Download
memory/2640-24-0x0000000076D00000-0x0000000076EA9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads