asyncrat | b7491f105a9624be5fec6a46e6932074730758bba75a6a7f74ea3e9b4d92eccb

General

Target

4f9f63fc9e0ac76188596bb2efd3b033.exe
Size

63KB
MD5

4f9f63fc9e0ac76188596bb2efd3b033
SHA1

cde6775e15f73eb512f50ee824550fd64400e1cf
SHA256

b7491f105a9624be5fec6a46e6932074730758bba75a6a7f74ea3e9b4d92eccb
SHA512

cfeb52790f20cc558753b473c02647c6fd7635a302e0481d9d412f5029b2100f834b8c6d3f62baffcfdaeed3e5b40011cc730c6fd0f76f6ac58ae1a5a62f70ba
SSDEEP

1536:4ZeNjfU/cNRPZNg/p6eeiIVrGbbXwuYGCDpqKmY7:4ZeNjfU/clCpDeXGbbXogz

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

127.0.0.1:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
SVCHOSTER.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4f9f63fc9e0ac76188596bb2efd3b033.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	4f9f63fc9e0ac76188596bb2efd3b033.exe

Executes dropped EXE 1 IoCs

Processes:

SVCHOSTER.exe

pid process

5044 SVCHOSTER.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4456 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1312 timeout.exe

pid	process
5044	SVCHOSTER.exe

pid	process
4456	schtasks.exe

pid	process
1312	timeout.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

4f9f63fc9e0ac76188596bb2efd3b033.exe

pid	process
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
2712	4f9f63fc9e0ac76188596bb2efd3b033.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4f9f63fc9e0ac76188596bb2efd3b033.exeSVCHOSTER.exe

description pid process

Token: SeDebugPrivilege 2712 4f9f63fc9e0ac76188596bb2efd3b033.exe
Token: SeDebugPrivilege 5044 SVCHOSTER.exe

description	pid	process
Token: SeDebugPrivilege	2712	4f9f63fc9e0ac76188596bb2efd3b033.exe
Token: SeDebugPrivilege	5044	SVCHOSTER.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

4f9f63fc9e0ac76188596bb2efd3b033.execmd.execmd.exe

description	pid	process	target process
PID 2712 wrote to memory of 1564	2712	4f9f63fc9e0ac76188596bb2efd3b033.exe	cmd.exe
PID 2712 wrote to memory of 1564	2712	4f9f63fc9e0ac76188596bb2efd3b033.exe	cmd.exe
PID 2712 wrote to memory of 2056	2712	4f9f63fc9e0ac76188596bb2efd3b033.exe	cmd.exe
PID 2712 wrote to memory of 2056	2712	4f9f63fc9e0ac76188596bb2efd3b033.exe	cmd.exe
PID 2056 wrote to memory of 1312	2056	cmd.exe	timeout.exe
PID 2056 wrote to memory of 1312	2056	cmd.exe	timeout.exe
PID 1564 wrote to memory of 4456	1564	cmd.exe	schtasks.exe
PID 1564 wrote to memory of 4456	1564	cmd.exe	schtasks.exe
PID 2056 wrote to memory of 5044	2056	cmd.exe	SVCHOSTER.exe
PID 2056 wrote to memory of 5044	2056	cmd.exe	SVCHOSTER.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4f9f63fc9e0ac76188596bb2efd3b033.exe
"C:\Users\Admin\AppData\Local\Temp\4f9f63fc9e0ac76188596bb2efd3b033.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SVCHOSTER" /tr '"C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "SVCHOSTER" /tr '"C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe"'
3⤵
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp538E.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1312

C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe
"C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp538E.tmp.bat
Filesize
153B

MD5
9be3b461554d797c678ad14ef3d2b6c0

SHA1
4cfbafbb374d03439160ade8ee88ea7efa845319

SHA256
0900e883f5925940b06fb545fb3f849915f51c1ff813e3cab7dd574841c88864

SHA512
e6736dfef2a03249f5a7c92dc601fa59250bdab9a6929fcd42f27c6b00d4fd8ddb7fe388bcbc263f298376780f5ea18c093f8e7f9c654df81d99e879f7e9d704

Download Submit
C:\Users\Admin\AppData\Roaming\SVCHOSTER.exe
Filesize
63KB

MD5
4f9f63fc9e0ac76188596bb2efd3b033

SHA1
cde6775e15f73eb512f50ee824550fd64400e1cf

SHA256
b7491f105a9624be5fec6a46e6932074730758bba75a6a7f74ea3e9b4d92eccb

SHA512
cfeb52790f20cc558753b473c02647c6fd7635a302e0481d9d412f5029b2100f834b8c6d3f62baffcfdaeed3e5b40011cc730c6fd0f76f6ac58ae1a5a62f70ba

Download Submit
memory/2712-0-0x0000000000C90000-0x0000000000CA6000-memory.dmp

Filesize
88KB

Download
memory/2712-1-0x00007FFB677A0000-0x00007FFB68261000-memory.dmp

Filesize
10.8MB

Download
memory/2712-2-0x000000001B930000-0x000000001B940000-memory.dmp

Filesize
64KB

Download
memory/2712-7-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp

Filesize
2.0MB

Download
memory/2712-8-0x00007FFB677A0000-0x00007FFB68261000-memory.dmp

Filesize
10.8MB

Download
memory/5044-13-0x00007FFB5CE00000-0x00007FFB5D8C1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-14-0x000000001AE00000-0x000000001AE10000-memory.dmp

Filesize
64KB

Download
memory/5044-15-0x00007FFB7AE90000-0x00007FFB7B085000-memory.dmp

Filesize
2.0MB

Download
memory/5044-16-0x00007FFB5CE00000-0x00007FFB5D8C1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-17-0x000000001AE00000-0x000000001AE10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads