asyncrat | fc1ad8d1483f0b1c94b55be7b7587b86485022ca4e62e6fb0c06e392dfaeecd2

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C11Bootstrapper/Properties/IndependenciesInstallation.bat
Size

489B
MD5

d8da01fb6f6288b044868f85228cbb10
SHA1

9d08c813ce59ab863c6ec3c68c336eed265c5e8a
SHA256

74416d022dde876ff622038a6359907da239bbd26ceb7024f5d39dd52f16c9de
SHA512

c92b83ba5513694e05cf908a747609dd6fd3c70944d04a9b8a62939f4372561e4feb567d158b0316853c50a0c241a1c8c075875746a1e538912ea91ff84c308e

Score

10^/10

asyncrat umbral default rat stealer

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

Mutex

chhphkahmfnasuyziqc

Attributes

delay
1
install
false
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral5/memory/2728-30-0x0000000001390000-0x00000000013D4000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
2380	timeout.exe
2340	timeout.exe
1728	timeout.exe
2580	timeout.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	PageEditor.exe
Token: SeDebugPrivilege	2728	GuiLoader.exe
Token: SeIncreaseQuotaPrivilege	2800	PageEditor.exe
Token: SeSecurityPrivilege	2800	PageEditor.exe
Token: SeTakeOwnershipPrivilege	2800	PageEditor.exe
Token: SeLoadDriverPrivilege	2800	PageEditor.exe
Token: SeSystemProfilePrivilege	2800	PageEditor.exe
Token: SeSystemtimePrivilege	2800	PageEditor.exe
Token: SeProfSingleProcessPrivilege	2800	PageEditor.exe
Token: SeIncBasePriorityPrivilege	2800	PageEditor.exe
Token: SeCreatePagefilePrivilege	2800	PageEditor.exe
Token: SeBackupPrivilege	2800	PageEditor.exe
Token: SeRestorePrivilege	2800	PageEditor.exe
Token: SeShutdownPrivilege	2800	PageEditor.exe
Token: SeDebugPrivilege	2800	PageEditor.exe
Token: SeSystemEnvironmentPrivilege	2800	PageEditor.exe
Token: SeRemoteShutdownPrivilege	2800	PageEditor.exe
Token: SeUndockPrivilege	2800	PageEditor.exe
Token: SeManageVolumePrivilege	2800	PageEditor.exe
Token: 33	2800	PageEditor.exe
Token: 34	2800	PageEditor.exe
Token: 35	2800	PageEditor.exe
Token: SeIncreaseQuotaPrivilege	2800	PageEditor.exe
Token: SeSecurityPrivilege	2800	PageEditor.exe
Token: SeTakeOwnershipPrivilege	2800	PageEditor.exe
Token: SeLoadDriverPrivilege	2800	PageEditor.exe
Token: SeSystemProfilePrivilege	2800	PageEditor.exe
Token: SeSystemtimePrivilege	2800	PageEditor.exe
Token: SeProfSingleProcessPrivilege	2800	PageEditor.exe
Token: SeIncBasePriorityPrivilege	2800	PageEditor.exe
Token: SeCreatePagefilePrivilege	2800	PageEditor.exe
Token: SeBackupPrivilege	2800	PageEditor.exe
Token: SeRestorePrivilege	2800	PageEditor.exe
Token: SeShutdownPrivilege	2800	PageEditor.exe
Token: SeDebugPrivilege	2800	PageEditor.exe
Token: SeSystemEnvironmentPrivilege	2800	PageEditor.exe
Token: SeRemoteShutdownPrivilege	2800	PageEditor.exe
Token: SeUndockPrivilege	2800	PageEditor.exe
Token: SeManageVolumePrivilege	2800	PageEditor.exe
Token: 33	2800	PageEditor.exe
Token: 34	2800	PageEditor.exe
Token: 35	2800	PageEditor.exe
Token: SeIncreaseQuotaPrivilege	2936	wmic.exe
Token: SeSecurityPrivilege	2936	wmic.exe
Token: SeTakeOwnershipPrivilege	2936	wmic.exe
Token: SeLoadDriverPrivilege	2936	wmic.exe
Token: SeSystemProfilePrivilege	2936	wmic.exe
Token: SeSystemtimePrivilege	2936	wmic.exe
Token: SeProfSingleProcessPrivilege	2936	wmic.exe
Token: SeIncBasePriorityPrivilege	2936	wmic.exe
Token: SeCreatePagefilePrivilege	2936	wmic.exe
Token: SeBackupPrivilege	2936	wmic.exe
Token: SeRestorePrivilege	2936	wmic.exe
Token: SeShutdownPrivilege	2936	wmic.exe
Token: SeDebugPrivilege	2936	wmic.exe
Token: SeSystemEnvironmentPrivilege	2936	wmic.exe
Token: SeRemoteShutdownPrivilege	2936	wmic.exe
Token: SeUndockPrivilege	2936	wmic.exe
Token: SeManageVolumePrivilege	2936	wmic.exe
Token: 33	2936	wmic.exe
Token: 34	2936	wmic.exe
Token: 35	2936	wmic.exe
Token: SeIncreaseQuotaPrivilege	2936	wmic.exe
Token: SeSecurityPrivilege	2936	wmic.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2380	2844	cmd.exe	29
PID 2844 wrote to memory of 2380	2844	cmd.exe	29
PID 2844 wrote to memory of 2380	2844	cmd.exe	29
PID 2844 wrote to memory of 2340	2844	cmd.exe	30
PID 2844 wrote to memory of 2340	2844	cmd.exe	30
PID 2844 wrote to memory of 2340	2844	cmd.exe	30
PID 2844 wrote to memory of 1728	2844	cmd.exe	31
PID 2844 wrote to memory of 1728	2844	cmd.exe	31
PID 2844 wrote to memory of 1728	2844	cmd.exe	31
PID 2844 wrote to memory of 2856	2844	cmd.exe	32
PID 2844 wrote to memory of 2856	2844	cmd.exe	32
PID 2844 wrote to memory of 2856	2844	cmd.exe	32
PID 2844 wrote to memory of 2580	2844	cmd.exe	33
PID 2844 wrote to memory of 2580	2844	cmd.exe	33
PID 2844 wrote to memory of 2580	2844	cmd.exe	33
PID 2844 wrote to memory of 2696	2844	cmd.exe	34
PID 2844 wrote to memory of 2696	2844	cmd.exe	34
PID 2844 wrote to memory of 2696	2844	cmd.exe	34
PID 2844 wrote to memory of 2728	2844	cmd.exe	35
PID 2844 wrote to memory of 2728	2844	cmd.exe	35
PID 2844 wrote to memory of 2728	2844	cmd.exe	35
PID 2844 wrote to memory of 2800	2844	cmd.exe	36
PID 2844 wrote to memory of 2800	2844	cmd.exe	36
PID 2844 wrote to memory of 2800	2844	cmd.exe	36
PID 2696 wrote to memory of 2668	2696	C11Setup.exe	37
PID 2696 wrote to memory of 2668	2696	C11Setup.exe	37
PID 2696 wrote to memory of 2668	2696	C11Setup.exe	37
PID 2728 wrote to memory of 2936	2728	GuiLoader.exe	39
PID 2728 wrote to memory of 2936	2728	GuiLoader.exe	39
PID 2728 wrote to memory of 2936	2728	GuiLoader.exe	39

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\IndependenciesInstallation.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:2380
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2340
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:1728
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\msgbox.vbs"
  2⤵
  PID:2856
- C:\Windows\system32\timeout.exe
  timeout /t 4
  2⤵
  - Delays execution with timeout.exe
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe
  C11Setup.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2696 -s 580
    3⤵
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe
  GuiLoader.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe
  PageEditor.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2696-31-0x0000000000D00000-0x0000000000D44000-memory.dmp

Filesize
272KB

Download
memory/2696-35-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-30-0x0000000001390000-0x00000000013D4000-memory.dmp

Filesize
272KB

Download
memory/2728-34-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2728-37-0x000000001A8F0000-0x000000001A970000-memory.dmp

Filesize
512KB

Download
memory/2728-38-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2800-29-0x0000000000200000-0x0000000000218000-memory.dmp

Filesize
96KB

Download
memory/2800-33-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download
memory/2800-36-0x000000001A710000-0x000000001A790000-memory.dmp

Filesize
512KB

Download
memory/2800-39-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

Filesize
9.9MB

Download