asyncrat | fc1ad8d1483f0b1c94b55be7b7587b86485022ca4e62e6fb0c06e392dfaeecd2

Analysis

max time kernel
152s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C11Bootstrapper/Properties/IndependenciesInstallation.bat
Size

489B
MD5

d8da01fb6f6288b044868f85228cbb10
SHA1

9d08c813ce59ab863c6ec3c68c336eed265c5e8a
SHA256

74416d022dde876ff622038a6359907da239bbd26ceb7024f5d39dd52f16c9de
SHA512

c92b83ba5513694e05cf908a747609dd6fd3c70944d04a9b8a62939f4372561e4feb567d158b0316853c50a0c241a1c8c075875746a1e538912ea91ff84c308e

Score

10^/10

asyncrat umbral default rat stealer

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

Mutex

chhphkahmfnasuyziqc

Attributes

delay
1
install
false
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral6/memory/1096-0-0x000001CE061B0000-0x000001CE061F4000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
5076	timeout.exe
4832	timeout.exe
4724	timeout.exe
4264	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe
3588	C11Setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	C11Setup.exe
Token: SeDebugPrivilege	228	PageEditor.exe
Token: SeDebugPrivilege	1096	GuiLoader.exe
Token: SeIncreaseQuotaPrivilege	368	wmic.exe
Token: SeSecurityPrivilege	368	wmic.exe
Token: SeTakeOwnershipPrivilege	368	wmic.exe
Token: SeLoadDriverPrivilege	368	wmic.exe
Token: SeSystemProfilePrivilege	368	wmic.exe
Token: SeSystemtimePrivilege	368	wmic.exe
Token: SeProfSingleProcessPrivilege	368	wmic.exe
Token: SeIncBasePriorityPrivilege	368	wmic.exe
Token: SeCreatePagefilePrivilege	368	wmic.exe
Token: SeBackupPrivilege	368	wmic.exe
Token: SeRestorePrivilege	368	wmic.exe
Token: SeShutdownPrivilege	368	wmic.exe
Token: SeDebugPrivilege	368	wmic.exe
Token: SeSystemEnvironmentPrivilege	368	wmic.exe
Token: SeRemoteShutdownPrivilege	368	wmic.exe
Token: SeUndockPrivilege	368	wmic.exe
Token: SeManageVolumePrivilege	368	wmic.exe
Token: 33	368	wmic.exe
Token: 34	368	wmic.exe
Token: 35	368	wmic.exe
Token: 36	368	wmic.exe
Token: SeIncreaseQuotaPrivilege	368	wmic.exe
Token: SeSecurityPrivilege	368	wmic.exe
Token: SeTakeOwnershipPrivilege	368	wmic.exe
Token: SeLoadDriverPrivilege	368	wmic.exe
Token: SeSystemProfilePrivilege	368	wmic.exe
Token: SeSystemtimePrivilege	368	wmic.exe
Token: SeProfSingleProcessPrivilege	368	wmic.exe
Token: SeIncBasePriorityPrivilege	368	wmic.exe
Token: SeCreatePagefilePrivilege	368	wmic.exe
Token: SeBackupPrivilege	368	wmic.exe
Token: SeRestorePrivilege	368	wmic.exe
Token: SeShutdownPrivilege	368	wmic.exe
Token: SeDebugPrivilege	368	wmic.exe
Token: SeSystemEnvironmentPrivilege	368	wmic.exe
Token: SeRemoteShutdownPrivilege	368	wmic.exe
Token: SeUndockPrivilege	368	wmic.exe
Token: SeManageVolumePrivilege	368	wmic.exe
Token: 33	368	wmic.exe
Token: 34	368	wmic.exe
Token: 35	368	wmic.exe
Token: 36	368	wmic.exe
Token: SeIncreaseQuotaPrivilege	228	PageEditor.exe
Token: SeSecurityPrivilege	228	PageEditor.exe
Token: SeTakeOwnershipPrivilege	228	PageEditor.exe
Token: SeLoadDriverPrivilege	228	PageEditor.exe
Token: SeSystemProfilePrivilege	228	PageEditor.exe
Token: SeSystemtimePrivilege	228	PageEditor.exe
Token: SeProfSingleProcessPrivilege	228	PageEditor.exe
Token: SeIncBasePriorityPrivilege	228	PageEditor.exe
Token: SeCreatePagefilePrivilege	228	PageEditor.exe
Token: SeBackupPrivilege	228	PageEditor.exe
Token: SeRestorePrivilege	228	PageEditor.exe
Token: SeShutdownPrivilege	228	PageEditor.exe
Token: SeDebugPrivilege	228	PageEditor.exe
Token: SeSystemEnvironmentPrivilege	228	PageEditor.exe
Token: SeRemoteShutdownPrivilege	228	PageEditor.exe
Token: SeUndockPrivilege	228	PageEditor.exe
Token: SeManageVolumePrivilege	228	PageEditor.exe
Token: 33	228	PageEditor.exe
Token: 34	228	PageEditor.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3588	C11Setup.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 5076	8	cmd.exe	90
PID 8 wrote to memory of 5076	8	cmd.exe	90
PID 8 wrote to memory of 4832	8	cmd.exe	91
PID 8 wrote to memory of 4832	8	cmd.exe	91
PID 8 wrote to memory of 4724	8	cmd.exe	92
PID 8 wrote to memory of 4724	8	cmd.exe	92
PID 8 wrote to memory of 3896	8	cmd.exe	93
PID 8 wrote to memory of 3896	8	cmd.exe	93
PID 8 wrote to memory of 4264	8	cmd.exe	94
PID 8 wrote to memory of 4264	8	cmd.exe	94
PID 8 wrote to memory of 3588	8	cmd.exe	95
PID 8 wrote to memory of 3588	8	cmd.exe	95
PID 8 wrote to memory of 1096	8	cmd.exe	96
PID 8 wrote to memory of 1096	8	cmd.exe	96
PID 8 wrote to memory of 228	8	cmd.exe	97
PID 8 wrote to memory of 228	8	cmd.exe	97
PID 1096 wrote to memory of 368	1096	GuiLoader.exe	98
PID 1096 wrote to memory of 368	1096	GuiLoader.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\IndependenciesInstallation.bat"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\system32\timeout.exe
  timeout /t 5
  2⤵
  - Delays execution with timeout.exe
  PID:5076
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4832
- C:\Windows\system32\timeout.exe
  timeout /t 3
  2⤵
  - Delays execution with timeout.exe
  PID:4724
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\msgbox.vbs"
  2⤵
  PID:3896
- C:\Windows\system32\timeout.exe
  timeout /t 4
  2⤵
  - Delays execution with timeout.exe
  PID:4264
- C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe
  C11Setup.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3588
- C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe
  GuiLoader.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:368
- C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe
  PageEditor.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4124 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/228-7-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/228-12-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/228-2-0x0000000000F00000-0x0000000000F18000-memory.dmp

Filesize
96KB

Download
memory/228-8-0x000000001BDF0000-0x000000001BE00000-memory.dmp

Filesize
64KB

Download
memory/1096-11-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/1096-4-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/1096-0-0x000001CE061B0000-0x000001CE061F4000-memory.dmp

Filesize
272KB

Download
memory/3588-3-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/3588-9-0x000000001AC80000-0x000000001AC90000-memory.dmp

Filesize
64KB

Download
memory/3588-1-0x0000000000020000-0x0000000000064000-memory.dmp

Filesize
272KB

Download
memory/3588-13-0x00007FFD774B0000-0x00007FFD77F71000-memory.dmp

Filesize
10.8MB

Download
memory/3588-14-0x000000001AC80000-0x000000001AC90000-memory.dmp

Filesize
64KB

Download