asyncrat | e13360fe12492ad8b6f72d8cbd0969cfab0003e9898d13afe1c5de7bbb143b1f

General

Target

Client.exe
Size

63KB
MD5

68a978592c6c5cc22da0b7dde87b2d44
SHA1

a0d7dd10bb29f769b68d6e7333dda1913b049250
SHA256

e13360fe12492ad8b6f72d8cbd0969cfab0003e9898d13afe1c5de7bbb143b1f
SHA512

b2a9963d7ddf8047a74d71aec720df1c3edec0dd0d17b7e6734addbe57b324bce103b322fdc174da979586f83856a75dc489d240e29114ff09d4ed50647054e5
SSDEEP

1536:QhB5LrUwk4XO01V5eeiIVrGbbXwUNeGODpqKmY7:QhB5LrUwk4XVVseXGbbX/NQgz

Score

10^/10

asyncrat client evasion rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Client

C2

uk2.localto.net:3793

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

1188 netsh.exe
2360 netsh.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1432 sc.exe
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

3936 WMIC.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1528 timeout.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

5004 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

3680 ipconfig.exe
4428 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3776 systeminfo.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Client.exe

pid process

3468 Client.exe
3468 Client.exe
3468 Client.exe
3468 Client.exe

pid	process
1188	netsh.exe
2360	netsh.exe

pid	process
1432	sc.exe

pid	process
3936	WMIC.exe

pid	process
1528	timeout.exe

pid	process
5004	tasklist.exe

pid	process
3680	ipconfig.exe
4428	NETSTAT.EXE

pid	process
3776	systeminfo.exe

pid	process
3468	Client.exe
3468	Client.exe
3468	Client.exe
3468	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Client.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3468	Client.exe
Token: SeIncreaseQuotaPrivilege	3936	WMIC.exe
Token: SeSecurityPrivilege	3936	WMIC.exe
Token: SeTakeOwnershipPrivilege	3936	WMIC.exe
Token: SeLoadDriverPrivilege	3936	WMIC.exe
Token: SeSystemProfilePrivilege	3936	WMIC.exe
Token: SeSystemtimePrivilege	3936	WMIC.exe
Token: SeProfSingleProcessPrivilege	3936	WMIC.exe
Token: SeIncBasePriorityPrivilege	3936	WMIC.exe
Token: SeCreatePagefilePrivilege	3936	WMIC.exe
Token: SeBackupPrivilege	3936	WMIC.exe
Token: SeRestorePrivilege	3936	WMIC.exe
Token: SeShutdownPrivilege	3936	WMIC.exe
Token: SeDebugPrivilege	3936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3936	WMIC.exe
Token: SeRemoteShutdownPrivilege	3936	WMIC.exe
Token: SeUndockPrivilege	3936	WMIC.exe
Token: SeManageVolumePrivilege	3936	WMIC.exe
Token: 33	3936	WMIC.exe
Token: 34	3936	WMIC.exe
Token: 35	3936	WMIC.exe
Token: 36	3936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3936	WMIC.exe
Token: SeSecurityPrivilege	3936	WMIC.exe
Token: SeTakeOwnershipPrivilege	3936	WMIC.exe
Token: SeLoadDriverPrivilege	3936	WMIC.exe
Token: SeSystemProfilePrivilege	3936	WMIC.exe
Token: SeSystemtimePrivilege	3936	WMIC.exe
Token: SeProfSingleProcessPrivilege	3936	WMIC.exe
Token: SeIncBasePriorityPrivilege	3936	WMIC.exe
Token: SeCreatePagefilePrivilege	3936	WMIC.exe
Token: SeBackupPrivilege	3936	WMIC.exe
Token: SeRestorePrivilege	3936	WMIC.exe
Token: SeShutdownPrivilege	3936	WMIC.exe
Token: SeDebugPrivilege	3936	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3936	WMIC.exe
Token: SeRemoteShutdownPrivilege	3936	WMIC.exe
Token: SeUndockPrivilege	3936	WMIC.exe
Token: SeManageVolumePrivilege	3936	WMIC.exe
Token: 33	3936	WMIC.exe
Token: 34	3936	WMIC.exe
Token: 35	3936	WMIC.exe
Token: 36	3936	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3320	WMIC.exe
Token: SeSecurityPrivilege	3320	WMIC.exe
Token: SeTakeOwnershipPrivilege	3320	WMIC.exe
Token: SeLoadDriverPrivilege	3320	WMIC.exe
Token: SeSystemProfilePrivilege	3320	WMIC.exe
Token: SeSystemtimePrivilege	3320	WMIC.exe
Token: SeProfSingleProcessPrivilege	3320	WMIC.exe
Token: SeIncBasePriorityPrivilege	3320	WMIC.exe
Token: SeCreatePagefilePrivilege	3320	WMIC.exe
Token: SeBackupPrivilege	3320	WMIC.exe
Token: SeRestorePrivilege	3320	WMIC.exe
Token: SeShutdownPrivilege	3320	WMIC.exe
Token: SeDebugPrivilege	3320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3320	WMIC.exe
Token: SeRemoteShutdownPrivilege	3320	WMIC.exe
Token: SeUndockPrivilege	3320	WMIC.exe
Token: SeManageVolumePrivilege	3320	WMIC.exe
Token: 33	3320	WMIC.exe
Token: 34	3320	WMIC.exe
Token: 35	3320	WMIC.exe
Token: 36	3320	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Client.execmd.exenet.exequery.exenet.exenet.exenet.exenet.execmd.exe

description	pid	process	target process
PID 3468 wrote to memory of 2560	3468	Client.exe	cmd.exe
PID 3468 wrote to memory of 2560	3468	Client.exe	cmd.exe
PID 3468 wrote to memory of 4236	3468	Client.exe	cmd.exe
PID 3468 wrote to memory of 4236	3468	Client.exe	cmd.exe
PID 4236 wrote to memory of 3776	4236	cmd.exe	systeminfo.exe
PID 4236 wrote to memory of 3776	4236	cmd.exe	systeminfo.exe
PID 4236 wrote to memory of 4968	4236	cmd.exe	HOSTNAME.EXE
PID 4236 wrote to memory of 4968	4236	cmd.exe	HOSTNAME.EXE
PID 4236 wrote to memory of 3936	4236	cmd.exe	WMIC.exe
PID 4236 wrote to memory of 3936	4236	cmd.exe	WMIC.exe
PID 4236 wrote to memory of 4576	4236	cmd.exe	net.exe
PID 4236 wrote to memory of 4576	4236	cmd.exe	net.exe
PID 4576 wrote to memory of 4040	4576	net.exe	net1.exe
PID 4576 wrote to memory of 4040	4576	net.exe	net1.exe
PID 4236 wrote to memory of 3884	4236	cmd.exe	query.exe
PID 4236 wrote to memory of 3884	4236	cmd.exe	query.exe
PID 3884 wrote to memory of 3552	3884	query.exe	quser.exe
PID 3884 wrote to memory of 3552	3884	query.exe	quser.exe
PID 4236 wrote to memory of 2388	4236	cmd.exe	net.exe
PID 4236 wrote to memory of 2388	4236	cmd.exe	net.exe
PID 2388 wrote to memory of 3368	2388	net.exe	net1.exe
PID 2388 wrote to memory of 3368	2388	net.exe	net1.exe
PID 4236 wrote to memory of 2680	4236	cmd.exe	net.exe
PID 4236 wrote to memory of 2680	4236	cmd.exe	net.exe
PID 2680 wrote to memory of 2184	2680	net.exe	net1.exe
PID 2680 wrote to memory of 2184	2680	net.exe	net1.exe
PID 4236 wrote to memory of 404	4236	cmd.exe	net.exe
PID 4236 wrote to memory of 404	4236	cmd.exe	net.exe
PID 404 wrote to memory of 1916	404	net.exe	net1.exe
PID 404 wrote to memory of 1916	404	net.exe	net1.exe
PID 4236 wrote to memory of 748	4236	cmd.exe	net.exe
PID 4236 wrote to memory of 748	4236	cmd.exe	net.exe
PID 748 wrote to memory of 5020	748	net.exe	net1.exe
PID 748 wrote to memory of 5020	748	net.exe	net1.exe
PID 4236 wrote to memory of 3320	4236	cmd.exe	WMIC.exe
PID 4236 wrote to memory of 3320	4236	cmd.exe	WMIC.exe
PID 4236 wrote to memory of 5004	4236	cmd.exe	tasklist.exe
PID 4236 wrote to memory of 5004	4236	cmd.exe	tasklist.exe
PID 4236 wrote to memory of 3680	4236	cmd.exe	ipconfig.exe
PID 4236 wrote to memory of 3680	4236	cmd.exe	ipconfig.exe
PID 4236 wrote to memory of 2656	4236	cmd.exe	ROUTE.EXE
PID 4236 wrote to memory of 2656	4236	cmd.exe	ROUTE.EXE
PID 4236 wrote to memory of 2688	4236	cmd.exe	ARP.EXE
PID 4236 wrote to memory of 2688	4236	cmd.exe	ARP.EXE
PID 4236 wrote to memory of 4428	4236	cmd.exe	NETSTAT.EXE
PID 4236 wrote to memory of 4428	4236	cmd.exe	NETSTAT.EXE
PID 4236 wrote to memory of 1432	4236	cmd.exe	sc.exe
PID 4236 wrote to memory of 1432	4236	cmd.exe	sc.exe
PID 4236 wrote to memory of 1188	4236	cmd.exe	netsh.exe
PID 4236 wrote to memory of 1188	4236	cmd.exe	netsh.exe
PID 4236 wrote to memory of 2360	4236	cmd.exe	netsh.exe
PID 4236 wrote to memory of 2360	4236	cmd.exe	netsh.exe
PID 3468 wrote to memory of 2344	3468	Client.exe	cmd.exe
PID 3468 wrote to memory of 2344	3468	Client.exe	cmd.exe
PID 2344 wrote to memory of 1528	2344	cmd.exe	timeout.exe
PID 2344 wrote to memory of 1528	2344	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SYSTEM32\cmd.exe
"cmd"
2⤵
PID:2560

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\system32\systeminfo.exe
systeminfo
3⤵
- Gathers system information
PID:3776

C:\Windows\system32\HOSTNAME.EXE
hostname
3⤵
PID:4968

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
3⤵
- Collects information from the system
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\net.exe
net user
3⤵
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
4⤵
PID:4040

C:\Windows\system32\query.exe
query user
3⤵
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
4⤵
PID:3552

C:\Windows\system32\net.exe
net localgroup
3⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
4⤵
PID:3368

C:\Windows\system32\net.exe
net localgroup administrators
3⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
4⤵
PID:2184

C:\Windows\system32\net.exe
net user guest
3⤵
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
4⤵
PID:1916

C:\Windows\system32\net.exe
net user administrator
3⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
4⤵
PID:5020

C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\tasklist.exe
tasklist /svc
3⤵
- Enumerates processes with tasklist
PID:5004

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:3680

C:\Windows\system32\ROUTE.EXE
route print
3⤵
PID:2656

C:\Windows\system32\ARP.EXE
arp -a
3⤵
PID:2688

C:\Windows\system32\NETSTAT.EXE
netstat -ano
3⤵
- Gathers network information
PID:4428

C:\Windows\system32\sc.exe
sc query type= service state= all
3⤵
- Launches sc.exe
PID:1432

C:\Windows\system32\netsh.exe
netsh firewall show state
3⤵
- Modifies Windows Firewall
PID:1188

C:\Windows\system32\netsh.exe
netsh firewall show config
3⤵
- Modifies Windows Firewall
PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3C20.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Account Manipulation

1

T1098

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Account Manipulation

1

T1098

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Process Discovery

1

T1057

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3C20.tmp.bat
Filesize
158B

MD5
d3aa54ce507f6fccf97d8993a4933dad

SHA1
38ecdedf3f188c40fb4896418176699dcd0784db

SHA256
3b0d0d89ac3d0225248c866fbbee48c150cffff558fa5f7b3fee7bfa40b18afa

SHA512
d189b4bf06f99a3e19a3a4e06ea27c00d691695d1dcd0664ba90dfbd83596673c694daa1eeb6c15ba80deeacebd7a95add7432d965246a403d40357397944b57

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3468-10-0x000000001D470000-0x000000001D48C000-memory.dmp

Filesize
112KB

Download
memory/3468-11-0x000000001D4B0000-0x000000001D4CE000-memory.dmp

Filesize
120KB

Download
memory/3468-6-0x00007FFA51183000-0x00007FFA51185000-memory.dmp

Filesize
8KB

Download
memory/3468-7-0x00007FFA51180000-0x00007FFA51C42000-memory.dmp

Filesize
10.8MB

Download
memory/3468-8-0x00007FFA51180000-0x00007FFA51C42000-memory.dmp

Filesize
10.8MB

Download
memory/3468-9-0x000000001D4F0000-0x000000001D566000-memory.dmp

Filesize
472KB

Download
memory/3468-0-0x00007FFA51183000-0x00007FFA51185000-memory.dmp

Filesize
8KB

Download
memory/3468-3-0x00007FFA51180000-0x00007FFA51C42000-memory.dmp

Filesize
10.8MB

Download
memory/3468-12-0x0000000000F60000-0x0000000000F70000-memory.dmp

Filesize
64KB

Download
memory/3468-13-0x0000000000F90000-0x0000000000FA0000-memory.dmp

Filesize
64KB

Download
memory/3468-14-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

Filesize
56KB

Download
memory/3468-2-0x00007FFA51180000-0x00007FFA51C42000-memory.dmp

Filesize
10.8MB

Download
memory/3468-17-0x0000000000FB0000-0x0000000001014000-memory.dmp

Filesize
400KB

Download
memory/3468-1-0x0000000000790000-0x00000000007A6000-memory.dmp

Filesize
88KB

Download
memory/3468-22-0x00007FFA51180000-0x00007FFA51C42000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing