asyncrat | 1f3918fc119080f9eca56848dac2119463f49198ab81f32ec8e3efd23863792a

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VenomRAT-V5.6-HVNC/ClientsFolder/Client.exe
Size

63KB
MD5

954df1329392b05e0f8d9fb6ef74e83e
SHA1

92e59f610990b0e4683ee381bcddf436dada0c7c
SHA256

515ac41d366bc9bee03e7d601a1f654cad95921b73fdd9ea75ee799c917c1a07
SHA512

678f416f70172cfe5199f75913aed533ac77336db08b5685ba2c249392f07aec812f2dd1e01435031c0c4d9ac45be6ce4525b1e397fa26f35ab461a002119ceb
SSDEEP

1536:4ZeNjfU/cNRPZNg/p6eeiIVrGbbXw4HoGCDpqKmY7:4ZeNjfU/clCpDeXGbbXb6gz

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

107.208.148.72:1492

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
something.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\something.exe	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Client.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation Client.exe
Executes dropped EXE 1 IoCs

Processes:

something.exe

pid process

1840 something.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

796 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4616 timeout.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Client.exe

pid	process
1840	something.exe

pid	process
796	schtasks.exe

pid	process
4616	timeout.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

Client.exe

pid	process
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe
1240	Client.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client.exesomething.exe

description pid process

Token: SeDebugPrivilege 1240 Client.exe
Token: SeDebugPrivilege 1840 something.exe

description	pid	process
Token: SeDebugPrivilege	1240	Client.exe
Token: SeDebugPrivilege	1840	something.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Client.execmd.execmd.exe

description	pid	process	target process
PID 1240 wrote to memory of 1680	1240	Client.exe	cmd.exe
PID 1240 wrote to memory of 1680	1240	Client.exe	cmd.exe
PID 1240 wrote to memory of 2912	1240	Client.exe	cmd.exe
PID 1240 wrote to memory of 2912	1240	Client.exe	cmd.exe
PID 2912 wrote to memory of 4616	2912	cmd.exe	timeout.exe
PID 2912 wrote to memory of 4616	2912	cmd.exe	timeout.exe
PID 1680 wrote to memory of 796	1680	cmd.exe	schtasks.exe
PID 1680 wrote to memory of 796	1680	cmd.exe	schtasks.exe
PID 2912 wrote to memory of 1840	2912	cmd.exe	something.exe
PID 2912 wrote to memory of 1840	2912	cmd.exe	something.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\ClientsFolder\Client.exe
"C:\Users\Admin\AppData\Local\Temp\VenomRAT-V5.6-HVNC\ClientsFolder\Client.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "something" /tr '"C:\Users\Admin\AppData\Roaming\something.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "something" /tr '"C:\Users\Admin\AppData\Roaming\something.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp517B.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4616
- - C:\Users\Admin\AppData\Roaming\something.exe
    "C:\Users\Admin\AppData\Roaming\something.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp517B.tmp.bat

Filesize
153B

MD5
efb8ca3434d1ee659cd2c32d0a1ea231

SHA1
16222ef9ab2a6520813a0eb38ff964de733af0d6

SHA256
d1a7becd1dab9fb42e84d5e859068a149ceb88acd2909c05b243e01fe20fb649

SHA512
bc6bf78dccb69165e59aaf5cb63a21650f500592aa8ebc57bee0ede18387b779276ff6f803735a26a51214a031d689b7ad1792aee1ea1bf6fea579fb7b24c23d

Download Submit
C:\Users\Admin\AppData\Roaming\something.exe

Filesize
63KB

MD5
954df1329392b05e0f8d9fb6ef74e83e

SHA1
92e59f610990b0e4683ee381bcddf436dada0c7c

SHA256
515ac41d366bc9bee03e7d601a1f654cad95921b73fdd9ea75ee799c917c1a07

SHA512
678f416f70172cfe5199f75913aed533ac77336db08b5685ba2c249392f07aec812f2dd1e01435031c0c4d9ac45be6ce4525b1e397fa26f35ab461a002119ceb

Download Submit
memory/1240-0-0x00007FFEE95D3000-0x00007FFEE95D5000-memory.dmp

Filesize
8KB

Download
memory/1240-1-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/1240-2-0x00007FFEE95D0000-0x00007FFEEA091000-memory.dmp

Filesize
10.8MB

Download
memory/1240-7-0x00007FFEE95D0000-0x00007FFEEA091000-memory.dmp

Filesize
10.8MB

Download