asyncrat | 243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
Size

74KB
MD5

48865d6cc53e8a2fc637da9f1ee5e353
SHA1

d655c548c01f91438d20f80bd9acab9f94073cef
SHA256

243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8
SHA512

acd3920bbb859c8e27334977cf7b5ec1bb035c38e1203cf40aea4caf33e4dcf8b3ac5e754d7a63973ec56186f3f2484530e897e58b4da169df34b1e469f78940
SSDEEP

1536:LUk0cxVGlCBiPMVQ0JpsIyb1bu/MIomRQzc+LVclN:LURcxVMWiPMVz/4b1bukIo+QXBY

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

kjllrkvvfowjke

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/zAGEXn7M

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detects executables attemping to enumerate video devices using WMI 1 IoCs

resource	yara_rule
behavioral2/memory/1448-1-0x0000000000170000-0x0000000000188000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice

Legitimate hosting services abused for malware hosting/C2 1 TTPs 48 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
86	pastebin.com
101	pastebin.com
109	pastebin.com
111	pastebin.com
67	pastebin.com
87	pastebin.com
100	pastebin.com
104	pastebin.com
106	pastebin.com
114	pastebin.com
83	pastebin.com
112	pastebin.com
17	pastebin.com
30	pastebin.com
31	pastebin.com
59	pastebin.com
66	pastebin.com
68	pastebin.com
113	pastebin.com
115	pastebin.com
29	pastebin.com
38	pastebin.com
60	pastebin.com
80	pastebin.com
99	pastebin.com
55	pastebin.com
78	pastebin.com
81	pastebin.com
85	pastebin.com
105	pastebin.com
116	pastebin.com
61	pastebin.com
79	pastebin.com
82	pastebin.com
84	pastebin.com
92	pastebin.com
102	pastebin.com
36	pastebin.com
39	pastebin.com
41	pastebin.com
117	pastebin.com
40	pastebin.com
44	pastebin.com
57	pastebin.com
58	pastebin.com
65	pastebin.com
74	pastebin.com

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1448	243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe

C:\Users\Admin\AppData\Local\Temp\243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe
"C:\Users\Admin\AppData\Local\Temp\243107799d46411f4a919d7117eef4b5f1718dc997bf9ef316ed822ea93b29e8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,11751898164297348119,13021661521765644467,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1448-0-0x00007FFB0E693000-0x00007FFB0E695000-memory.dmp

Filesize
8KB

Download
memory/1448-1-0x0000000000170000-0x0000000000188000-memory.dmp

Filesize
96KB

Download
memory/1448-3-0x00007FFB0E690000-0x00007FFB0F151000-memory.dmp

Filesize
10.8MB

Download
memory/1448-4-0x00007FFB0E690000-0x00007FFB0F151000-memory.dmp

Filesize
10.8MB

Download
memory/1448-5-0x00007FFB0E693000-0x00007FFB0E695000-memory.dmp

Filesize
8KB

Download
memory/1448-6-0x00007FFB0E690000-0x00007FFB0F151000-memory.dmp

Filesize
10.8MB

Download
memory/1448-7-0x00007FFB0E690000-0x00007FFB0F151000-memory.dmp

Filesize
10.8MB

Download