asyncrat | db3ea1dab8411c6d7409f85e51b7e6a009a91951b8a5a30e6a67abbeb375b811

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rat2222.exe
Size

73KB
MD5

4a540ddfe8301f190f1562071851cbef
SHA1

733f4781ca2aba8255619bfc758fa67e88d410ea
SHA256

db3ea1dab8411c6d7409f85e51b7e6a009a91951b8a5a30e6a67abbeb375b811
SHA512

64254eb649774d04db2e31d481ff24310bbf8ab837944fe881d5e10516c0c4162da59cfa4969f7902a28b670c2848b6290a5dbfc8092eb2772ba3c06690c5c55
SSDEEP

1536:RUKkcx9pXCTyPMV/Fqiev5WI7H1bJ/tMnQzcF6VclNi:RUDcx958yPMV9qzpH1bJGQoIYY

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

Mutex

asdasdas

Attributes

delay
1
install
true
install_file
sasdasd.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	Rat2222.exe

Executes dropped EXE 1 IoCs

pid	Process
4480	sasdasd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1076	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
2968	Rat2222.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe
4480	sasdasd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4480	sasdasd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	Rat2222.exe
Token: SeDebugPrivilege	4480	sasdasd.exe
Token: SeDebugPrivilege	4968	Rat2222.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4480	sasdasd.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 936	2968	Rat2222.exe	87
PID 2968 wrote to memory of 936	2968	Rat2222.exe	87
PID 2968 wrote to memory of 1844	2968	Rat2222.exe	88
PID 2968 wrote to memory of 1844	2968	Rat2222.exe	88
PID 1844 wrote to memory of 1076	1844	cmd.exe	91
PID 1844 wrote to memory of 1076	1844	cmd.exe	91
PID 936 wrote to memory of 4452	936	cmd.exe	92
PID 936 wrote to memory of 4452	936	cmd.exe	92
PID 1844 wrote to memory of 4480	1844	cmd.exe	98
PID 1844 wrote to memory of 4480	1844	cmd.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Rat2222.exe
"C:\Users\Admin\AppData\Local\Temp\Rat2222.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sasdasd" /tr '"C:\Users\Admin\AppData\Roaming\sasdasd.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "sasdasd" /tr '"C:\Users\Admin\AppData\Roaming\sasdasd.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDBD9.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1076
- - C:\Users\Admin\AppData\Roaming\sasdasd.exe
    "C:\Users\Admin\AppData\Roaming\sasdasd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4452

C:\Users\Admin\Desktop\Rat2222.exe
"C:\Users\Admin\Desktop\Rat2222.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Rat2222.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDBD9.tmp.bat

Filesize
151B

MD5
8ac11ff2e65448063d7d4fcba2d6d24a

SHA1
5bae622ce6eae8fedd4eedc2a97448faf7447594

SHA256
294c4c7e349f3d2b7659747688c405813afbf9064ee762225430ee17539ba941

SHA512
a7461d49af3e1e6fcf3dba98f1ae93505509947b26100bd832623a00394b424e8f8fb9f436a068dd34b53abb59b0e55790e70d760b7075c50dd327d8cf0d5f3b

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\sasdasd.exe

Filesize
73KB

MD5
4a540ddfe8301f190f1562071851cbef

SHA1
733f4781ca2aba8255619bfc758fa67e88d410ea

SHA256
db3ea1dab8411c6d7409f85e51b7e6a009a91951b8a5a30e6a67abbeb375b811

SHA512
64254eb649774d04db2e31d481ff24310bbf8ab837944fe881d5e10516c0c4162da59cfa4969f7902a28b670c2848b6290a5dbfc8092eb2772ba3c06690c5c55

Download Submit
memory/2968-0-0x00007FFA42513000-0x00007FFA42515000-memory.dmp

Filesize
8KB

Download
memory/2968-1-0x00000000007D0000-0x00000000007E6000-memory.dmp

Filesize
88KB

Download
memory/2968-3-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-8-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download
memory/2968-9-0x00007FFA42510000-0x00007FFA42FD1000-memory.dmp

Filesize
10.8MB

Download