asyncrat | 17dc9571dbd7e094dd65a862adfcde7328a3c3e45c9053ba99bff638e7918b4e

Analysis

max time kernel
70s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave.exe
Size

74KB
MD5

31548bc072b604c0617e5ebcf7fc60b4
SHA1

035e68c49525e477ca5e61f77e1f8fdd4955b722
SHA256

17dc9571dbd7e094dd65a862adfcde7328a3c3e45c9053ba99bff638e7918b4e
SHA512

9848a6406fa2b6ff3046dd147eb94583fb637a2598dc332905b2a98e171814d3d76554bcf54a909503577fab85ccccf29ae475f614edd3f30e0a62afe8696cb1
SSDEEP

1536:mUJQcxAz6/CTGPMVfe9VdQuDI6H1bf/gqcnSQzcaLVclN:mUWcxAW/4GPMVfe9VdQsH1bfQnSQLBY

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

WindowsRuntimeBrokerService

Attributes

delay
1
install
true
install_file
Microsoft\Windows\Themes\RuntimeBroker.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/xcd2XZ5Q

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000400000002299c-12.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	Wave.exe

Executes dropped EXE 1 IoCs

pid	Process
1232	RuntimeBroker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	pastebin.com
32	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4968	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
2464	Wave.exe
1232	RuntimeBroker.exe
1232	RuntimeBroker.exe
1232	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	Wave.exe
Token: SeDebugPrivilege	2464	Wave.exe
Token: SeDebugPrivilege	1232	RuntimeBroker.exe
Token: SeDebugPrivilege	1232	RuntimeBroker.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1232	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 228	2464	Wave.exe	87
PID 2464 wrote to memory of 228	2464	Wave.exe	87
PID 2464 wrote to memory of 344	2464	Wave.exe	89
PID 2464 wrote to memory of 344	2464	Wave.exe	89
PID 228 wrote to memory of 2924	228	cmd.exe	91
PID 228 wrote to memory of 2924	228	cmd.exe	91
PID 344 wrote to memory of 4968	344	cmd.exe	92
PID 344 wrote to memory of 4968	344	cmd.exe	92
PID 344 wrote to memory of 1232	344	cmd.exe	98
PID 344 wrote to memory of 1232	344	cmd.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\RuntimeBroker.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\RuntimeBroker.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9182.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4968
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9182.tmp.bat

Filesize
182B

MD5
8237f840695e45810cd80d2abd1eb744

SHA1
f93d5012b67846fe1d1301d2c5bcd09c8e67f477

SHA256
3decbbaf12494843546a6a9effad9ad5c369f04f85847c8495892369f12bc958

SHA512
50d0eaaaf3cd18d907e74f845c566a267debcd49657ed87d7a5406bfbb82d7b5907342f4163bd47c11a1322a2e8e6af006e4823ca3f43c941a4bf64b6e6971ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\RuntimeBroker.exe

Filesize
74KB

MD5
31548bc072b604c0617e5ebcf7fc60b4

SHA1
035e68c49525e477ca5e61f77e1f8fdd4955b722

SHA256
17dc9571dbd7e094dd65a862adfcde7328a3c3e45c9053ba99bff638e7918b4e

SHA512
9848a6406fa2b6ff3046dd147eb94583fb637a2598dc332905b2a98e171814d3d76554bcf54a909503577fab85ccccf29ae475f614edd3f30e0a62afe8696cb1

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Desktop\ApproveRedo.mpeg3

Filesize
608KB

MD5
bf864ec6a82534cbcc11088af0c019fe

SHA1
45c3a4c6dba265f28dbce14a14172cbcf3a3d07a

SHA256
ec8215ecd813d89886f04f5c97807b7969e1a0a87c22733d128554a9fc677f4e

SHA512
f33935ecfbc815b253e7be014a36fac2d9700aedd89ff8d7dfde82fd5a86c9ed64b4f0d0173321b9ff33551c5b02a5b85a5d05078933004268a898634e50c3ce

Download Submit
C:\Users\Admin\Desktop\AssertAdd.jpg

Filesize
444KB

MD5
c3ef5fb9f7693d886a3376a340dd77c1

SHA1
f73b813e94510bcc57ceecc564039d2c7331ec8c

SHA256
8e7cf3b97dfaa6f34f93c34a34b625ea388ac9cbe9a474a251e620b4d5f66005

SHA512
c30c12c5efff244e530951a1e7aa5407da4f14c634d46f4623eb40b3d84043a7b354ffafde56f90f88335ec0438ec4f08c069140a7d8d32f20145ad0e7b4c017

Download Submit
C:\Users\Admin\Desktop\BlockRedo.reg

Filesize
740KB

MD5
7447df8d9f0c54a6a3bbc93157848eb2

SHA1
d9b95f6f7e1051777471bc8b21e19cfe6c71dbf6

SHA256
74f7ed144a58a22cf9086fcb336cd0d3b7c01d1eb1864f8602f5ddbf2784436a

SHA512
ee242937ba6aa17a2bdb9a1a88ab4f3306ce1574bf52fce0e6083d96432a1cf1378dce2055f76ee74b80f683162976da2f46d58905842ae5cab951f8228e4fc5

Download Submit
C:\Users\Admin\Desktop\ClearEdit.mid

Filesize
970KB

MD5
35ff7586d59d7247d5ce9f8029135df3

SHA1
ba33b830c98094009d9554504bd9854756f14624

SHA256
dbd8e9e6437cff9c153f323aaee62e7048648efe90c10dc5074d5c0641929dbf

SHA512
68030e4cbb0c162d1c1587a7672f7f539980e1aebfa6b78a27108b60e07d123f3587e5990e836cb6a3ca4356ca8cfb2100af0a341f509b5b2aacc12a6bc90b2a

Download Submit
C:\Users\Admin\Desktop\ClearSuspend.mov

Filesize
1003KB

MD5
9cc4caf7427dd8ee6d3f37a938bfebac

SHA1
8b93468662cd39eb62c3d200464d46a3b963df0e

SHA256
3abbbc26121721a6dccfbc6a0ad6739f1a847f86f838f98ce5d2b77df15be34c

SHA512
39183efdcc926435b31da60a331c260ad3935d4f9eefc534c8a91f19637e1f36cd560cf07cbb0ead06ba5d6c02bdd66baf8f72f804a52458d0cf2d5217af8ce9

Download Submit
C:\Users\Admin\Desktop\CloseSkip.search-ms

Filesize
477KB

MD5
986027221c6e2400bb8e7a1e9dc4fa94

SHA1
e6ad23428f0e4a48e9f8819de02857d0f24a765a

SHA256
189eaf29f0667715adb319a4f5044a9af5ee2901b27529162270d24563a31ef0

SHA512
7984e76f6dc79bb9c5e372aae41facdabc41187c77efeaecf1b9cf260c3a4c4333b48ca5e6393303e8fb8f534489c465f47594030a746a79aaae2b443c49376b

Download Submit
C:\Users\Admin\Desktop\DenyRead.xht

Filesize
641KB

MD5
f311c2161c2050d5634679c5c6f5e260

SHA1
c4095c76d85fe62a1b92863bcff6aae9a92e0185

SHA256
000238fbe759a1d3c5f54e24076359e0441663b5b9fabbbb15922c6c4b8f1044

SHA512
36f9a95121a72189e373e78596328c782ca80030fac67f915f9ee6a306a4d31fe0f688a2e4b205ed38924cb0a3d019a7726a7de1e5b3abc016f6c1b4333f3db4

Download Submit
C:\Users\Admin\Desktop\DenyResume.vdw

Filesize
575KB

MD5
b1212234e785e3e28c8e902c8fffc269

SHA1
96c62c2e2598d895bb7771770e71e9656fa52bd5

SHA256
8c305d93e5c277a8d5af1b74bee045a651102a1137e174b9f78756b107c9cf3d

SHA512
46ea20d9a54fcf79920aa2bbe47f7c25d34d0dbf997c3d60a60373e1e44557dccd1c9a8ff1f76a6107cc35a9e117a7fba34051a830ea76de24f56b7f91ef728d

Download Submit
C:\Users\Admin\Desktop\DisableSelect.avi

Filesize
904KB

MD5
1711b2b9d06c4580034e5433ae05d3a8

SHA1
cfb4a828f138b4490447f41c9072fe6130542d03

SHA256
e3de4c820351816f0d55539d7b1ea739ec26f06dd0d5fcd2dbd8b141b5cf92e8

SHA512
8247d4af72af26bb4aba44014ebd6a0325d8410ac2041798a2128d3d4b3736d7de298a364869ec29a33f7ad66ad29d7d0bfc24c1dcd421dc51996bab34bfb211

Download Submit
C:\Users\Admin\Desktop\ImportSend.scf

Filesize
707KB

MD5
6a121ce5e66c9f40a93a00675f0270ea

SHA1
78ea77344bca4677eceb4826569d75d1024127f9

SHA256
27ce962f904810c9e341b8132516ee2c73122a4c96a520d6d9d858b376c67764

SHA512
f60a58a278a56fe361412040b597da890fa55c17e2c3be21cae1ce7f3d1109d84d6e54abea5026ba8f03fc5a9279ac373861616ede20ed37cd6e549063b46447

Download Submit
C:\Users\Admin\Desktop\ImportShow.asp

Filesize
806KB

MD5
da382949c9947855862826dce6766e0f

SHA1
386249ba4ef69fb075f34f54ef1d72b47a5c6cd4

SHA256
a432b40eac2160a438f0d9415fe201139860411caab9a5d10a8230c31a547254

SHA512
a944da6b370122a84d2db95563ce3df4333867e35692cb6d66513ae74b2458b643fe288d3a17d501286cae8722c1f1d2859b7885ccfd3ec4a5c0b724df4912e5

Download Submit
C:\Users\Admin\Desktop\LimitSplit.midi

Filesize
542KB

MD5
9d1e94ae11eacbf89b383cbc2a96ac22

SHA1
55e5951ae9348e9bee4d890bd1723d80f6201f30

SHA256
6c9ba6d80e5176098b3ee6dbd86c4827665325b4e55b4205b0efb4f775c14ee7

SHA512
b024f1e5e3e5a7bf3ffbad361efa74257cfc17cb0039f0156ac813512c4106b233214627db2b18509c5114e19726936d6eb718ff17aa13673cf084d6e6decdfc

Download Submit
C:\Users\Admin\Desktop\MountExpand.wps

Filesize
411KB

MD5
6366d9f7383923bd18ea4b0d1b0a899c

SHA1
59bdb6e7429cec7939936dec1c22f11076fde224

SHA256
f34e1fb411c331ddad8ee6d930ebbdef7a74658f547b4fbedf31cf5cae6f8471

SHA512
0ef327516b38813f0d264b59bc8d103dd2e661c6e820c65474fc43b6c57eb3ac0c1ccd6531d21a15d86af9329a458c547ac41b2429e9f64478fad106d8fc28ef

Download Submit
C:\Users\Admin\Desktop\MountGet.wdp

Filesize
1.0MB

MD5
a90adb5a546e737477e8f30fea743caf

SHA1
8d74ba9d879c735805bf03b24fa78b798b84299d

SHA256
5acefb1b7a369aec88abd806ecc73ebaa227416b3ef55fe850cb75de3bdbb8f9

SHA512
2840c999142d68db68caeea2eed0f00c511d004e430a3ec50468a8633947ecff8443d0d5d1ee663401859f194855c1a2e266beb1618f8697468328d13bc4984d

Download Submit
C:\Users\Admin\Desktop\NewExport.xps

Filesize
510KB

MD5
da5cd029e60dc72f383d43b593197e30

SHA1
f3ad157156a364a88f89bad4bf72a76988d0874a

SHA256
0ca800d3088e73716ffb34818b390b8a900c02670e35d2d7d9bf1faca08b94f9

SHA512
4da5f784baa572e2140982a5414a034af98e6ff8c4fd9bd6fe4fd27a44da2fc02896922e69cac751e07c08fbb4ae648c0d500db61a16cb7e030be0a0b6c87cbf

Download Submit
C:\Users\Admin\Desktop\PushJoin.dib

Filesize
674KB

MD5
f993342b522e116507bf7493f2b4f181

SHA1
85f94cedb042c34763f4be8d948bae5f7e3306c8

SHA256
ce2efab37003c455800a060fb2732308eaf0c4fe83e4b5113c8b65046b0e271e

SHA512
06658517a78c29a5b5670473125f857fe988b3d8c0a2e0a4e712573a0b1203a3c34cdcde7e7551c95c711fa249587691b50c776c603d51f9c365641ac7fd8560

Download Submit
C:\Users\Admin\Desktop\RegisterPush.rm

Filesize
839KB

MD5
8939161c027a4e6c04470a941494d430

SHA1
f018889e814473531f6a30e3aa63565158e0de3c

SHA256
ac4b7a8c6a8bb3c3f5f27e132454203a312963cef4c4c0b345099b019758634f

SHA512
5dedf3fe9a47e74b9ac538fc39f3a08e27b5c3b0462a864b7fec126ee64667f20cd5f109923b79b5845348ae5b8da1b5af79bdc8f0dba624136841a2d0378394

Download Submit
C:\Users\Admin\Desktop\ResolveDisconnect.dib

Filesize
378KB

MD5
f0fc22ab0387a3fcf4684f397959b1e4

SHA1
d89f464d1a137a3d650cbb1beecb5a9b7916ce4c

SHA256
e832cd383b637dfd8a2f794f13dc60b3e2e96a29e52986fcc1595227dbadaf58

SHA512
4d3b224b3243aba960984926281f5d53ab1e2a91cc27a62647e89aa9a40f5eddb57d1e015559d0c6decafe0f7714ea91bb54f5b3b9924e48f380b1eee677769c

Download Submit
C:\Users\Admin\Desktop\SaveConvert.vdw

Filesize
937KB

MD5
ab075bcef8d269c300f6ff552a801fde

SHA1
90bbd91ea47c035f8c0f3c60c7990c9e729492bf

SHA256
4093bf93b78351734fdc71f9e19a4922c4372e3c5942314b59a2ddacb57ff136

SHA512
cdf9fb6f03c58132cf79cc28ba74e374d87abfeb6bde9b1cb152d40b16440f3965e93261942facd4aa792989ebf37ae13890606fe0d5605250093715436df7ac

Download Submit
C:\Users\Admin\Desktop\SelectSend.otf

Filesize
1.4MB

MD5
1de0fcbfdff3687db856b2523e3785e9

SHA1
b790cb976cc07c4dba3eb5b4d4ada68a9b438814

SHA256
a21a38322fc270d6a728e01b53594b20853d696d8f109594b2e09c5e500349d9

SHA512
2615189789e751b9e1cebc34f62a49a156b7d75879d48fa427c17dc15628846da065df58e461c04dfea61ab7e260666280cdf039c31c0d07228795c4b218599e

Download Submit
C:\Users\Admin\Desktop\SendConvert.wps

Filesize
773KB

MD5
46d3e4a66a5d210fc492376c7ca545e7

SHA1
9f57fa8fb598a4df5a354f991a05fc72f5a8e587

SHA256
bf4312b93732f22fcdc39cf1dc0419c3c35b73eeb8480b45af749c901cb73ce8

SHA512
1cd5b7f1c018f5448fc3665be18666d7c27062c23f459b3bc4ae80d3216ccafe7c0c5929afd1d0c4b2e6d19d4bd05f2fa4eb2d6c0e454e69ff7f5d43fe10a10e

Download Submit
C:\Users\Admin\Desktop\StartRegister.doc

Filesize
1.0MB

MD5
c6d9574ef35ec77b89dba8971c624824

SHA1
6eb5703c3de283e4b5e47f91dea8356131b07520

SHA256
b085c27151fc259f01b459806deca243d0f344a3c7a6d53a23a4d6b9a6e68cb0

SHA512
af1e73fa0ceaeaa398dc985fbcd4528b33b87c303efcb0a9ee4d259696361ec08c9248cba5df793d0a5ac58ae11e8cb9a81fe289214259889b1e9369fb80a4ab

Download Submit
C:\Users\Admin\Desktop\UndoAssert.wmx

Filesize
872KB

MD5
baafc4ffdee1650791584a6c94994b09

SHA1
c5641e968ccdc2650878361bac648a293c078b80

SHA256
b243f0b84ab491ca204924f283f31e03467d942dddf79362cae038080f764097

SHA512
2f3cb4b3da552d6aedadd302d9c38da533e5cbbff3776a1fb71f18b767f2587619e16597b28823a75a8bafc69514fd73955c7820c46a62aa66f235c81206b591

Download Submit
memory/1232-19-0x000000001E520000-0x000000001E53E000-memory.dmp

Filesize
120KB

Download
memory/1232-18-0x000000001DBF0000-0x000000001DC00000-memory.dmp

Filesize
64KB

Download
memory/1232-17-0x000000001E580000-0x000000001E5F6000-memory.dmp

Filesize
472KB

Download
memory/2464-9-0x00007FFCD8600000-0x00007FFCD90C1000-memory.dmp

Filesize
10.8MB

Download
memory/2464-1-0x0000000000B90000-0x0000000000BA8000-memory.dmp

Filesize
96KB

Download
memory/2464-0-0x00007FFCD8603000-0x00007FFCD8605000-memory.dmp

Filesize
8KB

Download
memory/2464-3-0x00007FFCD8600000-0x00007FFCD90C1000-memory.dmp

Filesize
10.8MB

Download
memory/2464-8-0x00007FFCD8600000-0x00007FFCD90C1000-memory.dmp

Filesize
10.8MB

Download