asyncrat | b943b9894fcf740d87809358cf35438a5bfacf19eed4178a2d452e412f7040b3

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

6.8MB
MD5

6d8b8dc75b6fca0503eb61189709eddc
SHA1

688bda04fc02f658940c9adcea9328265e464c98
SHA256

b943b9894fcf740d87809358cf35438a5bfacf19eed4178a2d452e412f7040b3
SHA512

abb64bbf5cefba249f960128ccd03914ce061437c6229c09e0fd67e774a554d93185b7e97015fc193ad36b54b021fec361a8500d45ca120b625e17d24ce9e9a3
SSDEEP

98304:EqSNZW+AnS2Kw/dGUQHnBjeG6AdaPambRQPhz6umF6oD/TWp5JmR+2DJJsgdiAbk:EqSsye0dCnbRI3oGpKR+irVqM6bk8

Score

10^/10

asyncrat default rat upx

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

193.161.193.99:53757

Mutex

jcbvehblkexi

Attributes

delay
1
install
true
install_file
Loader.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/files/0x0032000000016cdf-11.dat	VenomRAT
behavioral1/memory/2644-15-0x0000000000370000-0x0000000000388000-memory.dmp	VenomRAT

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0032000000016cdf-11.dat	family_asyncrat

Executes dropped EXE 4 IoCs

pid	Process
2628	Built.exe
2644	Client.exe
480	Built.exe
1200	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
2732	Loader.exe
2628	Built.exe
480	Built.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019259-41.dat	upx
behavioral1/memory/480-44-0x000007FEEDA60000-0x000007FEEE048000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	Loader.exe
Token: SeDebugPrivilege	2644	Client.exe
Token: SeIncreaseQuotaPrivilege	2644	Client.exe
Token: SeSecurityPrivilege	2644	Client.exe
Token: SeTakeOwnershipPrivilege	2644	Client.exe
Token: SeLoadDriverPrivilege	2644	Client.exe
Token: SeSystemProfilePrivilege	2644	Client.exe
Token: SeSystemtimePrivilege	2644	Client.exe
Token: SeProfSingleProcessPrivilege	2644	Client.exe
Token: SeIncBasePriorityPrivilege	2644	Client.exe
Token: SeCreatePagefilePrivilege	2644	Client.exe
Token: SeBackupPrivilege	2644	Client.exe
Token: SeRestorePrivilege	2644	Client.exe
Token: SeShutdownPrivilege	2644	Client.exe
Token: SeDebugPrivilege	2644	Client.exe
Token: SeSystemEnvironmentPrivilege	2644	Client.exe
Token: SeRemoteShutdownPrivilege	2644	Client.exe
Token: SeUndockPrivilege	2644	Client.exe
Token: SeManageVolumePrivilege	2644	Client.exe
Token: 33	2644	Client.exe
Token: 34	2644	Client.exe
Token: 35	2644	Client.exe
Token: SeIncreaseQuotaPrivilege	2644	Client.exe
Token: SeSecurityPrivilege	2644	Client.exe
Token: SeTakeOwnershipPrivilege	2644	Client.exe
Token: SeLoadDriverPrivilege	2644	Client.exe
Token: SeSystemProfilePrivilege	2644	Client.exe
Token: SeSystemtimePrivilege	2644	Client.exe
Token: SeProfSingleProcessPrivilege	2644	Client.exe
Token: SeIncBasePriorityPrivilege	2644	Client.exe
Token: SeCreatePagefilePrivilege	2644	Client.exe
Token: SeBackupPrivilege	2644	Client.exe
Token: SeRestorePrivilege	2644	Client.exe
Token: SeShutdownPrivilege	2644	Client.exe
Token: SeDebugPrivilege	2644	Client.exe
Token: SeSystemEnvironmentPrivilege	2644	Client.exe
Token: SeRemoteShutdownPrivilege	2644	Client.exe
Token: SeUndockPrivilege	2644	Client.exe
Token: SeManageVolumePrivilege	2644	Client.exe
Token: 33	2644	Client.exe
Token: 34	2644	Client.exe
Token: 35	2644	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2628	2732	Loader.exe	31
PID 2732 wrote to memory of 2628	2732	Loader.exe	31
PID 2732 wrote to memory of 2628	2732	Loader.exe	31
PID 2732 wrote to memory of 2644	2732	Loader.exe	32
PID 2732 wrote to memory of 2644	2732	Loader.exe	32
PID 2732 wrote to memory of 2644	2732	Loader.exe	32
PID 2628 wrote to memory of 480	2628	Built.exe	33
PID 2628 wrote to memory of 480	2628	Built.exe	33
PID 2628 wrote to memory of 480	2628	Built.exe	33

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:480
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
74KB

MD5
ebc24021778a88f078b2c676e04ab8ba

SHA1
cdcca27fcf3be6f1281c4bf0c47151ac90221a44

SHA256
2a3b9cc433d052fa723f3eaea7685fff10f916c2129f9d1c699bfaae381a6ffe

SHA512
e341b23d856c14fb7f20bad7860c6b3839e46aeafd5d0d9299b8f0399016dfeb4912c0309ebf6c6d17bf3216b457538b826380986be0ca4daceeabb7201bfa67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26282\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
6.9MB

MD5
6598fd689a0d5f964dcea08c179f9438

SHA1
694a9ad9326cde43bbc2266f3140659554732e34

SHA256
554d1180a2ab2b2b5b019883eae3872d3bc515e518bb494b8606d222d66a555b

SHA512
dbb707023939e4d4d7ad048747f57000c6086e612e3034d3307ee5e8557c554a6f4635b0d51bb33c9310038d35e2b4940538ebe33c2242530520efad1f657bee

Download Submit
memory/480-44-0x000007FEEDA60000-0x000007FEEE048000-memory.dmp

Filesize
5.9MB

Download
memory/2644-15-0x0000000000370000-0x0000000000388000-memory.dmp

Filesize
96KB

Download
memory/2644-40-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-43-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-46-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-0-0x000007FEF5D83000-0x000007FEF5D84000-memory.dmp

Filesize
4KB

Download
memory/2732-1-0x0000000000B00000-0x00000000011D8000-memory.dmp

Filesize
6.8MB

Download
memory/2732-2-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download
memory/2732-14-0x000007FEF5D80000-0x000007FEF676C000-memory.dmp

Filesize
9.9MB

Download