asyncrat | ddb108688775b154e5fdcba09cd8b204e8de3c355772c3136c1c72e9cb2e6c9d

Analysis

max time kernel
239s
max time network
240s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-08-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

6.8MB
MD5

2c07c81a8d5f9214b84fbc719bc05cd9
SHA1

4290e1e9b958e60a6f14a4e02fbecac28ba11506
SHA256

ddb108688775b154e5fdcba09cd8b204e8de3c355772c3136c1c72e9cb2e6c9d
SHA512

ed2049df3988f23360e1b3ea7cf0bdb2af6543dcef9cf29464174003af74fea74cc3aa5b4f5085a5b2b47d6fb0e528bd09035377a353f83931a5ddea8b3ec2f0
SSDEEP

196608:DqCSDQ52eJbdmRnNwjsWfGRyHXXGQ/3k:DMQzIRniIW+RyHXX/Pk

Score

10^/10

asyncrat default rat upx

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

193.161.193.99:53757

Mutex

tdzrvimddbca

Attributes

delay
1
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0034000000016140-12.dat	family_asyncrat

Executes dropped EXE 4 IoCs

pid	Process
2920	Built.exe
2060	Client.exe
2716	Built.exe
1188	Process not Found

Loads dropped DLL 3 IoCs

pid	Process
1724	Loader.exe
2920	Built.exe
2716	Built.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000187a7-40.dat	upx
behavioral1/memory/2716-43-0x000007FEED090000-0x000007FEED678000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	Loader.exe
Token: SeDebugPrivilege	2060	Client.exe
Token: SeIncreaseQuotaPrivilege	2060	Client.exe
Token: SeSecurityPrivilege	2060	Client.exe
Token: SeTakeOwnershipPrivilege	2060	Client.exe
Token: SeLoadDriverPrivilege	2060	Client.exe
Token: SeSystemProfilePrivilege	2060	Client.exe
Token: SeSystemtimePrivilege	2060	Client.exe
Token: SeProfSingleProcessPrivilege	2060	Client.exe
Token: SeIncBasePriorityPrivilege	2060	Client.exe
Token: SeCreatePagefilePrivilege	2060	Client.exe
Token: SeBackupPrivilege	2060	Client.exe
Token: SeRestorePrivilege	2060	Client.exe
Token: SeShutdownPrivilege	2060	Client.exe
Token: SeDebugPrivilege	2060	Client.exe
Token: SeSystemEnvironmentPrivilege	2060	Client.exe
Token: SeRemoteShutdownPrivilege	2060	Client.exe
Token: SeUndockPrivilege	2060	Client.exe
Token: SeManageVolumePrivilege	2060	Client.exe
Token: 33	2060	Client.exe
Token: 34	2060	Client.exe
Token: 35	2060	Client.exe
Token: SeIncreaseQuotaPrivilege	2060	Client.exe
Token: SeSecurityPrivilege	2060	Client.exe
Token: SeTakeOwnershipPrivilege	2060	Client.exe
Token: SeLoadDriverPrivilege	2060	Client.exe
Token: SeSystemProfilePrivilege	2060	Client.exe
Token: SeSystemtimePrivilege	2060	Client.exe
Token: SeProfSingleProcessPrivilege	2060	Client.exe
Token: SeIncBasePriorityPrivilege	2060	Client.exe
Token: SeCreatePagefilePrivilege	2060	Client.exe
Token: SeBackupPrivilege	2060	Client.exe
Token: SeRestorePrivilege	2060	Client.exe
Token: SeShutdownPrivilege	2060	Client.exe
Token: SeDebugPrivilege	2060	Client.exe
Token: SeSystemEnvironmentPrivilege	2060	Client.exe
Token: SeRemoteShutdownPrivilege	2060	Client.exe
Token: SeUndockPrivilege	2060	Client.exe
Token: SeManageVolumePrivilege	2060	Client.exe
Token: 33	2060	Client.exe
Token: 34	2060	Client.exe
Token: 35	2060	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2920	1724	Loader.exe	31
PID 1724 wrote to memory of 2920	1724	Loader.exe	31
PID 1724 wrote to memory of 2920	1724	Loader.exe	31
PID 1724 wrote to memory of 2060	1724	Loader.exe	32
PID 1724 wrote to memory of 2060	1724	Loader.exe	32
PID 1724 wrote to memory of 2060	1724	Loader.exe	32
PID 2920 wrote to memory of 2716	2920	Built.exe	33
PID 2920 wrote to memory of 2716	2920	Built.exe	33
PID 2920 wrote to memory of 2716	2920	Built.exe	33

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
74KB

MD5
18c6b9b81821b6207ea5b91834417bfd

SHA1
662ebe7328f8daaa534d6091337e993e10d85d8d

SHA256
5b2a4357ad1133c780fc4d77bfe6a3413b8db40384d4e3c25ea0471b1cf58e48

SHA512
a81bc2eb2c4fa70f320a6e8e5e4ab2d39d8ccaa291f7ba02547e9c92e9d315645e3d0d3e4cf82a05d67b05d23669b5dd9f8bd828f5d78f65458829b72f83e445

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
6.9MB

MD5
92805f3188b62a013792725e9328ee8d

SHA1
cb495bfb771b33356168e3a7d8935665cdba0ed1

SHA256
fbe112efeaa3acb04b2bd3e584488c1c14229ddf5559105ab53a70156744d45f

SHA512
b9d93cd4f8af75f5d188cc99076fe766330aec3c98ba9069532e5df20d91f11b61c81960fa68f50d70959e92e0ac3bb5204932121057f9af3ea00fd99af831ff

Download Submit
memory/1724-0-0x000007FEF5BB3000-0x000007FEF5BB4000-memory.dmp

Filesize
4KB

Download
memory/1724-1-0x0000000001210000-0x00000000018E8000-memory.dmp

Filesize
6.8MB

Download
memory/1724-2-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/1724-13-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-22-0x0000000001190000-0x00000000011A8000-memory.dmp

Filesize
96KB

Download
memory/2060-41-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-45-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-49-0x000007FEF5BB0000-0x000007FEF659C000-memory.dmp

Filesize
9.9MB

Download
memory/2716-43-0x000007FEED090000-0x000007FEED678000-memory.dmp

Filesize
5.9MB

Download