asyncrat | 7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca

Analysis

max time kernel
127s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2024, 14:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

919b43661894503a00d44ffd1174d613.exe
Size

64KB
MD5

919b43661894503a00d44ffd1174d613
SHA1

c510009fb7bad735e35a10c0ebe925d730ca961f
SHA256

7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca
SHA512

5019e86e2c0585aa59d7c14b4a0b03c911440487b9bd843db0a6138861e46274f17d72deea09429b650c5976aa9bf03d7427d65b26cc4b65c0c0bd9f1b19997b
SSDEEP

768:N9aGzWs/9PiPJ5eit9JSTLavfU4OnsD3q66T1+4SCv7mqb2nRpwH1oDjoUhPGnPP:vaW90TekUJyq6OqGbbUwDuGnPpqKmY7

Score

10^/10

asyncrat discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

server.underground-cheat.xyz:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
Host Process for Windows.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

blue.o7lab.me:7777

server.underground-cheat.xyz:7777

Mutex

RPYntXGt1eJi

Attributes

delay
3
install
true
install_file
WinUpdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000016985-9.dat	family_asyncrat
behavioral2/files/0x000900000002342d-25.dat	family_asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	919b43661894503a00d44ffd1174d613.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Host Process for Windows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	$77svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
2268	Host Process for Windows.exe
1408	$77svchost.exe
392	WinUpdate.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
3404	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1064	timeout.exe
3792	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3144	schtasks.exe
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
1668	919b43661894503a00d44ffd1174d613.exe
3404	powershell.exe
3404	powershell.exe
2268	Host Process for Windows.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe
1408	$77svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	919b43661894503a00d44ffd1174d613.exe
Token: SeDebugPrivilege	2268	Host Process for Windows.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	1408	$77svchost.exe
Token: SeDebugPrivilege	392	WinUpdate.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 5004	1668	919b43661894503a00d44ffd1174d613.exe	85
PID 1668 wrote to memory of 5004	1668	919b43661894503a00d44ffd1174d613.exe	85
PID 1668 wrote to memory of 4328	1668	919b43661894503a00d44ffd1174d613.exe	87
PID 1668 wrote to memory of 4328	1668	919b43661894503a00d44ffd1174d613.exe	87
PID 4328 wrote to memory of 1064	4328	cmd.exe	89
PID 4328 wrote to memory of 1064	4328	cmd.exe	89
PID 5004 wrote to memory of 3144	5004	cmd.exe	90
PID 5004 wrote to memory of 3144	5004	cmd.exe	90
PID 4328 wrote to memory of 2268	4328	cmd.exe	91
PID 4328 wrote to memory of 2268	4328	cmd.exe	91
PID 2268 wrote to memory of 1940	2268	Host Process for Windows.exe	93
PID 2268 wrote to memory of 1940	2268	Host Process for Windows.exe	93
PID 1940 wrote to memory of 3404	1940	cmd.exe	95
PID 1940 wrote to memory of 3404	1940	cmd.exe	95
PID 3404 wrote to memory of 1408	3404	powershell.exe	96
PID 3404 wrote to memory of 1408	3404	powershell.exe	96
PID 3404 wrote to memory of 1408	3404	powershell.exe	96
PID 1408 wrote to memory of 4788	1408	$77svchost.exe	97
PID 1408 wrote to memory of 4788	1408	$77svchost.exe	97
PID 1408 wrote to memory of 4788	1408	$77svchost.exe	97
PID 1408 wrote to memory of 4564	1408	$77svchost.exe	99
PID 1408 wrote to memory of 4564	1408	$77svchost.exe	99
PID 1408 wrote to memory of 4564	1408	$77svchost.exe	99
PID 4564 wrote to memory of 3792	4564	cmd.exe	101
PID 4564 wrote to memory of 3792	4564	cmd.exe	101
PID 4564 wrote to memory of 3792	4564	cmd.exe	101
PID 4788 wrote to memory of 2744	4788	cmd.exe	102
PID 4788 wrote to memory of 2744	4788	cmd.exe	102
PID 4788 wrote to memory of 2744	4788	cmd.exe	102
PID 4564 wrote to memory of 392	4564	cmd.exe	103
PID 4564 wrote to memory of 392	4564	cmd.exe	103
PID 4564 wrote to memory of 392	4564	cmd.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\919b43661894503a00d44ffd1174d613.exe
"C:\Users\Admin\AppData\Local\Temp\919b43661894503a00d44ffd1174d613.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Host Process for Windows" /tr '"C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Host Process for Windows" /tr '"C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8136.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1064
- - C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe
    "C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\$77svchost.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\$77svchost.exe"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
      - C:\Users\Admin\AppData\Local\Temp\$77svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\$77svchost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"' & exit
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"'
        8⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBB61.tmp.bat""
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        8⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3792
        
        C:\Users\Admin\AppData\Roaming\WinUpdate.exe
        
        "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$77svchost.exe

Filesize
45KB

MD5
a44a767dba207c04c74afae17144f787

SHA1
fa14f38216e259be5b181c825719f1c864691a5f

SHA256
26eaa5bce06cadc54cb4990fabb1b9150966ef720b07a836ef2bd456360246b2

SHA512
7dfd6e182ac9f16b29843cb0eabaa7db02fa3ee59c65c7822d9213859c4a7185d0fdcd1d51747a11b4fdd3a7947ea14fdc7fa583c13b4d3edf50b8d6d3178619

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1oxjdk4d.5s1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8136.tmp.bat

Filesize
168B

MD5
58d79c36468d78cf584ab86bae9d197c

SHA1
39906d9d00e3b468872ef7e3b5759342d14b3551

SHA256
002100a5f79db56cd58af0c1cc7558bcee69e1499dffae89c07890bf0023cb7c

SHA512
16a6790793d3043befe8b842388b394bc8d04d013c24d6d9911d56f5b58448a97ab8075751f70e01b4cd31805ea5af29891987e10453c400c6e261b5232ade12

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB61.tmp.bat

Filesize
153B

MD5
adffb21220aac74ea0b1175c313d30b2

SHA1
924453a51d771f210e94bd5661f816b689904878

SHA256
469a9b1eb0a46f5fa401fd9881643bf204ecdab5f9535f5abf4b9424df7f87d1

SHA512
e958fd0b01178f7b7d55bf28a41008889b6528f9150b1c371a549acfe81b22a78baaefed5866eb43ed5d82b7f552f527f7833cdd79ca2e1546c5a00099f200e2

Download Submit
C:\Users\Admin\AppData\Roaming\Host Process for Windows.exe

Filesize
64KB

MD5
919b43661894503a00d44ffd1174d613

SHA1
c510009fb7bad735e35a10c0ebe925d730ca961f

SHA256
7ce2d225442252064d744be1c38e9c1572dd355bbbaf7fa411ce79e41288dfca

SHA512
5019e86e2c0585aa59d7c14b4a0b03c911440487b9bd843db0a6138861e46274f17d72deea09429b650c5976aa9bf03d7427d65b26cc4b65c0c0bd9f1b19997b

Download Submit
memory/1408-29-0x0000000000E20000-0x0000000000E32000-memory.dmp

Filesize
72KB

Download
memory/1408-30-0x00000000057B0000-0x000000000584C000-memory.dmp

Filesize
624KB

Download
memory/1668-0-0x00007FFC001D3000-0x00007FFC001D5000-memory.dmp

Filesize
8KB

Download
memory/1668-2-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/1668-1-0x0000000000D20000-0x0000000000D36000-memory.dmp

Filesize
88KB

Download
memory/1668-39-0x00007FFC001D0000-0x00007FFC00C91000-memory.dmp

Filesize
10.8MB

Download
memory/2268-11-0x000000001BA70000-0x000000001BAE6000-memory.dmp

Filesize
472KB

Download
memory/2268-12-0x0000000002200000-0x000000000220E000-memory.dmp

Filesize
56KB

Download
memory/2268-13-0x00000000023B0000-0x00000000023CE000-memory.dmp

Filesize
120KB

Download
memory/3404-15-0x000001EB77860000-0x000001EB77882000-memory.dmp

Filesize
136KB

Download