Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    04-08-2024 19:32

General

  • Target

    Client.exe

  • Size

    63KB

  • MD5

    730fffd38140c61bade2c837099a4f0d

  • SHA1

    615a5bd706eb2676aedaa39fc6927cecef1aae29

  • SHA256

    e61f184859c51a4c0213f7481455a711ea45b0c8f8ee241f1e32cb873c10fa28

  • SHA512

    51b1a5f9fc240a2174cb7f6e6c2874e875b5045882a5d6e8ce3584a6e343285013be3bf9a6425e0e17f18215ae6fb574a23a2317b38453c84324f457b86429e1

  • SSDEEP

    1536:SJWnX1QHsrLhSBjCeeiIVrGbbXwTPGGDpqKmY7:SJWnX1QHsrLqjbeXGbbXQgz

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

127.0.0.1:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    microsoft_edge.exe

  • install_folder

    %AppData%

aes.plain
1
TQhANtWMxXPLJxv6YCiEHW3nFvaOt4q6

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C# that is designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "microsoft_edge" /tr '"C:\Users\Admin\AppData\Roaming\microsoft_edge.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "microsoft_edge" /tr '"C:\Users\Admin\AppData\Roaming\microsoft_edge.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2992
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC46.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4964
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1992
      • C:\Users\Admin\AppData\Roaming\microsoft_edge.exe
        "C:\Users\Admin\AppData\Roaming\microsoft_edge.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4740
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4656

    Network

    • flag-us
      DNS
      43.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.229.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      9.179.89.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.179.89.13.in-addr.arpa
      IN PTR
      Response
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 127.0.0.1:4449
      microsoft_edge.exe
    • 8.8.8.8:53
      43.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      43.229.111.52.in-addr.arpa

    • 8.8.8.8:53
      9.179.89.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      9.179.89.13.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpDC46.tmp.bat

      Filesize

      158B

      MD5

      852dd56954547ae87a120aa00beb452b

      SHA1

      f9429ae568e5d3b6afacc1479aaf0fc6006497ce

      SHA256

      ff8e9eed94643972cd33083fd32fb62516fb85b6aeb63bc8d773b0fb8cb1e514

      SHA512

      ecebf87d992c2136a3d11aaed0d21a1586b54b1993aa4f6eac0469426ad2c9149945f5bdc8e55817614b8305e4b73dd460bb947f2061d0a4ea9418b6573d9651

    • C:\Users\Admin\AppData\Roaming\microsoft_edge.exe

      Filesize

      63KB

      MD5

      730fffd38140c61bade2c837099a4f0d

      SHA1

      615a5bd706eb2676aedaa39fc6927cecef1aae29

      SHA256

      e61f184859c51a4c0213f7481455a711ea45b0c8f8ee241f1e32cb873c10fa28

      SHA512

      51b1a5f9fc240a2174cb7f6e6c2874e875b5045882a5d6e8ce3584a6e343285013be3bf9a6425e0e17f18215ae6fb574a23a2317b38453c84324f457b86429e1

    • memory/4676-1-0x00000000008B0000-0x00000000008C6000-memory.dmp

      Filesize

      88KB

    • memory/4676-0-0x00007FFC5B563000-0x00007FFC5B564000-memory.dmp

      Filesize

      4KB

    • memory/4676-2-0x00007FFC5B560000-0x00007FFC5BF4C000-memory.dmp

      Filesize

      9.9MB

    • memory/4676-3-0x00007FFC5B560000-0x00007FFC5BF4C000-memory.dmp

      Filesize

      9.9MB

    • memory/4676-9-0x00007FFC5B560000-0x00007FFC5BF4C000-memory.dmp

      Filesize

      9.9MB
