asyncrat | 3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc

Analysis

max time kernel
148s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 01:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
Size

204KB
MD5

dfcfcd78d212140c3b087d315d5ed33b
SHA1

a3a5f02aa532c70f3452763ed6fbdfa03a7fac44
SHA256

3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc
SHA512

8dd40a9d957745926f519f97a03a5727f79f120477aa624e7f8f48d6b5275f6b45df4ee998868dd4ff738f9851a0aac32df13b1674ca528cdf5fefc731ed4da7
SSDEEP

3072:dURcxswS6PMVSsl3H1bNSGQNWwfBtOEp7ybMj/0vU7yZED+CDgbB+Y:d3S6PMVNVbR0W6mEpmbMjgU7yZf8

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Mutex

server.underground-cheat.xyz

Attributes

delay
1
install
true
install_file
WinUpdate.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000e0000000233df-11.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe

Executes dropped EXE 1 IoCs

pid	Process
2448	WinUpdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3432	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe
2448	WinUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
Token: SeDebugPrivilege	2448	WinUpdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2448	WinUpdate.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 3184	2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe	88
PID 2512 wrote to memory of 3184	2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe	88
PID 2512 wrote to memory of 4984	2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe	90
PID 2512 wrote to memory of 4984	2512	3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe	90
PID 4984 wrote to memory of 3432	4984	cmd.exe	92
PID 4984 wrote to memory of 3432	4984	cmd.exe	92
PID 3184 wrote to memory of 1776	3184	cmd.exe	93
PID 3184 wrote to memory of 1776	3184	cmd.exe	93
PID 4984 wrote to memory of 2448	4984	cmd.exe	94
PID 4984 wrote to memory of 2448	4984	cmd.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe
"C:\Users\Admin\AppData\Local\Temp\3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD30F.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3432
- - C:\Users\Admin\AppData\Roaming\WinUpdate.exe
    "C:\Users\Admin\AppData\Roaming\WinUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD30F.tmp.bat

Filesize
153B

MD5
d9027aa23428f789c5324fe20baab584

SHA1
7cfefedd35cfc2b234c7f200d1e5b572e6119183

SHA256
6ab2c6b595b424742d414dc3c88567abdbe3c06882906697145f07a5b2fe0671

SHA512
1138d4b90ff57ed2863f8ae97139fd5b1942cc1f96aef92e6f6585d11dae1e8e81415a271981628c95d38cc5dcf0cf8eaa96b99c696104ef0b45b82140912c3a

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate.exe

Filesize
204KB

MD5
dfcfcd78d212140c3b087d315d5ed33b

SHA1
a3a5f02aa532c70f3452763ed6fbdfa03a7fac44

SHA256
3b03a24bfde864b0d8b17213f7f2deb6d7e3f5f74b34d3b601cbadd961b904fc

SHA512
8dd40a9d957745926f519f97a03a5727f79f120477aa624e7f8f48d6b5275f6b45df4ee998868dd4ff738f9851a0aac32df13b1674ca528cdf5fefc731ed4da7

Download Submit
memory/2512-0-0x00007FFCECE23000-0x00007FFCECE25000-memory.dmp

Filesize
8KB

Download
memory/2512-1-0x00000000001B0000-0x00000000001E8000-memory.dmp

Filesize
224KB

Download
memory/2512-3-0x00007FFCECE20000-0x00007FFCED8E1000-memory.dmp

Filesize
10.8MB

Download
memory/2512-8-0x00007FFCECE20000-0x00007FFCED8E1000-memory.dmp

Filesize
10.8MB

Download