asyncrat | bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-08-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnneSalt.bin.exe
Size

1.7MB
MD5

0dac2872a9c5b21289499db3dcd2f18d
SHA1

6b81e35f85e2675372b1abe5c1e0b2aff5b71729
SHA256

bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772
SHA512

2bb2c356b2782f1217c57e3422e5fdfd6b41e4b25bcbdfec1e4707c4874127e70c4ae249eba20f5c158d994d5b5c30cc0c84cc9396d6895f2b625ac1e1bd3b76
SSDEEP

49152:EzQfCT0ay5jIRZRQ+uGZU9zQfCT0ay5jIRZRQ+uGZURH9:ZNlIm2U6NlIm2URH9

Score

10^/10

asyncrat crypted discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Crypted

154.216.20.190:4449

Mutex

iwrodgxclqca

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2628 created 1196	2628	Boxing.pif	20
PID 2628 created 1196	2628	Boxing.pif	20
PID 2628 created 1196	2628	Boxing.pif	20

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2628	Boxing.pif
2984	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2716	cmd.exe
2628	Boxing.pif
2984	RegAsm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2860	tasklist.exe
2648	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BadlyAssured	AnneSalt.bin.exe
File opened for modification	C:\Windows\SkinHd	AnneSalt.bin.exe
File opened for modification	C:\Windows\UnsignedProcedures	AnneSalt.bin.exe
File opened for modification	C:\Windows\AccompaniedLongest	AnneSalt.bin.exe
File opened for modification	C:\Windows\VermontDisplaying	AnneSalt.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnneSalt.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boxing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2628	Boxing.pif
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe
2984	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	tasklist.exe
Token: SeDebugPrivilege	2648	tasklist.exe
Token: SeDebugPrivilege	2984	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2628	Boxing.pif
2628	Boxing.pif
2628	Boxing.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2984	RegAsm.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2716	2240	AnneSalt.bin.exe	29
PID 2240 wrote to memory of 2716	2240	AnneSalt.bin.exe	29
PID 2240 wrote to memory of 2716	2240	AnneSalt.bin.exe	29
PID 2240 wrote to memory of 2716	2240	AnneSalt.bin.exe	29
PID 2716 wrote to memory of 2860	2716	cmd.exe	31
PID 2716 wrote to memory of 2860	2716	cmd.exe	31
PID 2716 wrote to memory of 2860	2716	cmd.exe	31
PID 2716 wrote to memory of 2860	2716	cmd.exe	31
PID 2716 wrote to memory of 2808	2716	cmd.exe	32
PID 2716 wrote to memory of 2808	2716	cmd.exe	32
PID 2716 wrote to memory of 2808	2716	cmd.exe	32
PID 2716 wrote to memory of 2808	2716	cmd.exe	32
PID 2716 wrote to memory of 2648	2716	cmd.exe	34
PID 2716 wrote to memory of 2648	2716	cmd.exe	34
PID 2716 wrote to memory of 2648	2716	cmd.exe	34
PID 2716 wrote to memory of 2648	2716	cmd.exe	34
PID 2716 wrote to memory of 2176	2716	cmd.exe	35
PID 2716 wrote to memory of 2176	2716	cmd.exe	35
PID 2716 wrote to memory of 2176	2716	cmd.exe	35
PID 2716 wrote to memory of 2176	2716	cmd.exe	35
PID 2716 wrote to memory of 2636	2716	cmd.exe	36
PID 2716 wrote to memory of 2636	2716	cmd.exe	36
PID 2716 wrote to memory of 2636	2716	cmd.exe	36
PID 2716 wrote to memory of 2636	2716	cmd.exe	36
PID 2716 wrote to memory of 2032	2716	cmd.exe	37
PID 2716 wrote to memory of 2032	2716	cmd.exe	37
PID 2716 wrote to memory of 2032	2716	cmd.exe	37
PID 2716 wrote to memory of 2032	2716	cmd.exe	37
PID 2716 wrote to memory of 1300	2716	cmd.exe	38
PID 2716 wrote to memory of 1300	2716	cmd.exe	38
PID 2716 wrote to memory of 1300	2716	cmd.exe	38
PID 2716 wrote to memory of 1300	2716	cmd.exe	38
PID 2716 wrote to memory of 2628	2716	cmd.exe	39
PID 2716 wrote to memory of 2628	2716	cmd.exe	39
PID 2716 wrote to memory of 2628	2716	cmd.exe	39
PID 2716 wrote to memory of 2628	2716	cmd.exe	39
PID 2716 wrote to memory of 2688	2716	cmd.exe	40
PID 2716 wrote to memory of 2688	2716	cmd.exe	40
PID 2716 wrote to memory of 2688	2716	cmd.exe	40
PID 2716 wrote to memory of 2688	2716	cmd.exe	40
PID 2628 wrote to memory of 840	2628	Boxing.pif	41
PID 2628 wrote to memory of 840	2628	Boxing.pif	41
PID 2628 wrote to memory of 840	2628	Boxing.pif	41
PID 2628 wrote to memory of 840	2628	Boxing.pif	41
PID 2628 wrote to memory of 2152	2628	Boxing.pif	43
PID 2628 wrote to memory of 2152	2628	Boxing.pif	43
PID 2628 wrote to memory of 2152	2628	Boxing.pif	43
PID 2628 wrote to memory of 2152	2628	Boxing.pif	43
PID 840 wrote to memory of 2536	840	cmd.exe	44
PID 840 wrote to memory of 2536	840	cmd.exe	44
PID 840 wrote to memory of 2536	840	cmd.exe	44
PID 840 wrote to memory of 2536	840	cmd.exe	44
PID 2628 wrote to memory of 2984	2628	Boxing.pif	46
PID 2628 wrote to memory of 2984	2628	Boxing.pif	46
PID 2628 wrote to memory of 2984	2628	Boxing.pif	46
PID 2628 wrote to memory of 2984	2628	Boxing.pif	46
PID 2628 wrote to memory of 2984	2628	Boxing.pif	46
PID 2628 wrote to memory of 2984	2628	Boxing.pif	46
PID 2628 wrote to memory of 2984	2628	Boxing.pif	46
PID 2628 wrote to memory of 2984	2628	Boxing.pif	46
PID 2628 wrote to memory of 2984	2628	Boxing.pif	46

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\AnneSalt.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\AnneSalt.bin.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Technique Technique.cmd & Technique.cmd & exit
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2860
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2808
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2648
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 79556
      4⤵
      System Location Discovery: System Language Discovery
      PID:2636
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "SpecificationsRemainExtraIntellectual" Compile
      4⤵
      System Location Discovery: System Language Discovery
      PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Cruz + Occupations + Grab + Recovery 79556\J
      4⤵
      System Location Discovery: System Language Discovery
      PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\79556\Boxing.pif
      Boxing.pif J
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2628
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Characteristic" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Characteristic" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url" & echo URL="C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\79556\Boxing.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\79556\J

Filesize
278KB

MD5
b2e6e302cb23ae84658d99f73c139456

SHA1
b47bb97d64b9e8f90db4d917061c3af4ef7c17ae

SHA256
27df426d3d4512ff09b0d059ae53e24496d4432ed9f6b9efed400f73415c860f

SHA512
289d47f6cb257c6c4eca1503ed40d48b955cf2f2ad1b83a2700edbf9401308ec8c7433baba9fcf9489a6d8e5da47e5fd3d2b092b312efb75c9e972eab0b322da

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF72D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compile

Filesize
394B

MD5
55a0f1e05ed876e96b6c5f9cbbda78ac

SHA1
fcbb892e290a579f26886ac84c4539d6993b3be1

SHA256
c7b444d54142d1795e214dbc91f06a8e974026e140189426c5ef9a4d5886ea74

SHA512
5e89bd6d1af8deecee5accd9c635a5cad58a53c41894b616ad70b68e7255bd7388a80ee2793152a6546d78ac50653c04e8a6aaf94e74478f2b27a4e6c54dba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cruz

Filesize
89KB

MD5
8f4a5b010b7cb90553cf568f1d2bd98d

SHA1
4041ad0b71db5c392a838f0ed691712a345ce8e0

SHA256
dd87802796eebb443f87ea935aa63ca3e23800f55e5306270e06fc4a2877fe73

SHA512
f8f6a00b0606f797dc3c24784ac4ee26d55ba5846558382dbccdba09f1b7fc9c7e1090cd587f257ed3b6522130965e90c0415edd0cd187bd22f52460cce3b1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grab

Filesize
89KB

MD5
2a54696eae0dc63b2611919701934dce

SHA1
6d83ffdfd99d301777e38be32016be812bae22f7

SHA256
d9e418a2b921a2af33c8945e845687c62dd9051bb3f1a7e3fdab79e881ccdedb

SHA512
3f52a3c5448293350c364fb86ad7aa0226bb98d4bfb79bbb4747499c9b9eab866b7909959e2630d44b2fd1fb14031abc77296876fcd2fa1fe4a74bc9c89e33eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Latina

Filesize
872KB

MD5
d3b504f21a2f988a193f98208eb28ed1

SHA1
e3fe20b94a8b87c51b2890556fd0718c58a5beae

SHA256
ce2417b4c6b4fadfdc01dae1ebc742ef070d4e1ff12bde4b7323bfa93d572261

SHA512
a928a0b389f2ec85ed7d9e2d1a470139e4875bf0f51c85f04531954275081c1e89010d332c969782ab6c20ce6741be26b1751c50163cac34a9fd290e2fc13267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Occupations

Filesize
96KB

MD5
6d754fb0eb9681681690f3fca2d9c1f3

SHA1
d7e2c3ab953436e8ba363ac075488aacb74eae0d

SHA256
db7b1d3765ff6f201d06fc7497880a89433f8df51265d5b58a8083f8d5121390

SHA512
8f4c228f1ec4d4c762fe7bf8dfef4d8f156efcc89c98a0bb7f616debbae854fe3cfc31c260a0028ce4584bdbf2712abf9b4384e95815fb2cb6e4fc630c9a9a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recovery

Filesize
4KB

MD5
e94004c4d1254e913f9612b487ce4957

SHA1
9a9f754bcdc57238c8a321372c227040d997532b

SHA256
bfcdbdbfa1f86e24813735c2a73bee6382b2950df9203a77af70c39a8ba57da6

SHA512
ef4b44356ca09dcd778913b882293447338f915b9553de3583c2934aacb222176bffc1f1c4dae70047c45a5353e6e4e17481e4b697577ca2c30ee69f55e8b587

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB2D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Technique

Filesize
13KB

MD5
90456de89fc27ac572f83b7f8da14c44

SHA1
ddbaf2a62eeafd1931af5ba262d7406e23af996a

SHA256
f3b6d7fa3c66667893fdfb84ca52d67f203db629d0b8efb5c069ffd1b3fc28b8

SHA512
dffe46a2fd483e8a146c36cafd441d229eb022dd22cc06ea21b31dce922d793cfa5b697e1272aafd110e36d74230271c40bcc3c8546f3970e392655d48130e00

Download Submit
\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
memory/2984-33-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2984-35-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/2984-36-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download