Overview

overview

10

Static

static

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    426s
  • max time network
    428s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-08-2024 11:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    63KB

  • MD5

    6792e3cba8bc62b41b1f0a4191b54f76

  • SHA1

    19bc015894335187e7a02705abc6277459d114d7

  • SHA256

    55d756c6acb37cdbb96f04df302755086b82b9b7b40285d8b7e3888cb01875f7

  • SHA512

    2aff2ce90e54793302811640ae7f640a7121f48d5afde558a2a6adec5275032a73d0cbe1140462aa4f8a3c3e39d7c60efbabd7847e994708d04b9757b813b3be

  • SSDEEP

    768:N9jeW5MbhiPG5Si99JaWcXveeObMbNqV1+RSCv7mqb2nIpwH1oySq7hPGmDpqKYC:bkbdDHeeiIVrGbbXwtbGmDpqKmY7

Score
10/10
asyncratvenom clientsrat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

mode-clusters.gl.at.ply.gg:36304

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    $77-Anti Root.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-Anti Root" /tr '"C:\Users\Admin\AppData\Local\Temp\$77-Anti Root.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "$77-Anti Root" /tr '"C:\Users\Admin\AppData\Local\Temp\$77-Anti Root.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2016
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8CCF.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:5028
      • C:\Users\Admin\AppData\Local\Temp\$77-Anti Root.exe
        "C:\Users\Admin\AppData\Local\Temp\$77-Anti Root.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3204
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "$77-Anti Root"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3420
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /f /tn "$77-Anti Root"
            5⤵
              PID:4300
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD354.tmp.bat""
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1936
            • C:\Windows\system32\timeout.exe
              timeout 3
              5⤵
              • Delays execution with timeout.exe
              PID:4832
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4172
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
        PID:4360
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
          PID:4856
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3208
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1848

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
          Filesize

          64KB

          MD5

          d2fb266b97caff2086bf0fa74eddb6b2

          SHA1

          2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

          SHA256

          b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

          SHA512

          c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

          Download Submit

        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
          Filesize

          4B

          MD5

          f49655f856acb8884cc0ace29216f511

          SHA1

          cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

          SHA256

          7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

          SHA512

          599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

          Download Submit

        • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
          Filesize

          944B

          MD5

          6bd369f7c74a28194c991ed1404da30f

          SHA1

          0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

          SHA256

          878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

          SHA512

          8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\$77-Anti Root.exe
          Filesize

          63KB

          MD5

          6792e3cba8bc62b41b1f0a4191b54f76

          SHA1

          19bc015894335187e7a02705abc6277459d114d7

          SHA256

          55d756c6acb37cdbb96f04df302755086b82b9b7b40285d8b7e3888cb01875f7

          SHA512

          2aff2ce90e54793302811640ae7f640a7121f48d5afde558a2a6adec5275032a73d0cbe1140462aa4f8a3c3e39d7c60efbabd7847e994708d04b9757b813b3be

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp8CCF.tmp.bat
          Filesize

          160B

          MD5

          db870d27e5097a6984b13f89d9a87ce0

          SHA1

          7d9699bc53c2c87325c129a00f13bbcfc7b6be7a

          SHA256

          dfddf6b58591af183f7496b787b58c5d26a23789c28ea594a21458b6b329bcf7

          SHA512

          1c434c1b8b6a973ed131b153c4c95d79cdd507dfdcbcf0e542b294c436942eb917ec8b653b54d3d236b72d9d4c5e0692e7549737c4b440ca5a525e9c2eb5ba3c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpD354.tmp.bat
          Filesize

          165B

          MD5

          ed1ecc95441a3c976d6a39a49ec0de75

          SHA1

          a546ac2286028afda1a574f77e54878437e9b966

          SHA256

          f99029ec649917b965183cc1ba866b26c74f655ad70c91c07ff68ce6c517acd6

          SHA512

          617ef47497d283cc9c9ec8a5d427b90496d9210189685ca9ab1c5ef1ca5ba7dd8df1c7b19ff0d66da30e2f06552d8b17ccfe35301bb2d43a646fb0cf24b1486e

          Download Submit

        • memory/1068-1-0x0000000000E90000-0x0000000000EA6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1068-2-0x00007FFFEC4A0000-0x00007FFFECF61000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1068-7-0x00007FFFEC4A0000-0x00007FFFECF61000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1068-0-0x00007FFFEC4A3000-0x00007FFFEC4A5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1848-43-0x000001EA94780000-0x000001EA94781000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1848-33-0x000001EA94780000-0x000001EA94781000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1848-35-0x000001EA94780000-0x000001EA94781000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1848-45-0x000001EA94780000-0x000001EA94781000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1848-44-0x000001EA94780000-0x000001EA94781000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1848-42-0x000001EA94780000-0x000001EA94781000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1848-41-0x000001EA94780000-0x000001EA94781000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1848-40-0x000001EA94780000-0x000001EA94781000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1848-34-0x000001EA94780000-0x000001EA94781000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3204-25-0x000000001BDE0000-0x000000001BE56000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3204-28-0x000000001B080000-0x000000001B090000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3204-27-0x000000001B060000-0x000000001B07E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3204-26-0x000000001B000000-0x000000001B064000-memory.dmp

          Filesize

          400KB

          Download

        • memory/4172-16-0x000002B865B20000-0x000002B865B21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4172-17-0x000002B865B20000-0x000002B865B21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4172-18-0x000002B865B20000-0x000002B865B21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4172-19-0x000002B865B20000-0x000002B865B21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4172-20-0x000002B865B20000-0x000002B865B21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4172-21-0x000002B865B20000-0x000002B865B21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4172-15-0x000002B865B20000-0x000002B865B21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4172-10-0x000002B865B20000-0x000002B865B21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4172-11-0x000002B865B20000-0x000002B865B21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4172-9-0x000002B865B20000-0x000002B865B21000-memory.dmp

          Filesize

          4KB

          Download