asyncrat | bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe
Size

1.7MB
MD5

0dac2872a9c5b21289499db3dcd2f18d
SHA1

6b81e35f85e2675372b1abe5c1e0b2aff5b71729
SHA256

bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772
SHA512

2bb2c356b2782f1217c57e3422e5fdfd6b41e4b25bcbdfec1e4707c4874127e70c4ae249eba20f5c158d994d5b5c30cc0c84cc9396d6895f2b625ac1e1bd3b76
SSDEEP

49152:EzQfCT0ay5jIRZRQ+uGZU9zQfCT0ay5jIRZRQ+uGZURH9:ZNlIm2U6NlIm2URH9

Score

10^/10

asyncrat crypted discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Crypted

154.216.20.190:4449

Mutex

iwrodgxclqca

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 4772 created 3440	4772	Boxing.pif	56
PID 4772 created 3440	4772	Boxing.pif	56
PID 4772 created 3440	4772	Boxing.pif	56

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
4772	Boxing.pif
3232	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
4904	tasklist.exe
4692	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SkinHd	bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe
File opened for modification	C:\Windows\UnsignedProcedures	bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe
File opened for modification	C:\Windows\AccompaniedLongest	bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe
File opened for modification	C:\Windows\VermontDisplaying	bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe
File opened for modification	C:\Windows\BadlyAssured	bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boxing.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
4772	Boxing.pif
4772	Boxing.pif
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe
3232	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	tasklist.exe
Token: SeDebugPrivilege	4692	tasklist.exe
Token: SeDebugPrivilege	3232	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4772	Boxing.pif
4772	Boxing.pif
4772	Boxing.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3232	RegAsm.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 2196	3612	bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe	84
PID 3612 wrote to memory of 2196	3612	bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe	84
PID 3612 wrote to memory of 2196	3612	bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe	84
PID 2196 wrote to memory of 4904	2196	cmd.exe	89
PID 2196 wrote to memory of 4904	2196	cmd.exe	89
PID 2196 wrote to memory of 4904	2196	cmd.exe	89
PID 2196 wrote to memory of 3596	2196	cmd.exe	90
PID 2196 wrote to memory of 3596	2196	cmd.exe	90
PID 2196 wrote to memory of 3596	2196	cmd.exe	90
PID 2196 wrote to memory of 4692	2196	cmd.exe	92
PID 2196 wrote to memory of 4692	2196	cmd.exe	92
PID 2196 wrote to memory of 4692	2196	cmd.exe	92
PID 2196 wrote to memory of 2516	2196	cmd.exe	93
PID 2196 wrote to memory of 2516	2196	cmd.exe	93
PID 2196 wrote to memory of 2516	2196	cmd.exe	93
PID 2196 wrote to memory of 4216	2196	cmd.exe	94
PID 2196 wrote to memory of 4216	2196	cmd.exe	94
PID 2196 wrote to memory of 4216	2196	cmd.exe	94
PID 2196 wrote to memory of 4028	2196	cmd.exe	95
PID 2196 wrote to memory of 4028	2196	cmd.exe	95
PID 2196 wrote to memory of 4028	2196	cmd.exe	95
PID 2196 wrote to memory of 4456	2196	cmd.exe	96
PID 2196 wrote to memory of 4456	2196	cmd.exe	96
PID 2196 wrote to memory of 4456	2196	cmd.exe	96
PID 2196 wrote to memory of 4772	2196	cmd.exe	97
PID 2196 wrote to memory of 4772	2196	cmd.exe	97
PID 2196 wrote to memory of 4772	2196	cmd.exe	97
PID 2196 wrote to memory of 540	2196	cmd.exe	98
PID 2196 wrote to memory of 540	2196	cmd.exe	98
PID 2196 wrote to memory of 540	2196	cmd.exe	98
PID 4772 wrote to memory of 60	4772	Boxing.pif	99
PID 4772 wrote to memory of 60	4772	Boxing.pif	99
PID 4772 wrote to memory of 60	4772	Boxing.pif	99
PID 4772 wrote to memory of 372	4772	Boxing.pif	101
PID 4772 wrote to memory of 372	4772	Boxing.pif	101
PID 4772 wrote to memory of 372	4772	Boxing.pif	101
PID 60 wrote to memory of 3472	60	cmd.exe	103
PID 60 wrote to memory of 3472	60	cmd.exe	103
PID 60 wrote to memory of 3472	60	cmd.exe	103
PID 4772 wrote to memory of 3232	4772	Boxing.pif	110
PID 4772 wrote to memory of 3232	4772	Boxing.pif	110
PID 4772 wrote to memory of 3232	4772	Boxing.pif	110
PID 4772 wrote to memory of 3232	4772	Boxing.pif	110
PID 4772 wrote to memory of 3232	4772	Boxing.pif	110

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe
  "C:\Users\Admin\AppData\Local\Temp\bbfda112b2d2742ec593b14cf9a0d2558cedaa24ae89d0cc9b5c94b94705c772.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Technique Technique.cmd & Technique.cmd & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4904
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3596
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4692
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 79556
      4⤵
      System Location Discovery: System Language Discovery
      PID:4216
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "SpecificationsRemainExtraIntellectual" Compile
      4⤵
      System Location Discovery: System Language Discovery
      PID:4028
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Cruz + Occupations + Grab + Recovery 79556\J
      4⤵
      System Location Discovery: System Language Discovery
      PID:4456
  - - C:\Users\Admin\AppData\Local\Temp\79556\Boxing.pif
      Boxing.pif J
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4772
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Characteristic" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Characteristic" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url" & echo URL="C:\Users\Admin\AppData\Local\SwiftTech Solutions\SwiftServe.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwiftServe.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:372
- C:\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\79556\Boxing.pif

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\79556\J

Filesize
278KB

MD5
b2e6e302cb23ae84658d99f73c139456

SHA1
b47bb97d64b9e8f90db4d917061c3af4ef7c17ae

SHA256
27df426d3d4512ff09b0d059ae53e24496d4432ed9f6b9efed400f73415c860f

SHA512
289d47f6cb257c6c4eca1503ed40d48b955cf2f2ad1b83a2700edbf9401308ec8c7433baba9fcf9489a6d8e5da47e5fd3d2b092b312efb75c9e972eab0b322da

Download Submit
C:\Users\Admin\AppData\Local\Temp\79556\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compile

Filesize
394B

MD5
55a0f1e05ed876e96b6c5f9cbbda78ac

SHA1
fcbb892e290a579f26886ac84c4539d6993b3be1

SHA256
c7b444d54142d1795e214dbc91f06a8e974026e140189426c5ef9a4d5886ea74

SHA512
5e89bd6d1af8deecee5accd9c635a5cad58a53c41894b616ad70b68e7255bd7388a80ee2793152a6546d78ac50653c04e8a6aaf94e74478f2b27a4e6c54dba22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cruz

Filesize
89KB

MD5
8f4a5b010b7cb90553cf568f1d2bd98d

SHA1
4041ad0b71db5c392a838f0ed691712a345ce8e0

SHA256
dd87802796eebb443f87ea935aa63ca3e23800f55e5306270e06fc4a2877fe73

SHA512
f8f6a00b0606f797dc3c24784ac4ee26d55ba5846558382dbccdba09f1b7fc9c7e1090cd587f257ed3b6522130965e90c0415edd0cd187bd22f52460cce3b1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Grab

Filesize
89KB

MD5
2a54696eae0dc63b2611919701934dce

SHA1
6d83ffdfd99d301777e38be32016be812bae22f7

SHA256
d9e418a2b921a2af33c8945e845687c62dd9051bb3f1a7e3fdab79e881ccdedb

SHA512
3f52a3c5448293350c364fb86ad7aa0226bb98d4bfb79bbb4747499c9b9eab866b7909959e2630d44b2fd1fb14031abc77296876fcd2fa1fe4a74bc9c89e33eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Latina

Filesize
872KB

MD5
d3b504f21a2f988a193f98208eb28ed1

SHA1
e3fe20b94a8b87c51b2890556fd0718c58a5beae

SHA256
ce2417b4c6b4fadfdc01dae1ebc742ef070d4e1ff12bde4b7323bfa93d572261

SHA512
a928a0b389f2ec85ed7d9e2d1a470139e4875bf0f51c85f04531954275081c1e89010d332c969782ab6c20ce6741be26b1751c50163cac34a9fd290e2fc13267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Occupations

Filesize
96KB

MD5
6d754fb0eb9681681690f3fca2d9c1f3

SHA1
d7e2c3ab953436e8ba363ac075488aacb74eae0d

SHA256
db7b1d3765ff6f201d06fc7497880a89433f8df51265d5b58a8083f8d5121390

SHA512
8f4c228f1ec4d4c762fe7bf8dfef4d8f156efcc89c98a0bb7f616debbae854fe3cfc31c260a0028ce4584bdbf2712abf9b4384e95815fb2cb6e4fc630c9a9a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Recovery

Filesize
4KB

MD5
e94004c4d1254e913f9612b487ce4957

SHA1
9a9f754bcdc57238c8a321372c227040d997532b

SHA256
bfcdbdbfa1f86e24813735c2a73bee6382b2950df9203a77af70c39a8ba57da6

SHA512
ef4b44356ca09dcd778913b882293447338f915b9553de3583c2934aacb222176bffc1f1c4dae70047c45a5353e6e4e17481e4b697577ca2c30ee69f55e8b587

Download Submit
C:\Users\Admin\AppData\Local\Temp\Technique

Filesize
13KB

MD5
90456de89fc27ac572f83b7f8da14c44

SHA1
ddbaf2a62eeafd1931af5ba262d7406e23af996a

SHA256
f3b6d7fa3c66667893fdfb84ca52d67f203db629d0b8efb5c069ffd1b3fc28b8

SHA512
dffe46a2fd483e8a146c36cafd441d229eb022dd22cc06ea21b31dce922d793cfa5b697e1272aafd110e36d74230271c40bcc3c8546f3970e392655d48130e00

Download Submit
memory/3232-29-0x0000000000DD0000-0x0000000000DE8000-memory.dmp

Filesize
96KB

Download
memory/3232-32-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/3232-34-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/3232-35-0x00000000059E0000-0x00000000059EA000-memory.dmp

Filesize
40KB

Download