asyncrat | 0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
Size

73KB
MD5

4e6a72392f01ffb3bae293a6c4b955d1
SHA1

ab6910a9f4482e8409e35be2953cd8b26385927c
SHA256

0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6
SHA512

24c5894443c641876c4969ab1e56e7833f09f0984e296a9a5dcc6f26138d9d22daf90f9c6fcd3f7114f1754656d42d1560965047b3353c40ac21f3d016a79a5c
SSDEEP

1536:IU9ccx4y3lCl6PMVy1aievkWIKH1bI/91LgsQzcX3VclN:IU+cx4yVy6PMVgazbH1bIVxgsQilY

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

xpjcrciguzejg

Attributes

delay
1
install
true
install_file
WIN64.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/WPTghhr7

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/2008-1-0x00000000009A0000-0x00000000009B6000-memory.dmp	VenomRAT
behavioral2/files/0x00060000000226c6-12.dat	VenomRAT

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe

Executes dropped EXE 1 IoCs

pid	Process
3116	WIN64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	pastebin.com
24	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2984	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe
3116	WIN64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
Token: SeDebugPrivilege	3116	WIN64.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3116	WIN64.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 3096	2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe	92
PID 2008 wrote to memory of 3096	2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe	92
PID 2008 wrote to memory of 4616	2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe	94
PID 2008 wrote to memory of 4616	2008	0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe	94
PID 4616 wrote to memory of 2984	4616	cmd.exe	97
PID 4616 wrote to memory of 2984	4616	cmd.exe	97
PID 3096 wrote to memory of 1152	3096	cmd.exe	96
PID 3096 wrote to memory of 1152	3096	cmd.exe	96
PID 4616 wrote to memory of 3116	4616	cmd.exe	103
PID 4616 wrote to memory of 3116	4616	cmd.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe
"C:\Users\Admin\AppData\Local\Temp\0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WIN64" /tr '"C:\Users\Admin\AppData\Roaming\WIN64.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "WIN64" /tr '"C:\Users\Admin\AppData\Roaming\WIN64.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp32C3.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2984
- - C:\Users\Admin\AppData\Roaming\WIN64.exe
    "C:\Users\Admin\AppData\Roaming\WIN64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4372,i,3239535018877284530,3457823197501312703,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8
1⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp32C3.tmp.bat

Filesize
149B

MD5
52248ee12f6fed4b2e82c8220fc220d7

SHA1
cb9c765bbf74201aab86ffd80d34a4878360cd0c

SHA256
d5f441667ff31b00ce82b09475f058e3227c05a1d059a5dc0e388bf89745a2f9

SHA512
b499228379c69b297b193de4a7771f1cf04686f8ba781a6788cc370a9d4b10aafc08035a9a84ee0287484f1e15ed66535c4cf4feab81886b0bcf060f6c303401

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\WIN64.exe

Filesize
73KB

MD5
4e6a72392f01ffb3bae293a6c4b955d1

SHA1
ab6910a9f4482e8409e35be2953cd8b26385927c

SHA256
0e05714577948291d4d194ea8ddf6f8cc12dcdd31f01ba2195c0c4afb952cef6

SHA512
24c5894443c641876c4969ab1e56e7833f09f0984e296a9a5dcc6f26138d9d22daf90f9c6fcd3f7114f1754656d42d1560965047b3353c40ac21f3d016a79a5c

Download Submit
memory/2008-0-0x00007FF888EE3000-0x00007FF888EE5000-memory.dmp

Filesize
8KB

Download
memory/2008-1-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/2008-3-0x00007FF888EE0000-0x00007FF8899A1000-memory.dmp

Filesize
10.8MB

Download
memory/2008-8-0x00007FF888EE0000-0x00007FF8899A1000-memory.dmp

Filesize
10.8MB

Download
memory/2008-9-0x00007FF888EE0000-0x00007FF8899A1000-memory.dmp

Filesize
10.8MB

Download