asyncrat | 3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2

General

Target

3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
Size

74KB
MD5

50141588d141a3e39e77b728a3102cc3
SHA1

100024df2be8d4ea2b9ea727c06a0558ed630b1e
SHA256

3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2
SHA512

aa8a71f5be56f1f1ccbfed2703bd19faccc4bf81213cdc82d558093449664233bc1de57c7f7dbd7d05bf0c47ae33fc955fd43a2f3b9bbe531684e5d53783cf16
SSDEEP

1536:1ULkcxVKpC6yPMVKe9VdQuDI6H1bf/MUM4WZdXQzcGLVclN:1UocxVENyPMVKe9VdQsH1bfyhQfBY

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

aztddokpdxbvrrzhk

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/LwwcrLg4

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

Processes:

resource	yara_rule
behavioral1/memory/600-1-0x0000000000EF0000-0x0000000000F08000-memory.dmp	VenomRAT

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
5	pastebin.com
4	pastebin.com

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe

pid	Process
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe

description	pid	Process
Token: SeDebugPrivilege	600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe

pid	Process
600	3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe

C:\Users\Admin\AppData\Local\Temp\3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe
"C:\Users\Admin\AppData\Local\Temp\3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/600-0-0x000007FEF4BF3000-0x000007FEF4BF4000-memory.dmp

Filesize
4KB

Download
memory/600-1-0x0000000000EF0000-0x0000000000F08000-memory.dmp

Filesize
96KB

Download
memory/600-3-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmp

Filesize
9.9MB

Download
memory/600-4-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmp

Filesize
9.9MB

Download
memory/600-5-0x000007FEF4BF3000-0x000007FEF4BF4000-memory.dmp

Filesize
4KB

Download
memory/600-6-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmp

Filesize
9.9MB

Download
memory/600-7-0x000007FEF4BF0000-0x000007FEF55DC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads