asyncrat | 54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4

General

Target

54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe
Size

74KB
MD5

576589c04e1be32a1bfc12c9a3632e0b
SHA1

77e636cee6dfddbf4bfc51d1c10e4ca11c96384a
SHA256

54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4
SHA512

007340d9d4702ec503e95c57b55c64e11d8b84bb0e2c3d72c2eb11706afe39ce4783d096584801bc554696ef975cf884eaf21a1c0bd0188b1184f548128033b1
SSDEEP

1536:2UvNwcxKHXwzCtmPMVP4ef0qHIFH1bW/WXx9QzcqLVclN:2UvicxK8WmPMVP4ecH1bWu3QbBY

Score

10^/10

asyncrat deneme rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

deneme

C2

127.0.0.1:4449

127.0.0.1:1604

Mutex

gsekihlnjqbrzdniobl

Attributes

delay
1
install
true
install_file
deneme.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 3 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/2400-1-0x00000000010D0000-0x00000000010E8000-memory.dmp	VenomRAT
behavioral1/files/0x0033000000015cc6-16.dat	VenomRAT
behavioral1/memory/2740-18-0x0000000000350000-0x0000000000368000-memory.dmp	VenomRAT

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0033000000015cc6-16.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2740	deneme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2944	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2400	54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe
2400	54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe
2400	54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe
2740	deneme.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe
Token: SeDebugPrivilege	2740	deneme.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2740	deneme.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2812	2400	54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe	30
PID 2400 wrote to memory of 2812	2400	54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe	30
PID 2400 wrote to memory of 2812	2400	54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe	30
PID 2400 wrote to memory of 2120	2400	54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe	31
PID 2400 wrote to memory of 2120	2400	54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe	31
PID 2400 wrote to memory of 2120	2400	54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe	31
PID 2812 wrote to memory of 2792	2812	cmd.exe	34
PID 2812 wrote to memory of 2792	2812	cmd.exe	34
PID 2812 wrote to memory of 2792	2812	cmd.exe	34
PID 2120 wrote to memory of 2944	2120	cmd.exe	35
PID 2120 wrote to memory of 2944	2120	cmd.exe	35
PID 2120 wrote to memory of 2944	2120	cmd.exe	35
PID 2120 wrote to memory of 2740	2120	cmd.exe	36
PID 2120 wrote to memory of 2740	2120	cmd.exe	36
PID 2120 wrote to memory of 2740	2120	cmd.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe
"C:\Users\Admin\AppData\Local\Temp\54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "deneme" /tr '"C:\Users\Admin\AppData\Roaming\deneme.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "deneme" /tr '"C:\Users\Admin\AppData\Roaming\deneme.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp87F5.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2944
- - C:\Users\Admin\AppData\Roaming\deneme.exe
    "C:\Users\Admin\AppData\Roaming\deneme.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp87F5.tmp.bat

Filesize
150B

MD5
ea943045c4b122749303227af8050a17

SHA1
004617efbc639311acbdaf803c29ff30d078dbe9

SHA256
7ffe454032e19cae2ff89fe6e49a46d2da3b2ef6a374a5167bd5c0fa7d28315c

SHA512
79db4338518357867328dfec8f5a981cbfc44d497ec344735719403c66d9a35e9a923d7953461758c23ccdc566c853708708b673b40c9d06e8dc20d4a8910d79

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\deneme.exe

Filesize
74KB

MD5
576589c04e1be32a1bfc12c9a3632e0b

SHA1
77e636cee6dfddbf4bfc51d1c10e4ca11c96384a

SHA256
54c8f9450de555446717778304d80f8897f249ac612cebf6d4d939334d95e6f4

SHA512
007340d9d4702ec503e95c57b55c64e11d8b84bb0e2c3d72c2eb11706afe39ce4783d096584801bc554696ef975cf884eaf21a1c0bd0188b1184f548128033b1

Download Submit
memory/2400-0-0x000007FEF5AD3000-0x000007FEF5AD4000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x00000000010D0000-0x00000000010E8000-memory.dmp

Filesize
96KB

Download
memory/2400-3-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2400-13-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2400-12-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

Filesize
9.9MB

Download
memory/2740-18-0x0000000000350000-0x0000000000368000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads