asyncrat | ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe
Size

104KB
MD5

a619d978d3c0d9e5af0596c4bb4070f1
SHA1

6354d3920979c0d075f685b7d2cf869f60b45cf7
SHA256

ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5
SHA512

e2819c30e08d23246ac01b188e8f34547fb0291833d2692bd1917b211b936e46d2be1d85fb73fabc8ec5240e081767538804c3b93a3aa0a443b36570c4678f87
SSDEEP

3072:QURcxVMWiPMVye9VdQsH1bfDFuBQAjZqMN7iY:QwWiPMVyaesVbMBrvG

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

pwsbendzcg

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/5jPfwjnH

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/1584-1-0x00000000003E0000-0x0000000000400000-memory.dmp	VenomRAT

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1584	ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe
1584	ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe
1584	ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe
1584	ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe
1584	ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe
1584	ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe
1584	ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe
1584	ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1584	ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe

C:\Users\Admin\AppData\Local\Temp\ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe
"C:\Users\Admin\AppData\Local\Temp\ba8547e96b9046215ec49a0a645292796318e539fdfe52b1c1f39f9960114ed5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1584-0-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/1584-1-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1584-3-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1584-4-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/1584-5-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/1584-6-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download