asyncrat | dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba

General

Target

dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe
Size

497KB
MD5

a445d0fe9709f20aa55f213f430d2bf9
SHA1

1f929533e0057f48c75769fb2a912de259da14b7
SHA256

dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba
SHA512

097b64d675acf5e6047af23233ad4c2a74b2c8a9cdaed63f633cb2e59f331d12262decb3835f40031a02bb5baef957b1831fdc7afe456788fa8f9d816efbed49
SSDEEP

6144:0XaWPMVW6BVb/4ADOMpkMQ2SAYUa/qqdhxMho:0Xaxt4AtB8A/abMe

Score

10^/10

asyncrat blu rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

blu

C2

194.26.192.154:4449

Mutex

blu

Attributes

delay
1
install
true
install_file
system32.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 3 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/2620-1-0x0000000000930000-0x00000000009B2000-memory.dmp	VenomRAT
behavioral1/files/0x000d0000000160a8-16.dat	VenomRAT
behavioral1/memory/2476-18-0x0000000000140000-0x00000000001C2000-memory.dmp	VenomRAT

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000d0000000160a8-16.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2476	system32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2556	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2620	dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe
2620	dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe
2620	dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe
2476	system32.exe
2476	system32.exe
2476	system32.exe
2476	system32.exe
2476	system32.exe
2476	system32.exe
2476	system32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe
Token: SeDebugPrivilege	2476	system32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2476	system32.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 2696	2620	dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe	29
PID 2620 wrote to memory of 2696	2620	dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe	29
PID 2620 wrote to memory of 2696	2620	dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe	29
PID 2620 wrote to memory of 2548	2620	dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe	30
PID 2620 wrote to memory of 2548	2620	dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe	30
PID 2620 wrote to memory of 2548	2620	dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe	30
PID 2548 wrote to memory of 2556	2548	cmd.exe	33
PID 2548 wrote to memory of 2556	2548	cmd.exe	33
PID 2548 wrote to memory of 2556	2548	cmd.exe	33
PID 2696 wrote to memory of 2472	2696	cmd.exe	34
PID 2696 wrote to memory of 2472	2696	cmd.exe	34
PID 2696 wrote to memory of 2472	2696	cmd.exe	34
PID 2548 wrote to memory of 2476	2548	cmd.exe	35
PID 2548 wrote to memory of 2476	2548	cmd.exe	35
PID 2548 wrote to memory of 2476	2548	cmd.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe
"C:\Users\Admin\AppData\Local\Temp\dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system32" /tr '"C:\Users\Admin\AppData\Roaming\system32.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "system32" /tr '"C:\Users\Admin\AppData\Roaming\system32.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2472
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A73.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2556
- - C:\Users\Admin\AppData\Roaming\system32.exe
    "C:\Users\Admin\AppData\Roaming\system32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1A73.tmp.bat

Filesize
152B

MD5
67c1b3081ac61f58c59e86c6e0ffbfc0

SHA1
a841b43539e784aed39c2afd7f474dc7b3c97d5a

SHA256
f1289de7e95f40d4b2ec891fcebeeb10025753a76304e29f458f34b010de4633

SHA512
1d698491b33ee037031067de925690e23bb8f36d938901ec2e76c4f4a0f4106810850bca73afd06829d5c23072f3e936efdc78b43eda5c0259174687a40319f9

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\system32.exe

Filesize
497KB

MD5
a445d0fe9709f20aa55f213f430d2bf9

SHA1
1f929533e0057f48c75769fb2a912de259da14b7

SHA256
dfe9397e7afa5e416a4827800d4dccbd7b835b22fe99911a647a7e39a1608aba

SHA512
097b64d675acf5e6047af23233ad4c2a74b2c8a9cdaed63f633cb2e59f331d12262decb3835f40031a02bb5baef957b1831fdc7afe456788fa8f9d816efbed49

Download Submit
memory/2476-18-0x0000000000140000-0x00000000001C2000-memory.dmp

Filesize
520KB

Download
memory/2620-0-0x000007FEF5673000-0x000007FEF5674000-memory.dmp

Filesize
4KB

Download
memory/2620-1-0x0000000000930000-0x00000000009B2000-memory.dmp

Filesize
520KB

Download
memory/2620-3-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/2620-11-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/2620-13-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads