asyncrat | 269d075e3c034c75dd202678f7508d0b90e06fb06ab1fb8eb970b70f7bffeb7e

Analysis

max time kernel
29s
max time network
32s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09/09/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r6core.exe
Size

135KB
MD5

9a37880c5ffefb36ebc2ad17b8a2ad85
SHA1

ac00f0071d2f95606c9963f2d6156c73e547b556
SHA256

269d075e3c034c75dd202678f7508d0b90e06fb06ab1fb8eb970b70f7bffeb7e
SHA512

889b557cf1a79c467b75d26d5749780feefd8a920ecf8f26ba8a0478d946fca19beddfa18bf59d6eac56ace7c4017245b1191117a5e7b8b306aa8333d09622c7
SSDEEP

1536:bSGOtP1YjItQqXZ0Hh4Swxw5kFzZN0qhXLIEWTQWmt04KvST6EUg6z/8Tap325Y5:bktXWB4SwykFNXLqTQBtLKtxJp3v4eZ

Score

10^/10

asyncrat nymeria defense_evasion discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Nymeria

94.232.249.235:4449

94.232.249.235:13001

Mutex

uzzpgldlipcvvtx

Attributes

delay
1
install
false
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Executes dropped EXE 1 IoCs

pid	Process
3540	nopu.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3540 set thread context of 3632	3540	nopu.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r6core.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3384	powershell.exe
3384	powershell.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	csc.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeIncreaseQuotaPrivilege	3632	csc.exe
Token: SeSecurityPrivilege	3632	csc.exe
Token: SeTakeOwnershipPrivilege	3632	csc.exe
Token: SeLoadDriverPrivilege	3632	csc.exe
Token: SeSystemProfilePrivilege	3632	csc.exe
Token: SeSystemtimePrivilege	3632	csc.exe
Token: SeProfSingleProcessPrivilege	3632	csc.exe
Token: SeIncBasePriorityPrivilege	3632	csc.exe
Token: SeCreatePagefilePrivilege	3632	csc.exe
Token: SeBackupPrivilege	3632	csc.exe
Token: SeRestorePrivilege	3632	csc.exe
Token: SeShutdownPrivilege	3632	csc.exe
Token: SeDebugPrivilege	3632	csc.exe
Token: SeSystemEnvironmentPrivilege	3632	csc.exe
Token: SeRemoteShutdownPrivilege	3632	csc.exe
Token: SeUndockPrivilege	3632	csc.exe
Token: SeManageVolumePrivilege	3632	csc.exe
Token: 33	3632	csc.exe
Token: 34	3632	csc.exe
Token: 35	3632	csc.exe
Token: 36	3632	csc.exe
Token: SeIncreaseQuotaPrivilege	3632	csc.exe
Token: SeSecurityPrivilege	3632	csc.exe
Token: SeTakeOwnershipPrivilege	3632	csc.exe
Token: SeLoadDriverPrivilege	3632	csc.exe
Token: SeSystemProfilePrivilege	3632	csc.exe
Token: SeSystemtimePrivilege	3632	csc.exe
Token: SeProfSingleProcessPrivilege	3632	csc.exe
Token: SeIncBasePriorityPrivilege	3632	csc.exe
Token: SeCreatePagefilePrivilege	3632	csc.exe
Token: SeBackupPrivilege	3632	csc.exe
Token: SeRestorePrivilege	3632	csc.exe
Token: SeShutdownPrivilege	3632	csc.exe
Token: SeDebugPrivilege	3632	csc.exe
Token: SeSystemEnvironmentPrivilege	3632	csc.exe
Token: SeRemoteShutdownPrivilege	3632	csc.exe
Token: SeUndockPrivilege	3632	csc.exe
Token: SeManageVolumePrivilege	3632	csc.exe
Token: 33	3632	csc.exe
Token: 34	3632	csc.exe
Token: 35	3632	csc.exe
Token: 36	3632	csc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3384	2380	r6core.exe	80
PID 2380 wrote to memory of 3384	2380	r6core.exe	80
PID 2380 wrote to memory of 3384	2380	r6core.exe	80
PID 2380 wrote to memory of 3540	2380	r6core.exe	82
PID 2380 wrote to memory of 3540	2380	r6core.exe	82
PID 3540 wrote to memory of 3632	3540	nopu.exe	83
PID 3540 wrote to memory of 3632	3540	nopu.exe	83
PID 3540 wrote to memory of 3632	3540	nopu.exe	83
PID 3540 wrote to memory of 3632	3540	nopu.exe	83
PID 3540 wrote to memory of 3632	3540	nopu.exe	83
PID 3540 wrote to memory of 3632	3540	nopu.exe	83

C:\Users\Admin\AppData\Local\Temp\r6core.exe
"C:\Users\Admin\AppData\Local\Temp\r6core.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZQBwACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAcgBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAdQBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAbAB0ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3384
- C:\Users\Admin\AppData\Local\Temp\nopu.exe
  "C:\Users\Admin\AppData\Local\Temp\nopu.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a5y4kq1f.nwu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nopu.exe

Filesize
126KB

MD5
21aa889aaa988c257ec75cdf60803b66

SHA1
ad70aa9e9479153a6c9043ce493fcd7de8ee4aef

SHA256
c434a99e79aadd1c40cf84791b396caee931eda1c0fd5036663fa62827915d4d

SHA512
a69d191b5896dc1dd4f8221bb4592dd227534aa4eeb2cfaec0f9420b8632c1f8526287a609ffc5f3c2f141bce5932a77783f17b967cdd32b184901d22a6f48f5

Download Submit
memory/3384-32-0x0000000005F30000-0x0000000005F7C000-memory.dmp

Filesize
304KB

Download
memory/3384-52-0x0000000007520000-0x000000000753A000-memory.dmp

Filesize
104KB

Download
memory/3384-55-0x0000000007510000-0x0000000007518000-memory.dmp

Filesize
32KB

Download
memory/3384-16-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/3384-17-0x0000000004A00000-0x0000000004A36000-memory.dmp

Filesize
216KB

Download
memory/3384-18-0x0000000005070000-0x000000000569A000-memory.dmp

Filesize
6.2MB

Download
memory/3384-19-0x0000000005000000-0x0000000005022000-memory.dmp

Filesize
136KB

Download
memory/3384-20-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/3384-21-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/3384-33-0x0000000006E50000-0x0000000006E84000-memory.dmp

Filesize
208KB

Download
memory/3384-30-0x0000000005970000-0x0000000005CC7000-memory.dmp

Filesize
3.3MB

Download
memory/3384-34-0x0000000070A20000-0x0000000070A6C000-memory.dmp

Filesize
304KB

Download
memory/3384-51-0x0000000007430000-0x0000000007445000-memory.dmp

Filesize
84KB

Download
memory/3384-50-0x0000000007420000-0x000000000742E000-memory.dmp

Filesize
56KB

Download
memory/3384-31-0x0000000005E80000-0x0000000005E9E000-memory.dmp

Filesize
120KB

Download
memory/3384-43-0x0000000006480000-0x000000000649E000-memory.dmp

Filesize
120KB

Download
memory/3384-44-0x0000000006EA0000-0x0000000006F44000-memory.dmp

Filesize
656KB

Download
memory/3384-45-0x0000000007820000-0x0000000007E9A000-memory.dmp

Filesize
6.5MB

Download
memory/3384-46-0x00000000071D0000-0x00000000071EA000-memory.dmp

Filesize
104KB

Download
memory/3384-47-0x0000000007260000-0x000000000726A000-memory.dmp

Filesize
40KB

Download
memory/3384-48-0x0000000007460000-0x00000000074F6000-memory.dmp

Filesize
600KB

Download
memory/3384-49-0x00000000073E0000-0x00000000073F1000-memory.dmp

Filesize
68KB

Download
memory/3540-11-0x00007FFC3A433000-0x00007FFC3A435000-memory.dmp

Filesize
8KB

Download
memory/3540-12-0x0000000000E70000-0x0000000000E92000-memory.dmp

Filesize
136KB

Download
memory/3540-54-0x00007FFC3A430000-0x00007FFC3AEF2000-memory.dmp

Filesize
10.8MB

Download
memory/3540-15-0x00007FFC3A430000-0x00007FFC3AEF2000-memory.dmp

Filesize
10.8MB

Download
memory/3632-13-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download