asyncrat | 08f7f44b07fb6e06a731314aaaaa0d4ee2aa1f98b3ce45437e5b150c0ba6575e

Analysis

max time kernel
145s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpotifyPatch.exe
Size

129KB
MD5

4ed5ceebb1fd4b6bbc4eb963676f4ac1
SHA1

b3c2f3900fa231849697c008c3deedbf0d2510f4
SHA256

08f7f44b07fb6e06a731314aaaaa0d4ee2aa1f98b3ce45437e5b150c0ba6575e
SHA512

cbc6a1f5a07dedeee42bc50a731a83f2d8eb6faf918484e16d947f7f0c041e3203ac151b75017d2418b054e6e4f6b09efd75f2bdb4fdcb7efcc10b44c7ad3664
SSDEEP

1536:ckbdDbhR3fV9BJbFXGbbwSo9ljVGKc27pqKmY7:c8DbhR3tdlGbbwx91Hoz

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

127.0.0.1:4449

127.0.0.1:4140

147.185.221.21:4449

147.185.221.21:4140

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
SpotifyICL.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SpotifyICL.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

SpotifyICL.exe

pid process

2824 SpotifyICL.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2200 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1580 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

SpotifyPatch.exe

pid process

1096 SpotifyPatch.exe
1096 SpotifyPatch.exe
1096 SpotifyPatch.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SpotifyPatch.exeSpotifyICL.exe

description pid process

Token: SeDebugPrivilege 1096 SpotifyPatch.exe
Token: SeDebugPrivilege 2824 SpotifyICL.exe

pid	process
2824	SpotifyICL.exe

pid	process
2200	timeout.exe

pid	process
1580	schtasks.exe

pid	process
1096	SpotifyPatch.exe
1096	SpotifyPatch.exe
1096	SpotifyPatch.exe

description	pid	process
Token: SeDebugPrivilege	1096	SpotifyPatch.exe
Token: SeDebugPrivilege	2824	SpotifyICL.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SpotifyPatch.execmd.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 2396	1096	SpotifyPatch.exe	cmd.exe
PID 1096 wrote to memory of 2396	1096	SpotifyPatch.exe	cmd.exe
PID 1096 wrote to memory of 2396	1096	SpotifyPatch.exe	cmd.exe
PID 1096 wrote to memory of 2292	1096	SpotifyPatch.exe	cmd.exe
PID 1096 wrote to memory of 2292	1096	SpotifyPatch.exe	cmd.exe
PID 1096 wrote to memory of 2292	1096	SpotifyPatch.exe	cmd.exe
PID 2292 wrote to memory of 2200	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2200	2292	cmd.exe	timeout.exe
PID 2292 wrote to memory of 2200	2292	cmd.exe	timeout.exe
PID 2396 wrote to memory of 1580	2396	cmd.exe	schtasks.exe
PID 2396 wrote to memory of 1580	2396	cmd.exe	schtasks.exe
PID 2396 wrote to memory of 1580	2396	cmd.exe	schtasks.exe
PID 2292 wrote to memory of 2824	2292	cmd.exe	SpotifyICL.exe
PID 2292 wrote to memory of 2824	2292	cmd.exe	SpotifyICL.exe
PID 2292 wrote to memory of 2824	2292	cmd.exe	SpotifyICL.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SpotifyPatch.exe
"C:\Users\Admin\AppData\Local\Temp\SpotifyPatch.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SpotifyICL" /tr '"C:\Users\Admin\AppData\Roaming\SpotifyICL.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "SpotifyICL" /tr '"C:\Users\Admin\AppData\Roaming\SpotifyICL.exe"'
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA592.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2200

C:\Users\Admin\AppData\Roaming\SpotifyICL.exe
"C:\Users\Admin\AppData\Roaming\SpotifyICL.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA592.tmp.bat

Filesize
154B

MD5
3eaf836f313bf3b0905ac6e52b5c418b

SHA1
fc19bde11ae7ab4d9b1cd88133d85a4a6f16aff0

SHA256
06de27f254e81acfe246e4f7203dc40308339182956efba180dee545d3e047f4

SHA512
a58c9377ef8b103e071910c93c1a6482ed2503fa1a858452f831bdb93e2a71e655123ed3fab1c1631eed758baf5d11a0f729fa05662f64a29e5c5aae08009cdc

Download Submit
C:\Users\Admin\AppData\Roaming\SpotifyICL.exe

Filesize
129KB

MD5
4ed5ceebb1fd4b6bbc4eb963676f4ac1

SHA1
b3c2f3900fa231849697c008c3deedbf0d2510f4

SHA256
08f7f44b07fb6e06a731314aaaaa0d4ee2aa1f98b3ce45437e5b150c0ba6575e

SHA512
cbc6a1f5a07dedeee42bc50a731a83f2d8eb6faf918484e16d947f7f0c041e3203ac151b75017d2418b054e6e4f6b09efd75f2bdb4fdcb7efcc10b44c7ad3664

Download Submit
memory/1096-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/1096-1-0x0000000000370000-0x0000000000396000-memory.dmp

Filesize
152KB

Download
memory/1096-2-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/1096-3-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/1096-12-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2824-17-0x00000000000B0000-0x00000000000D6000-memory.dmp

Filesize
152KB

Download