asyncrat | bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 10:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
Size

63KB
MD5

b5da46ea47f9b458f4e11e08facc0b36
SHA1

945e066d5a6a08c19b3024857b376927ea7c323f
SHA256

bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c
SHA512

77e04b67cf417e45631af8b0eec7f3e1969f61608fd41ddce27a4d3e04de77058fd928927acfbe7000259b4334ff8a61e05cef72ab5c9d54dd4caceb3e5141ff
SSDEEP

1536:4hSjnRQ/kVJmV/KUf7v00PGbb2wy722GmdhpqKmY7:4hSjnRQ/kVC/KUjTGbb2h24az

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

87.227.227.78:4782

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
coinbase.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000800000002347e-10.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe

Executes dropped EXE 1 IoCs

pid	Process
4336	coinbase.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4424	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe
4336	coinbase.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
Token: SeDebugPrivilege	4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
Token: SeDebugPrivilege	4336	coinbase.exe
Token: SeDebugPrivilege	4336	coinbase.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 1340	4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe	82
PID 4428 wrote to memory of 1340	4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe	82
PID 4428 wrote to memory of 3352	4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe	84
PID 4428 wrote to memory of 3352	4428	bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe	84
PID 1340 wrote to memory of 1304	1340	cmd.exe	86
PID 1340 wrote to memory of 1304	1340	cmd.exe	86
PID 3352 wrote to memory of 4424	3352	cmd.exe	87
PID 3352 wrote to memory of 4424	3352	cmd.exe	87
PID 3352 wrote to memory of 4336	3352	cmd.exe	90
PID 3352 wrote to memory of 4336	3352	cmd.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe
"C:\Users\Admin\AppData\Local\Temp\bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "coinbase" /tr '"C:\Users\Admin\AppData\Roaming\coinbase.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "coinbase" /tr '"C:\Users\Admin\AppData\Roaming\coinbase.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFB77.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4424
- - C:\Users\Admin\AppData\Roaming\coinbase.exe
    "C:\Users\Admin\AppData\Roaming\coinbase.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpFB77.tmp.bat

Filesize
152B

MD5
6a0c7badbed90b48599b55fdc38fc747

SHA1
a8cdf1e768c16a7bb0becc91e6f5183920c2a507

SHA256
a2b1531b128aa9da36b568c55d34535c2e5e6f4250a2ab977389503c66a2921b

SHA512
5e47dc46109e523904f8c7908d1e17f2d23d3f57ec24f1aeb17b35e27bc1c095904ed31e0ca718c0477fc8d4732af55f7b3ba11409d0f4656fe251838e621077

Download Submit
C:\Users\Admin\AppData\Roaming\coinbase.exe

Filesize
63KB

MD5
b5da46ea47f9b458f4e11e08facc0b36

SHA1
945e066d5a6a08c19b3024857b376927ea7c323f

SHA256
bd5f79381890e67683071c76cd1bd8a13bfd52af104dd3c01824a39dbd85205c

SHA512
77e04b67cf417e45631af8b0eec7f3e1969f61608fd41ddce27a4d3e04de77058fd928927acfbe7000259b4334ff8a61e05cef72ab5c9d54dd4caceb3e5141ff

Download Submit
memory/4428-0-0x00007FF901A03000-0x00007FF901A05000-memory.dmp

Filesize
8KB

Download
memory/4428-1-0x0000000000CD0000-0x0000000000CE6000-memory.dmp

Filesize
88KB

Download
memory/4428-2-0x00007FF901A00000-0x00007FF9024C1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-7-0x00007FF901A00000-0x00007FF9024C1000-memory.dmp

Filesize
10.8MB

Download
memory/4428-8-0x00007FF901A00000-0x00007FF9024C1000-memory.dmp

Filesize
10.8MB

Download