Analysis

  • max time kernel
    59s
  • max time network
    62s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-10-2024 19:43

General

  • Target

    Rose_1_1_4_2.zip

  • Size

    16.1MB

  • MD5

    6b27604d6f445bce6ad546885c0c0949

  • SHA1

    75967d80043852f69bfc858675298b8fa1da12a9

  • SHA256

    3af2d8280ca274b2d5d06e2494a7e99ba1b26c439e426335bf98c1eb640e38fc

  • SHA512

    e71d31fdefb7b77787f12ea6a5a712240b3d1146c2e7d9212877a83f8a69cb7509b8bc5928674cfb45f125c721f61f6cc9d30ff588e66bbbf77abcf02cc1d97d

  • SSDEEP

    393216:iON95GDgNyOMiyGFty4riUG4/Hv73BwVa6w:iakM4GrjvbBwVa6w

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

sazan

Mutex

rdzbojdvoiqafvcuqj

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.ai/raw/it4zrvblz1

  • aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Rose_1_1_4_2.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\7zO49A4BA37\Rose_İnjector.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO49A4BA37\Rose_İnjector.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2180
      • C:\Users\Admin\AppData\Roaming\Client.exe
        "C:\Users\Admin\AppData\Roaming\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2700
      • C:\Users\Admin\AppData\Roaming\Rose_Injector.exe
        "C:\Users\Admin\AppData\Roaming\Rose_Injector.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2560
    • C:\Users\Admin\AppData\Local\Temp\7zO49ADBA57\Rose_İnjector.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO49ADBA57\Rose_İnjector.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2904 -s 580
        3⤵
          PID:1044
    • C:\Users\Admin\AppData\Local\Temp\7zO49A9D0B7\Rose_İnjector.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO49A9D0B7\Rose_İnjector.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2024 -s 576
        3⤵
          PID:1544

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zO49A4BA37\Rose_İnjector.exe

        Filesize

        108KB

        MD5

        17f7206a7e2535c2757a2e28af6c13c8

        SHA1

        5cea3e60c35b8da9e1520832071ca52b98991797

        SHA256

        8f1d00324051a90eb2ca14d2d68946b78d89e36ed3ce9082af05da5b38c04457

        SHA512

        15c3ea73fd01290171448f0e0dea4a3b2919448c35116d9bcce99f6e81be063ba6fccef7ec1b71fcce3056c15f0099130d21edd5372fb7f46cfcae5f7c2dec39

      • C:\Users\Admin\AppData\Roaming\Client.exe

        Filesize

        74KB

        MD5

        1e62f2d4b2155fe336bc8f449100554a

        SHA1

        2506734f15d2b69270be7c922f008e7de9d839dd

        SHA256

        16a3ba1c991f0d2c666e7f41528ccf65c477c094a8ff75b924289f564bf11498

        SHA512

        a14d75b76935b73af946f81370aa7c6874240dd907336bfdb09a70e8e088a8c6e1341fb8da7277477fb1328251ea1a52a9e8c1126d3c4b59b8dcf99191266ebf

      • \Users\Admin\AppData\Roaming\Rose_Injector.exe

        Filesize

        27KB

        MD5

        8be0e3590df0a1337f9fb82630852376

        SHA1

        6f0d6bc2ba3ab5cbbff94a944dd24c0eda0771d5

        SHA256

        36a340af2f3f63c9be3546704985accb516135860a575ef6c655819d7998ed39

        SHA512

        48714538160ddeddd9ff1834056daaef50f261401bd19e44b60af628f46ebc741c32dcc73ccbb546b325da79fd336cbfa79f31215008bf3578ea070ff8156d16

      • memory/2024-47-0x00000000008E0000-0x0000000000902000-memory.dmp

        Filesize

        136KB

      • memory/2180-11-0x0000000000C90000-0x0000000000CB2000-memory.dmp

        Filesize

        136KB

      • memory/2700-17-0x0000000000C60000-0x0000000000C78000-memory.dmp

        Filesize

        96KB

      • memory/2904-35-0x0000000000020000-0x0000000000042000-memory.dmp

        Filesize

        136KB