asyncrat | 8620fa4c62bd53e5b70aa10e6205f1ceffcd49bd7ca3b01cbe8f539273dd6695 | Triage

Sharing

General

Target

8620fa4c62bd53e5b70aa10e6205f1ceffcd49bd7ca3b01cbe8f539273dd6695.bat
Size

29KB
Sample

241117-em282s1cle
MD5

af0c16e6a8877ea5a72d5d4a876e8302
SHA1

bc78be8297b41156b56fb22f7a84e7a85a183f7a
SHA256

8620fa4c62bd53e5b70aa10e6205f1ceffcd49bd7ca3b01cbe8f539273dd6695
SHA512

73ec801912075022dba96acb14b0cf6397b09af73b8e2535bb8870783196fd87ccbcb3f1530151c5c384f05d707d0bc593de33e33a85cb25872648db1884f629
SSDEEP

768:gTYcpQyuPmhDGEhtKC7/ZAmvh3MT2iabBp2KHrxWPylMhQYXTtlE:gTYcpQyuPmhDGEhtKC7BAmvtO2ip88Pk

Score

10^/10

asyncrat default venom clients discovery execution rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

ghanarchydn.duckdns.org:7878

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

pdhasync.duckdns.org:8797

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

ksjvenom.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  8620fa4c62bd53e5b70aa10e6205f1ceffcd49bd7ca3b01cbe8f539273dd6695.bat
- Size
  
  29KB
- MD5
  
  af0c16e6a8877ea5a72d5d4a876e8302
- SHA1
  
  bc78be8297b41156b56fb22f7a84e7a85a183f7a
- SHA256
  
  8620fa4c62bd53e5b70aa10e6205f1ceffcd49bd7ca3b01cbe8f539273dd6695
- SHA512
  
  73ec801912075022dba96acb14b0cf6397b09af73b8e2535bb8870783196fd87ccbcb3f1530151c5c384f05d707d0bc593de33e33a85cb25872648db1884f629
- SSDEEP
  
  768:gTYcpQyuPmhDGEhtKC7/ZAmvh3MT2iabBp2KHrxWPylMhQYXTtlE:gTYcpQyuPmhDGEhtKC7BAmvtO2ip88Pk
Score

10^/10

discovery execution asyncrat default venom clients rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Async RAT payload
  rat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

asyncratdefaultvenom clientsdiscoveryexecutionrat