asyncrat | 9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637

General

Target

9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637.exe
Size

173KB
MD5

e6317314d7f07e51c82ff542b100a746
SHA1

6375b769b95da80d7603be104a22a5fe2c82d914
SHA256

9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637
SHA512

6554cadf2b5d70a1d8a2b397a2ce36a02071298a419384d4b3b65a8c62648a5e1f961d72d57511477342728f32aa7ffc67e9783927eadecbcda7a4f0af68834b
SSDEEP

3072:mTblwufSK/kgvh66vLQqGclZdqBWHBkFRwqNwId6Hrwb1NTvD:mmaMMQUdqBWhkMqNUrwb/

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

87.120.127.32:1339

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
vchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\kxv2nvgb.ald.exe	family_asyncrat

Executes dropped EXE 2 IoCs

Processes:

kxv2nvgb.ald.exevchost.exe

pid process

1732 kxv2nvgb.ald.exe
2808 vchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2944 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

292 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

kxv2nvgb.ald.exe

pid process

1732 kxv2nvgb.ald.exe
1732 kxv2nvgb.ald.exe
1732 kxv2nvgb.ald.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kxv2nvgb.ald.exevchost.exe

description pid process

Token: SeDebugPrivilege 1732 kxv2nvgb.ald.exe
Token: SeDebugPrivilege 2808 vchost.exe

pid	process
1732	kxv2nvgb.ald.exe
2808	vchost.exe

pid	process
2944	timeout.exe

pid	process
292	schtasks.exe

pid	process
1732	kxv2nvgb.ald.exe
1732	kxv2nvgb.ald.exe
1732	kxv2nvgb.ald.exe

description	pid	process
Token: SeDebugPrivilege	1732	kxv2nvgb.ald.exe
Token: SeDebugPrivilege	2808	vchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637.exekxv2nvgb.ald.execmd.execmd.exe

description	pid	process	target process
PID 584 wrote to memory of 1732	584	9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637.exe	kxv2nvgb.ald.exe
PID 584 wrote to memory of 1732	584	9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637.exe	kxv2nvgb.ald.exe
PID 584 wrote to memory of 1732	584	9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637.exe	kxv2nvgb.ald.exe
PID 1732 wrote to memory of 2920	1732	kxv2nvgb.ald.exe	cmd.exe
PID 1732 wrote to memory of 2920	1732	kxv2nvgb.ald.exe	cmd.exe
PID 1732 wrote to memory of 2920	1732	kxv2nvgb.ald.exe	cmd.exe
PID 2920 wrote to memory of 292	2920	cmd.exe	schtasks.exe
PID 2920 wrote to memory of 292	2920	cmd.exe	schtasks.exe
PID 2920 wrote to memory of 292	2920	cmd.exe	schtasks.exe
PID 1732 wrote to memory of 2740	1732	kxv2nvgb.ald.exe	cmd.exe
PID 1732 wrote to memory of 2740	1732	kxv2nvgb.ald.exe	cmd.exe
PID 1732 wrote to memory of 2740	1732	kxv2nvgb.ald.exe	cmd.exe
PID 2740 wrote to memory of 2944	2740	cmd.exe	timeout.exe
PID 2740 wrote to memory of 2944	2740	cmd.exe	timeout.exe
PID 2740 wrote to memory of 2944	2740	cmd.exe	timeout.exe
PID 2740 wrote to memory of 2808	2740	cmd.exe	vchost.exe
PID 2740 wrote to memory of 2808	2740	cmd.exe	vchost.exe
PID 2740 wrote to memory of 2808	2740	cmd.exe	vchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637.exe
"C:\Users\Admin\AppData\Local\Temp\9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:584
- C:\Users\Admin\AppData\Local\Temp\kxv2nvgb.ald.exe
  "C:\Users\Admin\AppData\Local\Temp\kxv2nvgb.ald.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vchost" /tr '"C:\Users\Admin\AppData\Roaming\vchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "vchost" /tr '"C:\Users\Admin\AppData\Roaming\vchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:292
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE82D.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2944
  - - C:\Users\Admin\AppData\Roaming\vchost.exe
      "C:\Users\Admin\AppData\Roaming\vchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabFA87.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kxv2nvgb.ald.exe

Filesize
63KB

MD5
b5e0e569bc4667a4ebdc38fa1d78d0d7

SHA1
56ee71d628c61eb270251e5ea7bbd942639e66fc

SHA256
a71008f8a6685f0acde10e3ed125e09c59cb43b1d7f5deaee4fa0f2ccd8eaf7a

SHA512
0786c8f5bf3fc619a90276426f264198c4f31bfeb7e8a24fa9a6375a6e299d021110239cb1f9827939d28106c28015f224454a4efa7aa7b657e8c0cf5e09f583

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE82D.tmp.bat

Filesize
150B

MD5
e4ec79c1bd6d00475e2b5d6d7abd14de

SHA1
99fed8fa4cf195953c61469140f0438b0b657b17

SHA256
5c5d8f3f699626a3516d4e5ae81e5ce2c23ed6e9f62df1550f8c147c00c0efb2

SHA512
5ea6203f548130522bb1d9ab1b49b12c289f6ced651952fca4a96a5ff2e5e411e4f55c8e7055bed6a5a0e8d74116e7fc007ba6f3f141bcfcee66f6f2fceafc07

Download Submit
memory/584-0-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp

Filesize
4KB

Download
memory/584-1-0x000000013F870000-0x000000013F89E000-memory.dmp

Filesize
184KB

Download
memory/584-40-0x000007FEF59C3000-0x000007FEF59C4000-memory.dmp

Filesize
4KB

Download
memory/1732-6-0x0000000001090000-0x00000000010A6000-memory.dmp

Filesize
88KB

Download
memory/1732-7-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-8-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-9-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-19-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-23-0x00000000013C0000-0x00000000013D6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads