Overview

overview

10

Static

static

3

9faf470f67...37.exe

windows7-x64

10

9faf470f67...37.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2024 08:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637.exe

  • Size

    173KB

  • MD5

    e6317314d7f07e51c82ff542b100a746

  • SHA1

    6375b769b95da80d7603be104a22a5fe2c82d914

  • SHA256

    9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637

  • SHA512

    6554cadf2b5d70a1d8a2b397a2ce36a02071298a419384d4b3b65a8c62648a5e1f961d72d57511477342728f32aa7ffc67e9783927eadecbcda7a4f0af68834b

  • SSDEEP

    3072:mTblwufSK/kgvh66vLQqGclZdqBWHBkFRwqNwId6Hrwb1NTvD:mmaMMQUdqBWhkMqNUrwb/

Score
10/10
asyncratvenom clientsrat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

87.120.127.32:1339

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    vchost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637.exe
    "C:\Users\Admin\AppData\Local\Temp\9faf470f679f9b6c8aceba42a94aa9196570df2a3988540c8becdbe160885637.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5024
    • C:\Users\Admin\AppData\Local\Temp\hsijd2qx.1vo.exe
      "C:\Users\Admin\AppData\Local\Temp\hsijd2qx.1vo.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3128
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vchost" /tr '"C:\Users\Admin\AppData\Roaming\vchost.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3420
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "vchost" /tr '"C:\Users\Admin\AppData\Roaming\vchost.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4044
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB2B6.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3560
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:3840
        • C:\Users\Admin\AppData\Roaming\vchost.exe
          "C:\Users\Admin\AppData\Roaming\vchost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hsijd2qx.1vo.exe
    Filesize

    63KB

    MD5

    b5e0e569bc4667a4ebdc38fa1d78d0d7

    SHA1

    56ee71d628c61eb270251e5ea7bbd942639e66fc

    SHA256

    a71008f8a6685f0acde10e3ed125e09c59cb43b1d7f5deaee4fa0f2ccd8eaf7a

    SHA512

    0786c8f5bf3fc619a90276426f264198c4f31bfeb7e8a24fa9a6375a6e299d021110239cb1f9827939d28106c28015f224454a4efa7aa7b657e8c0cf5e09f583

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB2B6.tmp.bat
    Filesize

    150B

    MD5

    c904b9c135620e93751b44309f0a963e

    SHA1

    6bcbf69eb1d53a70387ab7c9047d83b4794386ea

    SHA256

    b165e0c067c597cac4d15114fe6341deaa5db15155d997b7f16c1fee0f53ab21

    SHA512

    372cf612ebc6dae332867812004c4a826ad5c1101878e4249b32b52b690ee182a3279e825361d48972d8770c2bb52c628a28935f6defab190f092e3f1d486ed6

    Download Submit

  • memory/3128-6-0x0000000000B50000-0x0000000000B66000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3128-7-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3128-8-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3128-13-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5024-0-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

    Filesize

    8KB

    Download

  • memory/5024-1-0x0000000000B20000-0x0000000000B4E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/5024-20-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

    Filesize

    8KB

    Download