asyncrat | b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987

General

Target

b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987N.exe
Size

173KB
MD5

47145d48bc26baf524555bf5574fb7a0
SHA1

4bb8b205308527a698fa9122d5fb62852ad58e40
SHA256

b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987
SHA512

d3016c246f901154cc9ea5c08b2dc74755b6e807396e0a8b0444780fc5b8d1aff58cf2b3bf2ffd6dd53f45cede6c618259225fe7b3ba970333f89e23120eda87
SSDEEP

3072:mTblwufSK/kgvh66vLQqGclZdqBWHBkFRwqNwId6Hrwb1NTv:mmaMMQUdqBWhkMqNUrwb

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

87.120.127.32:1339

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
vchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b000000012029-3.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
2564	5klma05j.llj.exe
2464	vchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2596	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2564	5klma05j.llj.exe
2564	5klma05j.llj.exe
2564	5klma05j.llj.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	5klma05j.llj.exe
Token: SeDebugPrivilege	2464	vchost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2564	2792	b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987N.exe	29
PID 2792 wrote to memory of 2564	2792	b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987N.exe	29
PID 2792 wrote to memory of 2564	2792	b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987N.exe	29
PID 2564 wrote to memory of 2604	2564	5klma05j.llj.exe	30
PID 2564 wrote to memory of 2604	2564	5klma05j.llj.exe	30
PID 2564 wrote to memory of 2604	2564	5klma05j.llj.exe	30
PID 2564 wrote to memory of 2104	2564	5klma05j.llj.exe	32
PID 2564 wrote to memory of 2104	2564	5klma05j.llj.exe	32
PID 2564 wrote to memory of 2104	2564	5klma05j.llj.exe	32
PID 2604 wrote to memory of 2948	2604	cmd.exe	34
PID 2604 wrote to memory of 2948	2604	cmd.exe	34
PID 2604 wrote to memory of 2948	2604	cmd.exe	34
PID 2104 wrote to memory of 2596	2104	cmd.exe	35
PID 2104 wrote to memory of 2596	2104	cmd.exe	35
PID 2104 wrote to memory of 2596	2104	cmd.exe	35
PID 2104 wrote to memory of 2464	2104	cmd.exe	36
PID 2104 wrote to memory of 2464	2104	cmd.exe	36
PID 2104 wrote to memory of 2464	2104	cmd.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987N.exe
"C:\Users\Admin\AppData\Local\Temp\b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\5klma05j.llj.exe
  "C:\Users\Admin\AppData\Local\Temp\5klma05j.llj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vchost" /tr '"C:\Users\Admin\AppData\Roaming\vchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "vchost" /tr '"C:\Users\Admin\AppData\Roaming\vchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2948
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5E84.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2596
  - - C:\Users\Admin\AppData\Roaming\vchost.exe
      "C:\Users\Admin\AppData\Roaming\vchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5klma05j.llj.exe

Filesize
63KB

MD5
b5e0e569bc4667a4ebdc38fa1d78d0d7

SHA1
56ee71d628c61eb270251e5ea7bbd942639e66fc

SHA256
a71008f8a6685f0acde10e3ed125e09c59cb43b1d7f5deaee4fa0f2ccd8eaf7a

SHA512
0786c8f5bf3fc619a90276426f264198c4f31bfeb7e8a24fa9a6375a6e299d021110239cb1f9827939d28106c28015f224454a4efa7aa7b657e8c0cf5e09f583

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab71B9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5E84.tmp.bat

Filesize
150B

MD5
b5de541be7ebec92a45db43a385ba2de

SHA1
4e036ea8e4e95ab20f2e6b5c8c06761d500091b9

SHA256
965283f04562f56536be89df8f909e706719606d3d079fee901135fb99a42a85

SHA512
07b0dd5731896bb4623a6e3ff010d3f313da04118efcef5e8ac79fecddf6f01debd0a963a6ea3415236133743c0f3a48682555b8abc4cad213afb63ca2fedcaf

Download Submit
memory/2464-23-0x0000000001340000-0x0000000001356000-memory.dmp

Filesize
88KB

Download
memory/2564-6-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/2564-7-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-8-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-9-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2564-19-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2792-0-0x000007FEF6353000-0x000007FEF6354000-memory.dmp

Filesize
4KB

Download
memory/2792-1-0x000000013F2B0000-0x000000013F2DE000-memory.dmp

Filesize
184KB

Download
memory/2792-40-0x000007FEF6353000-0x000007FEF6354000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads