asyncrat | b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987

General

Target

b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987N.exe
Size

173KB
MD5

47145d48bc26baf524555bf5574fb7a0
SHA1

4bb8b205308527a698fa9122d5fb62852ad58e40
SHA256

b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987
SHA512

d3016c246f901154cc9ea5c08b2dc74755b6e807396e0a8b0444780fc5b8d1aff58cf2b3bf2ffd6dd53f45cede6c618259225fe7b3ba970333f89e23120eda87
SSDEEP

3072:mTblwufSK/kgvh66vLQqGclZdqBWHBkFRwqNwId6Hrwb1NTv:mmaMMQUdqBWhkMqNUrwb

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

87.120.127.32:1339

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
vchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023c68-4.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	oo14v2kb.dry.exe

Executes dropped EXE 2 IoCs

pid	Process
1172	oo14v2kb.dry.exe
2500	vchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4952	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
244	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe
1172	oo14v2kb.dry.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	oo14v2kb.dry.exe
Token: SeDebugPrivilege	2500	vchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 1172	3924	b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987N.exe	84
PID 3924 wrote to memory of 1172	3924	b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987N.exe	84
PID 1172 wrote to memory of 4592	1172	oo14v2kb.dry.exe	88
PID 1172 wrote to memory of 4592	1172	oo14v2kb.dry.exe	88
PID 1172 wrote to memory of 4296	1172	oo14v2kb.dry.exe	90
PID 1172 wrote to memory of 4296	1172	oo14v2kb.dry.exe	90
PID 4592 wrote to memory of 244	4592	cmd.exe	92
PID 4592 wrote to memory of 244	4592	cmd.exe	92
PID 4296 wrote to memory of 4952	4296	cmd.exe	93
PID 4296 wrote to memory of 4952	4296	cmd.exe	93
PID 4296 wrote to memory of 2500	4296	cmd.exe	98
PID 4296 wrote to memory of 2500	4296	cmd.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987N.exe
"C:\Users\Admin\AppData\Local\Temp\b2268bc734c9d33e218e4edc798d3c04ce44039abe3f158d662a8907ca581987N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\oo14v2kb.dry.exe
  "C:\Users\Admin\AppData\Local\Temp\oo14v2kb.dry.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vchost" /tr '"C:\Users\Admin\AppData\Roaming\vchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "vchost" /tr '"C:\Users\Admin\AppData\Roaming\vchost.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBF0A.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4952
  - - C:\Users\Admin\AppData\Roaming\vchost.exe
      "C:\Users\Admin\AppData\Roaming\vchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oo14v2kb.dry.exe

Filesize
63KB

MD5
b5e0e569bc4667a4ebdc38fa1d78d0d7

SHA1
56ee71d628c61eb270251e5ea7bbd942639e66fc

SHA256
a71008f8a6685f0acde10e3ed125e09c59cb43b1d7f5deaee4fa0f2ccd8eaf7a

SHA512
0786c8f5bf3fc619a90276426f264198c4f31bfeb7e8a24fa9a6375a6e299d021110239cb1f9827939d28106c28015f224454a4efa7aa7b657e8c0cf5e09f583

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF0A.tmp.bat

Filesize
150B

MD5
35556279ac67e5e81741e0ba23aa69db

SHA1
2c66d813c49c8e24763b78b260de2ef8ca597984

SHA256
0f705abd32572bf45cfae39160234db083494c618e2db205158e0bb7f9193987

SHA512
112b50e5efd47824753c4e41e070d548b8fdd9ab8fbf0518e60352a170faf715c909bc88d3f404560553504f06f962e54b9ee7589774e4bde7bdd8be0e6bb581

Download Submit
memory/1172-6-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/1172-7-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

Filesize
10.8MB

Download
memory/1172-8-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

Filesize
10.8MB

Download
memory/1172-13-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

Filesize
10.8MB

Download
memory/1172-14-0x00007FFFE0C60000-0x00007FFFE1721000-memory.dmp

Filesize
10.8MB

Download
memory/3924-0-0x00007FFFE0C63000-0x00007FFFE0C65000-memory.dmp

Filesize
8KB

Download
memory/3924-1-0x0000000000A10000-0x0000000000A3E000-memory.dmp

Filesize
184KB

Download
memory/3924-21-0x00007FFFE0C63000-0x00007FFFE0C65000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads