asyncrat | a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10

General

Target

a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe
Size

136KB
MD5

ba8e1047d16828e515b4c8b24ea0a660
SHA1

a72be9e504bffd192016f70a542fe96873b11c7f
SHA256

a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10
SHA512

35f48bfd66d4575d061785f0d127f18dd0ee0e45fe0a572d48060833e1a36e533ee8b73a8066985399e2f1108bcdee95290b8391026f4d430e94f81ac6e385c5
SSDEEP

3072:seRxy2E/7oh9/Gzyx7XaI/7fI81Z34zikDMSb1BYLWQf:BkO9/GKX17FZIukD9O

Score

10^/10

asyncrat venomrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

qdjtygkpttzwe

Attributes

delay
1
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/w9ciyBd2

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Client.exe	VenomRAT
behavioral1/memory/2672-14-0x00000000012C0000-0x00000000012DE000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Client.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

2672 Client.exe
Loads dropped DLL 1 IoCs

Processes:

a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe

pid process

2244 a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
5 pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2244	a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe

flow	ioc
4	pastebin.com
5	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exeDllHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

Client.exe

pid	process
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe
2672	Client.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Client.exe

description pid process

Token: SeDebugPrivilege 2672 Client.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2756 DllHost.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Client.exeDllHost.exe

pid process

2672 Client.exe
2756 DllHost.exe
2756 DllHost.exe

description	pid	process
Token: SeDebugPrivilege	2672	Client.exe

pid	process
2756	DllHost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe

description	pid	process	target process
PID 2244 wrote to memory of 2672	2244	a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe	Client.exe
PID 2244 wrote to memory of 2672	2244	a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe	Client.exe
PID 2244 wrote to memory of 2672	2244	a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe	Client.exe
PID 2244 wrote to memory of 2672	2244	a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe	Client.exe

C:\Users\Admin\AppData\Local\Temp\a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe
"C:\Users\Admin\AppData\Local\Temp\a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Roaming\Client.exe
  "C:\Users\Admin\AppData\Roaming\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2672

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\istockphoto-1212369987-612x612.jpg

Filesize
34KB

MD5
9e2447961613086a0bfbd34dececd929

SHA1
7ef96a9b48f63f94fc91ab0f17b18d4c81c77901

SHA256
ee30977c24b9607c07513670e524bdb95fdd89c1c1c4d551666a4b9a64a4a5f8

SHA512
379117b6a5b3ce178069ec7e51aca3026168a827685235a6d372e9d5f9b14470e7755bd1b9179c46019273b00dc25fcca807189d62a2414ff0e355457a65a675

Download Submit
\Users\Admin\AppData\Roaming\Client.exe

Filesize
96KB

MD5
8f0807d1ba521c06b793a6717744c4f3

SHA1
f5a414ddcbf4a7bcc420912d4a8eb5f414f2ea35

SHA256
c40b7d6c8145eb7b3d40d868c72701f21b1390259585e0bfaf0ac4b66b438572

SHA512
cacae5105f21d0d5d6b930f8e86c6fd0ed2adcf289e18ad9e34d584bcd757b7beb17ed31cd64ee0514b2b6ed21b68ec0361a7b37c9d063981320c698769ae134

Download Submit
memory/2244-0-0x0000000073E71000-0x0000000073E72000-memory.dmp

Filesize
4KB

Download
memory/2244-2-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-3-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2244-4-0x00000000006B0000-0x00000000006B2000-memory.dmp

Filesize
8KB

Download
memory/2244-13-0x0000000073E70000-0x000000007441B000-memory.dmp

Filesize
5.7MB

Download
memory/2672-14-0x00000000012C0000-0x00000000012DE000-memory.dmp

Filesize
120KB

Download
memory/2756-5-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/2756-11-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2756-17-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads