Malware Analysis Report

2024-12-08 02:25

Sample ID 241117-s6y8dstbmr
Target a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe
SHA256 a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10
Tags asyncrat venomrat default discovery rat
Score 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10

Threat Level: Known bad

The file a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat venomrat default discovery rat

AsyncRat

VenomRAT

Asyncrat family

Venomrat family

Async RAT payload

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 15:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 15:44

Reported

2024-11-17 15:47

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

VenomRAT

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Venomrat family

venomrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Client.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Client.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Client.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe

"C:\Users\Admin\AppData\Local\Temp\a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Roaming\Client.exe

"C:\Users\Admin\AppData\Roaming\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 tr3.localto.net udp
TR 185.141.35.22:2944 tr3.localto.net tcp (22 identical connection records)

Files

memory/2244-0-0x0000000073E71000-0x0000000073E72000-memory.dmp

memory/2244-2-0x0000000073E70000-0x000000007441B000-memory.dmp

memory/2244-3-0x0000000073E70000-0x000000007441B000-memory.dmp

memory/2244-4-0x00000000006B0000-0x00000000006B2000-memory.dmp

memory/2756-5-0x0000000000130000-0x0000000000132000-memory.dmp

\Users\Admin\AppData\Roaming\Client.exe

MD5 8f0807d1ba521c06b793a6717744c4f3
SHA1 f5a414ddcbf4a7bcc420912d4a8eb5f414f2ea35
SHA256 c40b7d6c8145eb7b3d40d868c72701f21b1390259585e0bfaf0ac4b66b438572
SHA512 cacae5105f21d0d5d6b930f8e86c6fd0ed2adcf289e18ad9e34d584bcd757b7beb17ed31cd64ee0514b2b6ed21b68ec0361a7b37c9d063981320c698769ae134

memory/2756-11-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2244-13-0x0000000073E70000-0x000000007441B000-memory.dmp

memory/2672-14-0x00000000012C0000-0x00000000012DE000-memory.dmp

C:\Users\Admin\AppData\Roaming\istockphoto-1212369987-612x612.jpg

MD5 9e2447961613086a0bfbd34dececd929
SHA1 7ef96a9b48f63f94fc91ab0f17b18d4c81c77901
SHA256 ee30977c24b9607c07513670e524bdb95fdd89c1c1c4d551666a4b9a64a4a5f8
SHA512 379117b6a5b3ce178069ec7e51aca3026168a827685235a6d372e9d5f9b14470e7755bd1b9179c46019273b00dc25fcca807189d62a2414ff0e355457a65a675

memory/2756-17-0x00000000002E0000-0x00000000002E1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 15:44

Reported

2024-11-17 15:47

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe

"C:\Users\Admin\AppData\Local\Temp\a83d5e622b2e0b13048c7f67e06b029e95aba1344a16e5d0912eec5fb70a9a10N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1152

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/3952-0-0x0000000075322000-0x0000000075323000-memory.dmp

memory/3952-1-0x0000000075320000-0x00000000758D1000-memory.dmp

memory/3952-2-0x0000000075320000-0x00000000758D1000-memory.dmp

memory/3952-10-0x0000000075320000-0x00000000758D1000-memory.dmp