asyncrat | 017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1 | Triage

Sharing

General

Target

017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe
Size

89KB
Sample

241128-1wjnysxqfp
MD5

834924ac31fd6b5978bad287da3f99f9
SHA1

3289c8848c485ededbc7600171d74e9570553376
SHA256

017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1
SHA512

feaaf94fd41de5e86fc90f4cc49a57326deb2f1edce1b96384e36924b81727ecabab9a88723348f8962f370564fd1565c1bea6f2230e6c28f710a55a50eb6639
SSDEEP

1536:z7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAw3OL:v7DhdC6kzWypvaQ0FxyNTBfAd

Score

10^/10

asyncrat venomrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

212.15.49.155:4449

Mutex

zuvtbmtrjnwecuy

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Targets

- Target
  
  017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe
- Size
  
  89KB
- MD5
  
  834924ac31fd6b5978bad287da3f99f9
- SHA1
  
  3289c8848c485ededbc7600171d74e9570553376
- SHA256
  
  017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1
- SHA512
  
  feaaf94fd41de5e86fc90f4cc49a57326deb2f1edce1b96384e36924b81727ecabab9a88723348f8962f370564fd1565c1bea6f2230e6c28f710a55a50eb6639
- SSDEEP
  
  1536:z7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAw3OL:v7DhdC6kzWypvaQ0FxyNTBfAd
Score

10^/10

discovery execution asyncrat venomrat default rat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- VenomRAT
  Detects VenomRAT.
  rat
- Venomrat family
  venomrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

asyncratvenomratdefaultdiscoveryexecutionrat