asyncrat | 8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe
Size

93KB
MD5

db0a7102ae4d0ba5e2c12787f0eb301d
SHA1

b660f679ddaef9935e14e111077429d8ea3a4def
SHA256

8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45
SHA512

e0cdd2fc53736dc98ccedaec42b1b5e2d7b49cd65ea65f3a88fc9075fd6167f386f3805a03fad5d329c73051734f18fb1f12055f6e9a4baac9a6c478c1678fa6
SSDEEP

1536:aaewCXifh+t5dfmrsT7ezGFeSnBad8pKJHFr7mkgiBgi08FilaebKT10IfLJFDYf:aamyZSdfmrsT7aoM8UHmvied8U4e+6EQ

Score

10^/10

asyncrat redline sectoprat venomrat default kek discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

kek

212.87.215.19:37552

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

212.87.215.19:1602

Mutex

xtqapdqeqwwlkdcvcat

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00120000000054a9-14.dat	family_redline
behavioral1/memory/2720-16-0x0000000000960000-0x000000000097E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00120000000054a9-14.dat	family_sectoprat
behavioral1/memory/2720-16-0x0000000000960000-0x000000000097E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/2536-29-0x0000000000C30000-0x0000000000C48000-memory.dmp	VenomRAT
behavioral1/files/0x000c00000001227f-28.dat	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000c00000001227f-28.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2972	powershell.exe
2640	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2720	system32.exe
2536	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system32.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe
2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe
2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe
2972	powershell.exe
2640	powershell.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2720	system32.exe
2720	system32.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2536	svchost.exe
Token: SeDebugPrivilege	2720	system32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2536	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2972	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	32
PID 2116 wrote to memory of 2972	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	32
PID 2116 wrote to memory of 2972	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	32
PID 2116 wrote to memory of 2720	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	34
PID 2116 wrote to memory of 2720	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	34
PID 2116 wrote to memory of 2720	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	34
PID 2116 wrote to memory of 2720	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	34
PID 2116 wrote to memory of 2640	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	35
PID 2116 wrote to memory of 2640	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	35
PID 2116 wrote to memory of 2640	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	35
PID 2116 wrote to memory of 2536	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	38
PID 2116 wrote to memory of 2536	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	38
PID 2116 wrote to memory of 2536	2116	8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe	38

C:\Users\Admin\AppData\Local\Temp\8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe
"C:\Users\Admin\AppData\Local\Temp\8f950c173036b9d1f792e69215ad6f109f3dfa5bc89cdcf018c2c4eae996bd45.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\system32.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Users\Admin\AppData\Roaming\system32.exe
  "C:\Users\Admin\AppData\Roaming\system32.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabF124.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF6.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC0C.tmp

Filesize
92KB

MD5
102841a614a648b375e94e751611b38f

SHA1
1368e0d6d73fa3cee946bdbf474f577afffe2a43

SHA256
c82ee2a0dc2518cb1771e07ce4b91f5ef763dd3dd006819aece867e82a139264

SHA512
ca18a888dca452c6b08ad9f14b4936eb9223346c45c96629c3ee4dd6742e947b6825662b42e793135e205af77ad35e6765ac6a2b42cefed94781b3463a811f0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0db9e9f54c7ed1c229df8eb3111b8ab5

SHA1
f75616c9b03d9ba4db2a116621238f6f38d287e2

SHA256
e77a61a9a90165306b4a867e1a0633394a6f66718865d21f99f9293f50cd1f11

SHA512
6db9818e865eac4e100415c7f0efdefded13a5272c20b156e41ab19afcf34313b2d47ec6e8a20c4cfe1adf683563d57718e6791fe20862ce3ad580d7f7f15a8e

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
74KB

MD5
50d960b16ffe409fd2d7f3ee2d4fd603

SHA1
d713791aec632e0cfb66f86e625f9be433afcd54

SHA256
d4cf111fce836b6d3b8f018dda51712bce24d0b16b0648e72430eabaa60d8b0e

SHA512
b089725264f28c7f2c86f36cad1814a94c04776222b75d0c4834a84d725978ebe7a4cc1b292612b24fa6e5b433514b4a61579cbf29abcbd39d617e206f9612f8

Download Submit
C:\Users\Admin\AppData\Roaming\system32.exe

Filesize
95KB

MD5
4f872c2ac85fb6a67de72bd0a6d2724f

SHA1
76f1d4d04ef1eca4935a87c96a46558284082aa5

SHA256
54566e338d77d624aec2d81f1fa9ada324e93b388325ad11c10fceacc4c82ffc

SHA512
d4a394c809e613670b206b3f896eff0f8fd1503252d6153a5392783fa65702f38886318e560e3dd103a1f08f374a91e290cd73a1b944b7066907dd8cc35e4f63

Download Submit
memory/2116-0-0x000007FEF5BD3000-0x000007FEF5BD4000-memory.dmp

Filesize
4KB

Download
memory/2116-31-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2116-2-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2116-1-0x0000000000C60000-0x0000000000C7E000-memory.dmp

Filesize
120KB

Download
memory/2536-29-0x0000000000C30000-0x0000000000C48000-memory.dmp

Filesize
96KB

Download
memory/2640-22-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2640-23-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2720-16-0x0000000000960000-0x000000000097E000-memory.dmp

Filesize
120KB

Download
memory/2972-9-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2972-8-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2972-7-0x0000000002BB0000-0x0000000002C30000-memory.dmp

Filesize
512KB

Download