asyncrat | ac0f626978d7af3d1b2c5a720ff8ef2631c520bd9cc1eb9ef7eaa6ccf8d9f1b8

Analysis

max time kernel
123s
max time network
98s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29/11/2024, 02:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Client(UPDATED).rar
Size

32KB
MD5

150320d58d28cf3699260e50aeecfca0
SHA1

a619a728f19688f5c2641cc6b3121576d7abd697
SHA256

ac0f626978d7af3d1b2c5a720ff8ef2631c520bd9cc1eb9ef7eaa6ccf8d9f1b8
SHA512

7bdf66f3c04e8b64f4c5d52b4eb5af490362d475ae1caa5bb76ece7517bf2f343f204e5f3debeef87afbcf0aed2a86504b2f8a29db3d1d62c632321b0f5f4fc0
SSDEEP

768:aPIOj4dOLH222y5bGbazH6KwE0gfC81BJriDS6l4SUf36GrgJU9kGg:NOjNK22L+z4E0gqOrie6l4SU/Prl9A

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

147.185.221.24:6902

Mutex

wfwdfws

Attributes

delay
1
install
true
install_file
asdfwqdfwed.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x001b00000002aae2-4.dat	family_asyncrat

Executes dropped EXE 26 IoCs

pid	Process
3588	Client(UPDATED).exe
3948	Client(UPDATED).exe
1548	Client(UPDATED).exe
2072	Client(UPDATED).exe
3220	Client(UPDATED).exe
1544	Client(UPDATED).exe
3580	Client(UPDATED).exe
1440	Client(UPDATED).exe
1196	Client(UPDATED).exe
1876	Client(UPDATED).exe
1408	Client(UPDATED).exe
4052	Client(UPDATED).exe
2116	Client(UPDATED).exe
3828	Client(UPDATED).exe
3716	Client(UPDATED).exe
3584	Client(UPDATED).exe
1052	Client(UPDATED).exe
2592	Client(UPDATED).exe
4700	Client(UPDATED).exe
3260	Client(UPDATED).exe
4900	Client(UPDATED).exe
4676	Client(UPDATED).exe
1020	Client(UPDATED).exe
1188	Client(UPDATED).exe
5004	Client(UPDATED).exe
4672	Client(UPDATED).exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1900	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1900	7zFM.exe
Token: 35	1900	7zFM.exe
Token: SeSecurityPrivilege	1900	7zFM.exe
Token: SeDebugPrivilege	3588	Client(UPDATED).exe
Token: SeIncreaseQuotaPrivilege	3588	Client(UPDATED).exe
Token: SeSecurityPrivilege	3588	Client(UPDATED).exe
Token: SeTakeOwnershipPrivilege	3588	Client(UPDATED).exe
Token: SeLoadDriverPrivilege	3588	Client(UPDATED).exe
Token: SeSystemProfilePrivilege	3588	Client(UPDATED).exe
Token: SeSystemtimePrivilege	3588	Client(UPDATED).exe
Token: SeProfSingleProcessPrivilege	3588	Client(UPDATED).exe
Token: SeIncBasePriorityPrivilege	3588	Client(UPDATED).exe
Token: SeCreatePagefilePrivilege	3588	Client(UPDATED).exe
Token: SeBackupPrivilege	3588	Client(UPDATED).exe
Token: SeRestorePrivilege	3588	Client(UPDATED).exe
Token: SeShutdownPrivilege	3588	Client(UPDATED).exe
Token: SeDebugPrivilege	3588	Client(UPDATED).exe
Token: SeSystemEnvironmentPrivilege	3588	Client(UPDATED).exe
Token: SeRemoteShutdownPrivilege	3588	Client(UPDATED).exe
Token: SeUndockPrivilege	3588	Client(UPDATED).exe
Token: SeManageVolumePrivilege	3588	Client(UPDATED).exe
Token: 33	3588	Client(UPDATED).exe
Token: 34	3588	Client(UPDATED).exe
Token: 35	3588	Client(UPDATED).exe
Token: 36	3588	Client(UPDATED).exe
Token: SeIncreaseQuotaPrivilege	3588	Client(UPDATED).exe
Token: SeSecurityPrivilege	3588	Client(UPDATED).exe
Token: SeTakeOwnershipPrivilege	3588	Client(UPDATED).exe
Token: SeLoadDriverPrivilege	3588	Client(UPDATED).exe
Token: SeSystemProfilePrivilege	3588	Client(UPDATED).exe
Token: SeSystemtimePrivilege	3588	Client(UPDATED).exe
Token: SeProfSingleProcessPrivilege	3588	Client(UPDATED).exe
Token: SeIncBasePriorityPrivilege	3588	Client(UPDATED).exe
Token: SeCreatePagefilePrivilege	3588	Client(UPDATED).exe
Token: SeBackupPrivilege	3588	Client(UPDATED).exe
Token: SeRestorePrivilege	3588	Client(UPDATED).exe
Token: SeShutdownPrivilege	3588	Client(UPDATED).exe
Token: SeDebugPrivilege	3588	Client(UPDATED).exe
Token: SeSystemEnvironmentPrivilege	3588	Client(UPDATED).exe
Token: SeRemoteShutdownPrivilege	3588	Client(UPDATED).exe
Token: SeUndockPrivilege	3588	Client(UPDATED).exe
Token: SeManageVolumePrivilege	3588	Client(UPDATED).exe
Token: 33	3588	Client(UPDATED).exe
Token: 34	3588	Client(UPDATED).exe
Token: 35	3588	Client(UPDATED).exe
Token: 36	3588	Client(UPDATED).exe
Token: SeSecurityPrivilege	1900	7zFM.exe
Token: SeDebugPrivilege	3948	Client(UPDATED).exe
Token: SeIncreaseQuotaPrivilege	3948	Client(UPDATED).exe
Token: SeSecurityPrivilege	3948	Client(UPDATED).exe
Token: SeTakeOwnershipPrivilege	3948	Client(UPDATED).exe
Token: SeLoadDriverPrivilege	3948	Client(UPDATED).exe
Token: SeSystemProfilePrivilege	3948	Client(UPDATED).exe
Token: SeSystemtimePrivilege	3948	Client(UPDATED).exe
Token: SeProfSingleProcessPrivilege	3948	Client(UPDATED).exe
Token: SeIncBasePriorityPrivilege	3948	Client(UPDATED).exe
Token: SeCreatePagefilePrivilege	3948	Client(UPDATED).exe
Token: SeBackupPrivilege	3948	Client(UPDATED).exe
Token: SeRestorePrivilege	3948	Client(UPDATED).exe
Token: SeShutdownPrivilege	3948	Client(UPDATED).exe
Token: SeDebugPrivilege	3948	Client(UPDATED).exe
Token: SeSystemEnvironmentPrivilege	3948	Client(UPDATED).exe
Token: SeRemoteShutdownPrivilege	3948	Client(UPDATED).exe
Token: SeUndockPrivilege	3948	Client(UPDATED).exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe
1900	7zFM.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 3588	1900	7zFM.exe	77
PID 1900 wrote to memory of 3588	1900	7zFM.exe	77
PID 1900 wrote to memory of 3948	1900	7zFM.exe	84
PID 1900 wrote to memory of 3948	1900	7zFM.exe	84
PID 1900 wrote to memory of 1548	1900	7zFM.exe	87
PID 1900 wrote to memory of 1548	1900	7zFM.exe	87
PID 1900 wrote to memory of 2072	1900	7zFM.exe	88
PID 1900 wrote to memory of 2072	1900	7zFM.exe	88
PID 1900 wrote to memory of 3220	1900	7zFM.exe	93
PID 1900 wrote to memory of 3220	1900	7zFM.exe	93
PID 1900 wrote to memory of 1544	1900	7zFM.exe	96
PID 1900 wrote to memory of 1544	1900	7zFM.exe	96
PID 1900 wrote to memory of 3580	1900	7zFM.exe	97
PID 1900 wrote to memory of 3580	1900	7zFM.exe	97
PID 1900 wrote to memory of 1440	1900	7zFM.exe	98
PID 1900 wrote to memory of 1440	1900	7zFM.exe	98
PID 1900 wrote to memory of 1196	1900	7zFM.exe	99
PID 1900 wrote to memory of 1196	1900	7zFM.exe	99
PID 1900 wrote to memory of 1876	1900	7zFM.exe	102
PID 1900 wrote to memory of 1876	1900	7zFM.exe	102
PID 1900 wrote to memory of 1408	1900	7zFM.exe	103
PID 1900 wrote to memory of 1408	1900	7zFM.exe	103
PID 1900 wrote to memory of 4052	1900	7zFM.exe	104
PID 1900 wrote to memory of 4052	1900	7zFM.exe	104
PID 1900 wrote to memory of 2116	1900	7zFM.exe	105
PID 1900 wrote to memory of 2116	1900	7zFM.exe	105
PID 1900 wrote to memory of 3828	1900	7zFM.exe	125
PID 1900 wrote to memory of 3828	1900	7zFM.exe	125
PID 1900 wrote to memory of 3716	1900	7zFM.exe	126
PID 1900 wrote to memory of 3716	1900	7zFM.exe	126
PID 1900 wrote to memory of 3584	1900	7zFM.exe	127
PID 1900 wrote to memory of 3584	1900	7zFM.exe	127
PID 1900 wrote to memory of 1052	1900	7zFM.exe	128
PID 1900 wrote to memory of 1052	1900	7zFM.exe	128
PID 1900 wrote to memory of 2592	1900	7zFM.exe	129
PID 1900 wrote to memory of 2592	1900	7zFM.exe	129
PID 1900 wrote to memory of 4700	1900	7zFM.exe	130
PID 1900 wrote to memory of 4700	1900	7zFM.exe	130
PID 1900 wrote to memory of 3260	1900	7zFM.exe	131
PID 1900 wrote to memory of 3260	1900	7zFM.exe	131
PID 1900 wrote to memory of 4900	1900	7zFM.exe	132
PID 1900 wrote to memory of 4900	1900	7zFM.exe	132
PID 1900 wrote to memory of 4676	1900	7zFM.exe	133
PID 1900 wrote to memory of 4676	1900	7zFM.exe	133
PID 1900 wrote to memory of 1020	1900	7zFM.exe	134
PID 1900 wrote to memory of 1020	1900	7zFM.exe	134
PID 1900 wrote to memory of 1188	1900	7zFM.exe	137
PID 1900 wrote to memory of 1188	1900	7zFM.exe	137
PID 1900 wrote to memory of 5004	1900	7zFM.exe	138
PID 1900 wrote to memory of 5004	1900	7zFM.exe	138
PID 1900 wrote to memory of 4672	1900	7zFM.exe	143
PID 1900 wrote to memory of 4672	1900	7zFM.exe	143

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Client(UPDATED).rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\7zOC67FD5D7\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67FD5D7\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3588
- C:\Users\Admin\AppData\Local\Temp\7zOC673DD68\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC673DD68\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\7zOC6749348\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6749348\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\7zOC67DA248\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67DA248\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Users\Admin\AppData\Local\Temp\7zOC67234A8\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67234A8\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Users\Admin\AppData\Local\Temp\7zOC67C4A98\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67C4A98\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\7zOC67A77E8\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67A77E8\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Users\Admin\AppData\Local\Temp\7zOC67385E8\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67385E8\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Users\Admin\AppData\Local\Temp\7zOC67793E8\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67793E8\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\7zOC67FA2E8\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67FA2E8\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Users\Admin\AppData\Local\Temp\7zOC678C1E8\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC678C1E8\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Users\Admin\AppData\Local\Temp\7zOC672E0E8\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC672E0E8\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Users\Admin\AppData\Local\Temp\7zOC67BEFE8\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67BEFE8\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\7zOC6788309\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6788309\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\7zOC67F1209\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67F1209\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Users\Admin\AppData\Local\Temp\7zOC6782109\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6782109\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Users\Admin\AppData\Local\Temp\7zOC6716009\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6716009\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Users\Admin\AppData\Local\Temp\7zOC67A9E09\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67A9E09\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Users\Admin\AppData\Local\Temp\7zOC673BD09\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC673BD09\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\7zOC6795C09\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6795C09\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Users\Admin\AppData\Local\Temp\7zOC6743B09\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6743B09\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Users\Admin\AppData\Local\Temp\7zOC67D5A09\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67D5A09\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\7zOC6759809\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6759809\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Users\Admin\AppData\Local\Temp\7zOC67DD719\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67DD719\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Users\Admin\AppData\Local\Temp\7zOC6761619\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC6761619\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\7zOC67F3519\Client(UPDATED).exe
  "C:\Users\Admin\AppData\Local\Temp\7zOC67F3519\Client(UPDATED).exe"
  2⤵
  - Executes dropped EXE
  PID:4672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3164

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zOC67FD5D7\Client(UPDATED).exe

Filesize
74KB

MD5
c0dddcbf45260fb4166725ec0978a3f5

SHA1
353a8e89bd3f3a3783b20e254aa2e54b4f5237ed

SHA256
be0a20799270f6cdf299ffeb63f06f7cf6ccb5de55ea3e37d45717ec3137db23

SHA512
f7cc16691267e2360e671f025411be3ccb104ab589457d6b21e67ec0ed2fe21daafd19b9aab83ced8e6185e90ab88f944d507460876c31f2382b4287d5fc926f

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/3588-13-0x0000000000820000-0x0000000000838000-memory.dmp

Filesize
96KB

Download
memory/3588-12-0x00007FFF1FA13000-0x00007FFF1FA15000-memory.dmp

Filesize
8KB

Download
memory/3588-15-0x00007FFF1FA10000-0x00007FFF204D2000-memory.dmp

Filesize
10.8MB

Download
memory/3588-16-0x00007FFF1FA10000-0x00007FFF204D2000-memory.dmp

Filesize
10.8MB

Download