asyncrat | 45d177fa58f5866863009793a9266d1778a99a4162a40dd9f7579af8de2f691e

General

Target

45d177fa58f5866863009793a9266d1778a99a4162a40dd9f7579af8de2f691eN.exe
Size

7KB
MD5

efb300728cc6abad6005e98417031110
SHA1

0f7143fdb0ea3d9a52ed2cb738d7abcbf5790f2c
SHA256

45d177fa58f5866863009793a9266d1778a99a4162a40dd9f7579af8de2f691e
SHA512

02f61ac6b5e583993ae239554b5cdecbb6ea2d75abc19f7c8fe13bcb7821113ca72565ed4da4549b6148f7bc4a2493e209c7b318a6a669aa79b21d71cab52dba
SSDEEP

96:+t1b9mNmHx9+ia+H7493kOmcG5nOR7nnh2V2pprl0bzNt:+9m+xTvbxOmXO9n8V2ppJ09

Score

10^/10

asyncrat venomrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:2231

Mutex

ialdhmkvqyisemxnzmc

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/files/0x000b000000023b5e-7.dat	VenomRAT
behavioral2/memory/3524-15-0x00000000001F0000-0x0000000000208000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000b000000023b5e-7.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	45d177fa58f5866863009793a9266d1778a99a4162a40dd9f7579af8de2f691eN.exe

Executes dropped EXE 1 IoCs

pid	Process
3524	mamammiaa.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45d177fa58f5866863009793a9266d1778a99a4162a40dd9f7579af8de2f691eN.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe
3524	mamammiaa.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3396	45d177fa58f5866863009793a9266d1778a99a4162a40dd9f7579af8de2f691eN.exe
Token: SeDebugPrivilege	3524	mamammiaa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3524	mamammiaa.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3524	3396	45d177fa58f5866863009793a9266d1778a99a4162a40dd9f7579af8de2f691eN.exe	84
PID 3396 wrote to memory of 3524	3396	45d177fa58f5866863009793a9266d1778a99a4162a40dd9f7579af8de2f691eN.exe	84

C:\Users\Admin\AppData\Local\Temp\45d177fa58f5866863009793a9266d1778a99a4162a40dd9f7579af8de2f691eN.exe
"C:\Users\Admin\AppData\Local\Temp\45d177fa58f5866863009793a9266d1778a99a4162a40dd9f7579af8de2f691eN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\mamammiaa.exe
  "C:\Users\Admin\AppData\Local\mamammiaa.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\mamammiaa.exe

Filesize
74KB

MD5
d418c00d1fe56a2c3f0361c9cb213d7d

SHA1
a3a1f66520d60ab574ce2334338ea9c6ebffdeed

SHA256
53c9261aeb39d5841a71322eb3e5bc37196f15ba1f36f8896935b339afaf590b

SHA512
688cb54f7d551f322c4c222d0612fd02a9c3d868a364baab8a12549dbb94dde7d47103f8cd5755b56c825c9f5373c1eb3cda5a3e9c2017846d379912b6dd0068

Download Submit
memory/3396-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

Filesize
4KB

Download
memory/3396-1-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/3396-2-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/3396-18-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

Filesize
4KB

Download
memory/3396-19-0x0000000074D60000-0x0000000075510000-memory.dmp

Filesize
7.7MB

Download
memory/3524-14-0x00007FFD6EA03000-0x00007FFD6EA05000-memory.dmp

Filesize
8KB

Download
memory/3524-15-0x00000000001F0000-0x0000000000208000-memory.dmp

Filesize
96KB

Download
memory/3524-17-0x00007FFD6EA00000-0x00007FFD6F4C1000-memory.dmp

Filesize
10.8MB

Download
memory/3524-20-0x00007FFD6EA03000-0x00007FFD6EA05000-memory.dmp

Filesize
8KB

Download
memory/3524-21-0x00007FFD6EA00000-0x00007FFD6F4C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing