asyncrat | b89c8fb7d60e1ad1593a0f8f71f0ff8627f4cd7cdca0ad816cf88f17e36fa159

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

listenlittlenigger.exe
Size

6.7MB
MD5

42bd70076cbd6bf784ab995852146824
SHA1

e0f1e831775736e856f5325f546c3638f6112775
SHA256

b89c8fb7d60e1ad1593a0f8f71f0ff8627f4cd7cdca0ad816cf88f17e36fa159
SHA512

61b4a3e526e84280df3a26b2d8e7cef969dd45f32f6e857f62e9e2b01b355d22da9430807ab1515b2a4be6c7ef2d4b5520d2c3cc8a5c0152595b9a91c3c38f54
SSDEEP

196608:QsjpAN/kWDGXtGzICteEroxzlxZV3Gu5D4S26/CS3HxTM9:Jj6buGzInErot14S26nxY9

Score

10^/10

asyncrat venomrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:11162

Mutex

kqfpdrtqyhcytvu

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b67-37.dat	VenomRAT
behavioral2/memory/3228-50-0x0000000000620000-0x0000000000638000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000a000000023b67-37.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
3228	file2.exe
1612	file1.exe

Loads dropped DLL 5 IoCs

pid	Process
3316	listenlittlenigger.exe
3316	listenlittlenigger.exe
3316	listenlittlenigger.exe
3316	listenlittlenigger.exe
1612	file1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI34802\\file1.exe"	listenlittlenigger.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI34802\\file2.exe"	listenlittlenigger.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\file2.exe	listenlittlenigger.exe
File created	C:\Windows\System32\file1.exe	listenlittlenigger.exe
File opened for modification	C:\Windows\System32\file1.exe	listenlittlenigger.exe
File created	C:\Windows\System32\file2.exe	listenlittlenigger.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe
3228	file2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3228	file2.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1612	file1.exe
3228	file2.exe
1612	file1.exe
1612	file1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 3316	3480	listenlittlenigger.exe	82
PID 3480 wrote to memory of 3316	3480	listenlittlenigger.exe	82
PID 3316 wrote to memory of 2392	3316	listenlittlenigger.exe	83
PID 3316 wrote to memory of 2392	3316	listenlittlenigger.exe	83
PID 3316 wrote to memory of 836	3316	listenlittlenigger.exe	84
PID 3316 wrote to memory of 836	3316	listenlittlenigger.exe	84
PID 836 wrote to memory of 3228	836	cmd.exe	87
PID 836 wrote to memory of 3228	836	cmd.exe	87
PID 2392 wrote to memory of 1612	2392	cmd.exe	88
PID 2392 wrote to memory of 1612	2392	cmd.exe	88
PID 1612 wrote to memory of 3596	1612	file1.exe	89
PID 1612 wrote to memory of 3596	1612	file1.exe	89
PID 1612 wrote to memory of 1540	1612	file1.exe	91
PID 1612 wrote to memory of 1540	1612	file1.exe	91
PID 1612 wrote to memory of 8	1612	file1.exe	96
PID 1612 wrote to memory of 8	1612	file1.exe	96

C:\Users\Admin\AppData\Local\Temp\listenlittlenigger.exe
"C:\Users\Admin\AppData\Local\Temp\listenlittlenigger.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Users\Admin\AppData\Local\Temp\listenlittlenigger.exe
  "C:\Users\Admin\AppData\Local\Temp\listenlittlenigger.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34802\file1.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\_MEI34802\file1.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI34802\file1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1612
    - - \??\c:\PROGRA~1\java\jre-1.8\bin\java.exe
        
        "c:\PROGRA~1\java\jre-1.8\bin\java.exe" -version
        5⤵
        
        PID:3596
    - - \??\c:\PROGRA~1\java\jdk-1.8\jre\bin\java.exe
        
        "c:\PROGRA~1\java\jdk-1.8\jre\bin\java.exe" -version
        5⤵
        
        PID:1540
    - - C:\Windows\SYSTEM32\reg.exe
        
        reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v AppsUseLightTheme
        5⤵
        
        PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34802\file2.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\_MEI34802\file2.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI34802\file2.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
41dd05a5d8621c1552eaf00c8fc949c4

SHA1
f2601672e27000fc460724fadcade8c78b6dc663

SHA256
a057be46718d51cdd9cac435968aff3d718fb61ef0b14152ae2ee0025172ac99

SHA512
3caa757c467b36222969ecd38ac2cf53b1beb4d22ca2f9f30047530e1ec11d6d0177adee7f6167bd26d3297af0e4cfa6343abb39dfcb3979f0c591685106e6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF3145731845840364052.tmp

Filesize
405KB

MD5
8f2869a84ad71f156a17bb66611ebe22

SHA1
0325b9b3992fa2fdc9c715730a33135696c68a39

SHA256
0cb1bc1335372d9e3a0cf6f5311c7cce87af90d2a777fdeec18be605a2a70bc1

SHA512
3d4315d591dcf7609c15b3e32bcc234659fcdbe4be24aef5dba4ad248ad42fd9ab082250244f99dc801ec21575b7400aace50a1e8834d5c33404e76a0caac834

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF538613840190352300.tmp

Filesize
397KB

MD5
fdb50e0d48cdcf775fa1ac0dc3c33bd4

SHA1
5c95e5d66572aeca303512ba41a8dde0cea92c80

SHA256
64f8be6e55c37e32ef03da99714bf3aa58b8f2099bfe4f759a7578e3b8291123

SHA512
20ce8100c96058d4e64a12d0817b7ce638cec9f5d03651320eb6b9c3f47ee289ccc695bd3b5b6bf8e0867cdab0ebb6e8cae77df054e185828a6a13f3733ede53

Download Submit
C:\Users\Admin\AppData\Local\Temp\+JXF8426737665876658062.tmp

Filesize
398KB

MD5
ff5fdc6f42c720a3ebd7b60f6d605888

SHA1
460c18ddf24846e3d8792d440fd9a750503aef1b

SHA256
1936d24cb0f4ce7006e08c6ef4243d2e42a7b45f2249f8fe54d92f76a317dfd1

SHA512
d3d333b1627d597c83a321a3daca38df63ea0f7cab716006935905b8170379ec2aab26cb7ffc7b539ca272cf7fb7937198aee6db3411077bedf3d2b920d078a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_decimal.pyd

Filesize
241KB

MD5
1cdd7239fc63b7c8a2e2bc0a08d9ea76

SHA1
85ef6f43ba1343b30a223c48442a8b4f5254d5b0

SHA256
384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690

SHA512
ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\base_library.zip

Filesize
858KB

MD5
98619f4a9ef4debe1f8e20361c3e5280

SHA1
d6fd1b33527b0a8db0070bfd8c0a75d59ecd8daa

SHA256
ac11659983d0cd24f8cae58fb12ad017a4d4523c9486247d477fbea5bd49f951

SHA512
a39bc78bb4b37f64b2046fe5b9dfc1dfb0b2f5b8733f3bde4a6fa38ed8abaed5992574ea89634294472f2d82f0f0314cd3de093f288076e74213ced58c205434

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\file1.exe

Filesize
1.6MB

MD5
ebb40145a6bfbed88859e41689315d82

SHA1
7bb2c82ef24ef919d04592930bceae039f78aebf

SHA256
e4baeaa3c58628acfd7058b9d434ab2e6a7400445f55685169a79f045810298c

SHA512
67c6601bed14363e6850d93cf2b90c1e4f69c7cd5098d548aa0f378fb42dc6e32fe52cb81aeb232a365a3edb24fdc6ef46f6400cf1709e1d5ee22fa4ac4e07ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\file2.exe

Filesize
74KB

MD5
e16eebd243b2f89c9d9c1d81dc44a09d

SHA1
268c938415c863c330a00747ee9ddd5a7d890ffc

SHA256
fc0118ea892af96231a2f6314fe1f8d19ce5393a04be525e6c977b300d28d3d3

SHA512
dacef3fef80ec8cff1f2ec25ab78fb2e27f430f87512d21e3009fdc4cccddff2ef7c29fa78fe80aca7c32db51bd42d03842f50774690c3d39e25ce6469d25831

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34802\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4j82CC.tmp_dir1732913727\SKlauncher-3.2.10.jar

Filesize
1.1MB

MD5
1495e81aa573744050268cb330af8281

SHA1
b67d9bda787a526c79128179e5000924bca11dd4

SHA256
3ce7e5aff85320e1d393eb34e918a6b71a667bccf08252fbdd512443e5d62f9a

SHA512
e321e4b9243815b4d0b3ab34c380c2b8da0e8e264b791018a4385967946e8cf320fb5bcb695b7aa75e5a9420ae6ced6ea3c05ecfaedb7a1a6e02a1438a2c9d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\flatlaf.temp\flatlaf-windows-x86_64-4726327958800.dll

Filesize
23KB

MD5
8b9f16320499ece60d7ff0c1249c6df7

SHA1
cd8fc57c064533df66f0ceaaf5d76f8c4f8cb3a0

SHA256
f8a3af19341ac0f12f55ad28169d22b75aa66ed818692541307393c22f986727

SHA512
97384ee1faa1be807388f4077fde5db94010f06420b1ff3a05edf77fb91c9a8163b0a91cb1b7e648c0cd8c4d599e552050f64b8f7c5c81c1be60cd35f062e9d3

Download Submit
C:\Users\Admin\AppData\Roaming\.minecraft\sklauncher-fx.jar

Filesize
14.4MB

MD5
9def4a689f22d8ec2fbbbc08de5224d2

SHA1
e3a437eb4d63a6afc2541ca8e9472c73ba9cea06

SHA256
d9d099a694960d4b4c27ee91b1bf72c2772b66925f49cc19a77fea3e6f69e282

SHA512
56f0e93f45cc76f4feddf9138e278b0cb15b04031b084abf0fa44760dd8c79594112b2ace02149e7480efd6515fe28c9b8cc0cb626c563d9e9c35ac52165a5e7

Download Submit
memory/1540-76-0x000002AA0DFB0000-0x000002AA0DFB1000-memory.dmp

Filesize
4KB

Download
memory/1612-149-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-292-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-190-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-205-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-93-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-223-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-224-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-225-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-231-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-277-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-281-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-286-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-290-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-127-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-299-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-301-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-307-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-306-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1612-315-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/3228-389-0x00007FFF6B503000-0x00007FFF6B505000-memory.dmp

Filesize
8KB

Download
memory/3228-524-0x00007FFF6B500000-0x00007FFF6BFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3228-54-0x00007FFF6B500000-0x00007FFF6BFC1000-memory.dmp

Filesize
10.8MB

Download
memory/3228-50-0x0000000000620000-0x0000000000638000-memory.dmp

Filesize
96KB

Download
memory/3228-46-0x00007FFF6B503000-0x00007FFF6B505000-memory.dmp

Filesize
8KB

Download
memory/3596-64-0x0000026BCA0F0000-0x0000026BCA0F1000-memory.dmp

Filesize
4KB

Download