Overview

overview

10

Static

static

10

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 17:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    63KB

  • MD5

    7aabeebd130a48ceb6d29db6338d46d5

  • SHA1

    c72371a7cf6c472252b1d3f7c6e12d3de77e145c

  • SHA256

    c6cb794e8febc4b598d491fe2c94e59cf45dfbc4ca97b03aded9277c918e3a9b

  • SHA512

    d9bb873fa1768453d3fb3a1f9bbaf2b76a0b21717f86da24ed028876a4d470d014e443aaab24072487413a362d46e78ff52fac6dd8a923d2ec1efcb84016cfc7

  • SSDEEP

    1536:4ZuttUdjLAQJaeeiIVrGbbXwUhktGiDpqKmY7:4ZuttUdjvJjeXGbbX7+9gz

Score
10/10
asyncratvenom clientsrat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

following-geometry.gl.at.ply.gg:11493

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    setup.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "setup" /tr '"C:\Users\Admin\AppData\Roaming\setup.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "setup" /tr '"C:\Users\Admin\AppData\Roaming\setup.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2508
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB3A0.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:348
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1132
      • C:\Users\Admin\AppData\Roaming\setup.exe
        "C:\Users\Admin\AppData\Roaming\setup.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4908

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpB3A0.tmp.bat
    Filesize

    149B

    MD5

    b97b7591988d9b9d0c6ebb9725a033bd

    SHA1

    852fab0c1f5b80655f944cd5c98b5131066c7eb5

    SHA256

    a4b03d4e67fb51c61154a0e1f73ea6ef2f41a857394cbd03862db63b29913dfc

    SHA512

    c0c5b4e71a0b76b84a0f534859d2aa41ca55027cdc635ca4d3fcf5f326ddf665a5e64a1fb4d9e8a3f54136b6db6639c6d0bf4a66fa0c9d6d43a3d865604023c7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\setup.exe
    Filesize

    63KB

    MD5

    7aabeebd130a48ceb6d29db6338d46d5

    SHA1

    c72371a7cf6c472252b1d3f7c6e12d3de77e145c

    SHA256

    c6cb794e8febc4b598d491fe2c94e59cf45dfbc4ca97b03aded9277c918e3a9b

    SHA512

    d9bb873fa1768453d3fb3a1f9bbaf2b76a0b21717f86da24ed028876a4d470d014e443aaab24072487413a362d46e78ff52fac6dd8a923d2ec1efcb84016cfc7

    Download Submit

  • memory/1248-1-0x00007FFF75D53000-0x00007FFF75D55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1248-0-0x0000000000970000-0x0000000000986000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1248-2-0x00007FFF75D50000-0x00007FFF76811000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1248-7-0x00007FFF75D50000-0x00007FFF76811000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1248-8-0x00007FFF75D50000-0x00007FFF76811000-memory.dmp

    Filesize

    10.8MB

    Download