asyncrat | b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c

Analysis

max time kernel
137s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/12/2024, 10:34 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PkContent.exe
Size

810KB
MD5

87c051a77edc0cc77a4d791ef72367d1
SHA1

5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5
SHA256

b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c
SHA512

259a3f823d5051fcc9e87ceacf25557ab17f5d26ff4f0c17801d9ef83a23d2a51261a73e5ba9c3caf1ca2feb18a569458f17a2a5d56b542b86d6a124a42d4c2c
SSDEEP

12288:FCxMe2dk7YgL+OsQdFGHjaRYf9bquEZ68ufU3wqB2ydPsW/w0bvf:FsMe2KYIDpSO5vZ68FwqB2aPsW3

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

47.238.55.14:4449

Mutex

rqwcncaesrdtlckoweu

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

1
CGibtzJbYEm3dDuC6T6BzMkinzwEZaex

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2692 created 1196	2692	Thermal.pif	21

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2692	Thermal.pif
1868	RegAsm.exe

Loads dropped DLL 3 IoCs

pid	Process
2288	cmd.exe
2692	Thermal.pif
1868	RegAsm.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2816	tasklist.exe
3040	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MonsterRaymond	PkContent.exe
File opened for modification	C:\Windows\FirewireBros	PkContent.exe
File opened for modification	C:\Windows\PortugalCharges	PkContent.exe
File opened for modification	C:\Windows\PgJune	PkContent.exe
File opened for modification	C:\Windows\ReceptorsTeeth	PkContent.exe
File opened for modification	C:\Windows\PorcelainExhaust	PkContent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PkContent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thermal.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif
1868	RegAsm.exe
1868	RegAsm.exe
1868	RegAsm.exe
1868	RegAsm.exe
1868	RegAsm.exe
1868	RegAsm.exe
1868	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	tasklist.exe
Token: SeDebugPrivilege	2816	tasklist.exe
Token: SeDebugPrivilege	1868	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2692	Thermal.pif
2692	Thermal.pif
2692	Thermal.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1868	RegAsm.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 2288	1652	PkContent.exe	30
PID 1652 wrote to memory of 2288	1652	PkContent.exe	30
PID 1652 wrote to memory of 2288	1652	PkContent.exe	30
PID 1652 wrote to memory of 2288	1652	PkContent.exe	30
PID 2288 wrote to memory of 3040	2288	cmd.exe	32
PID 2288 wrote to memory of 3040	2288	cmd.exe	32
PID 2288 wrote to memory of 3040	2288	cmd.exe	32
PID 2288 wrote to memory of 3040	2288	cmd.exe	32
PID 2288 wrote to memory of 3052	2288	cmd.exe	33
PID 2288 wrote to memory of 3052	2288	cmd.exe	33
PID 2288 wrote to memory of 3052	2288	cmd.exe	33
PID 2288 wrote to memory of 3052	2288	cmd.exe	33
PID 2288 wrote to memory of 2816	2288	cmd.exe	35
PID 2288 wrote to memory of 2816	2288	cmd.exe	35
PID 2288 wrote to memory of 2816	2288	cmd.exe	35
PID 2288 wrote to memory of 2816	2288	cmd.exe	35
PID 2288 wrote to memory of 2812	2288	cmd.exe	36
PID 2288 wrote to memory of 2812	2288	cmd.exe	36
PID 2288 wrote to memory of 2812	2288	cmd.exe	36
PID 2288 wrote to memory of 2812	2288	cmd.exe	36
PID 2288 wrote to memory of 2088	2288	cmd.exe	37
PID 2288 wrote to memory of 2088	2288	cmd.exe	37
PID 2288 wrote to memory of 2088	2288	cmd.exe	37
PID 2288 wrote to memory of 2088	2288	cmd.exe	37
PID 2288 wrote to memory of 2640	2288	cmd.exe	38
PID 2288 wrote to memory of 2640	2288	cmd.exe	38
PID 2288 wrote to memory of 2640	2288	cmd.exe	38
PID 2288 wrote to memory of 2640	2288	cmd.exe	38
PID 2288 wrote to memory of 2664	2288	cmd.exe	39
PID 2288 wrote to memory of 2664	2288	cmd.exe	39
PID 2288 wrote to memory of 2664	2288	cmd.exe	39
PID 2288 wrote to memory of 2664	2288	cmd.exe	39
PID 2288 wrote to memory of 2692	2288	cmd.exe	40
PID 2288 wrote to memory of 2692	2288	cmd.exe	40
PID 2288 wrote to memory of 2692	2288	cmd.exe	40
PID 2288 wrote to memory of 2692	2288	cmd.exe	40
PID 2288 wrote to memory of 2932	2288	cmd.exe	41
PID 2288 wrote to memory of 2932	2288	cmd.exe	41
PID 2288 wrote to memory of 2932	2288	cmd.exe	41
PID 2288 wrote to memory of 2932	2288	cmd.exe	41
PID 2692 wrote to memory of 2280	2692	Thermal.pif	42
PID 2692 wrote to memory of 2280	2692	Thermal.pif	42
PID 2692 wrote to memory of 2280	2692	Thermal.pif	42
PID 2692 wrote to memory of 2280	2692	Thermal.pif	42
PID 2692 wrote to memory of 1868	2692	Thermal.pif	45
PID 2692 wrote to memory of 1868	2692	Thermal.pif	45
PID 2692 wrote to memory of 1868	2692	Thermal.pif	45
PID 2692 wrote to memory of 1868	2692	Thermal.pif	45
PID 2692 wrote to memory of 1868	2692	Thermal.pif	45
PID 2692 wrote to memory of 1868	2692	Thermal.pif	45
PID 2692 wrote to memory of 1868	2692	Thermal.pif	45
PID 2692 wrote to memory of 1868	2692	Thermal.pif	45
PID 2692 wrote to memory of 1868	2692	Thermal.pif	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\PkContent.exe
  "C:\Users\Admin\AppData\Local\Temp\PkContent.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3040
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3052
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2816
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 724598
      4⤵
      System Location Discovery: System Language Discovery
      PID:2088
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "WowLiberalCalOfficer" Weight
      4⤵
      System Location Discovery: System Language Discovery
      PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\724598\Thermal.pif
      Thermal.pif y
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\724598\RegAsm.exe
        
        C:\Users\Admin\AppData\Local\Temp\724598\RegAsm.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1868
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\Admin\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2280

Network

DNS

ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz

Thermal.pif

Remote address:

8.8.8.8:53

Request

ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz

IN A

Response

47.238.55.14:4449

RegAsm.exe

152 B
3
47.238.55.14:4449

RegAsm.exe

152 B
3
47.238.55.14:4449

RegAsm.exe

152 B
3
47.238.55.14:4449

RegAsm.exe

152 B
3
47.238.55.14:4449

RegAsm.exe

152 B
3
47.238.55.14:4449

RegAsm.exe

152 B
3

8.8.8.8:53

ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz

dns

Thermal.pif

81 B
156 B
1
1

DNS Request

ctIHfwPuGQOYqdJrz.ctIHfwPuGQOYqdJrz

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\724598\y

Filesize
254KB

MD5
a65498ab3a69a64ead790db5bb2f48aa

SHA1
eb8cd723dab355ff507b356b9286f09b9ffcd968

SHA256
9ad27753646f1eec5009be7ed43bcdfc4e9ab8dffc6fe3ff4adc558a1f32f5cd

SHA512
9cfcb7873c3bad12109a85516eaf62393aa905b5a7fa93e8bc808ef0911070ea89f0e41953e67b45b74409bf0ac046fd7f4a12ab612edf7bf01a46c459ba1cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Agencies

Filesize
90KB

MD5
975bfc19287c2c5b74a1b228f30f14b0

SHA1
8f5feec00b337529a7e193f452c45f6063ad37a1

SHA256
91e28eface5e10865887b9a13420b1bfd3a8673255785e3bfc65745da63d1322

SHA512
18d8c41ebcba5667cb3ac3fa1270d78cad2fd9e8fc69dd32969b693fedc6354e3de12f74830e68b55c6aa7c5a0fbb388599f827cb94d71732231f4ebbf580f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Explorer

Filesize
58KB

MD5
01d7374bf51507454392d1081d9b309e

SHA1
034378159b5f4b6089a95064aec9ff210da7c3df

SHA256
eecdd8dfd2dd6d9d1c55077ee6515a9c59d3046112d014b7a5e87fdabb8157a2

SHA512
de64b35bfd2c279a77d552f7c518421bffcf2f5d14e78fa3f80e21b97aeb5dc287340452d61ca19c9aa5ce426c61ec6605786727d844282aa5457a1d8c4f94f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hammer

Filesize
17KB

MD5
f15a876fe95af76d09e4f26593b4502e

SHA1
53d14a9f7b44de6fd9aba018e0f4738175a4e3a0

SHA256
4ddf695422db24b6917750a923db6d55e9973a4463cf3b60f0c732d34f7728d1

SHA512
cbc944366518fea910cc685c6ac99caafa20ffd91ba8572b5e33feeb9529cea6684e83365c5851d6798bcd3dc265e9157ae80e60f56f061c2b78e6c935e48741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ought

Filesize
865KB

MD5
260377b64080b872ffd57234ff7d097e

SHA1
f9ea953f328a1ec1cac31ac05a6353ae27519238

SHA256
29826de3343c0a6f753f3cdcc551e755e12059e79b0658be1048e5f893e1c0d3

SHA512
a01a781d352ac7cb98fd17f91db6114147188519819106d27a183f8bc114713de8d0e78524dcab8833187e365f2207da5e4cd77fc8d787f63b48a04bf17b6de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Situated

Filesize
10KB

MD5
b5a2ce2534752d3a6033f59c8436d7b6

SHA1
8e184055af6e0f7dcd83d832bd565e784a7b8e80

SHA256
c142ebc3005012c982b366c6e4b03db5b477c721eed245592a6f2c585ec314c3

SHA512
c2f5480e23fcd32ac7111fc9e507b7660ee551477a1dc18f188bd5796bf29bc93cc10926908f9f6483e906bfc07dde07be7223bc0b4b4c5dbc0fa1c0f2d43f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Weight

Filesize
7KB

MD5
4192ba712a2fdc09914b07d144f06e20

SHA1
0a3320eea12b490fd589b9f2cb878579108be555

SHA256
265661fdddd79aefcfba0fc456cf864c05439b8281da8345d200283f5664a229

SHA512
543248b976f061c835329adbccbb249922ebeb671bb158d7a0e70284e0fe9d723c18e8a2e4f198202cfa20dc3d0f341efd4e78c64f4d5e56e8d2a08745417948

Download Submit
C:\Users\Admin\AppData\Local\Temp\West

Filesize
96KB

MD5
b7c64d91870c30f6d27b86c9294ca361

SHA1
41ea994169f7bea9752f6bd40d9833d6577ede49

SHA256
91a57858547382fa34e5aad2a6c8546c4eaeaa32b515693e42e84ad190149a6a

SHA512
d6d3625a28a8ab2aad5e5e80cb10798d3602e0e189d521e4fecbee4f4015f07e7d2c6f9cdbec4c9efcc5c903c3ebaaf9b6abbf30d615748316992a5c398bc1b6

Download Submit
\Users\Admin\AppData\Local\Temp\724598\RegAsm.exe

Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\724598\Thermal.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/1868-33-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/1868-36-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/1868-35-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download