Overview

overview

10

Static

static

3

58f0420c1b...c1.exe

windows7-x64

1

58f0420c1b...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2024 03:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58f0420c1b0b04f11ca26a87616bb032360d9a12475712f700be3e1d248c28c1.exe

  • Size

    369KB

  • MD5

    2fd0b895bf8132884dd68465a1d516f6

  • SHA1

    83c48ee12b44ebb14f0c75c0d7f2f46d53c93cef

  • SHA256

    58f0420c1b0b04f11ca26a87616bb032360d9a12475712f700be3e1d248c28c1

  • SHA512

    de4d8e599b52da46df6c9ef024d6fc471ed736148c285c409fb039e487efb28c95abe2b29e79cdb9a3d87c92578569c2fb3a7f231833d5304cba0eac55ccb9d1

  • SSDEEP

    3072:Nv588HEAmjc+U1B4/gjybW0z4j0+uidj2A3v1Z4voth3jLD+uFaZ:1EAmg++41G2gD4sPSZ

Score
10/10
asyncratvenomratdefaultdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

51.161.12.215:4449

Mutex

olzlzaglbcqbb

Attributes
  • delay

    9

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • VenomRAT 2 IoCs

    Detects VenomRAT.

    rat
  • Venomrat family
    venomrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\58f0420c1b0b04f11ca26a87616bb032360d9a12475712f700be3e1d248c28c1.exe
    "C:\Users\Admin\AppData\Local\Temp\58f0420c1b0b04f11ca26a87616bb032360d9a12475712f700be3e1d248c28c1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Windows\SYSTEM32\cscript.exe
      cscript //nologo "C:\Users\Admin\AppData\Local\Temp\\aSGGWUzDrA6.jse"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Users\Admin\AppData\Local\Temp\TaSSIDSS.exe
        "C:\Users\Admin\AppData\Local\Temp\TaSSIDSS.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4184
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:3972
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC97A.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1820
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:4520
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2964

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TaSSIDSS.exe
    Filesize

    74KB

    MD5

    f23c5236c2569784c604586b7785cb34

    SHA1

    2df47f5f2f691467e855673a7be3434fb1f5d248

    SHA256

    8ce03b1a750fcab81bda029dab94f8e3cbd9d80296d0842e2594a0afa1d89423

    SHA512

    2903a69c4301623c691d969e441c47c075db758c0a985695c26bd959ca860f56fd1f4624654b4566d6ceb5eb57bbf5226f0d98d426419cbda396f59c45a2b9fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aSGGWUzDrA6.jse
    Filesize

    99KB

    MD5

    95b416f68b850d050cf2569fb6147298

    SHA1

    0d9524eac49239770b3e3df5872f2474da9f33f0

    SHA256

    af2eabc91027718f03ee41d304dcc4cfdaf2533bd1121c8e0e5e25f559e997de

    SHA512

    e3fc4a5785a4850d9e186815981eadaf731b02b4b5c5060aca0e09ba77c71028dbc8e57c819013e1ce14667aa5b080e94686abcccd1d3159449de05843bf6411

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpC97A.tmp.bat
    Filesize

    151B

    MD5

    619c86f66bce95a0a1462b062e8b6026

    SHA1

    0403b27cda87150e534217f4828ce70d3f13a97a

    SHA256

    e7e5c378ee5b21760b5c9674f7dd216223af0b2452d0580f61ecce6c01e51885

    SHA512

    fbf87a46f34f57d5fe4538a759b1a4f5e22448c5daa79833e12ea490925d4b4be0ffdbf7d0cb0be6508b4c6b9f45c303b6dcff07d11891d034a7c3427050e43f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
    Filesize

    8B

    MD5

    cf759e4c5f14fe3eec41b87ed756cea8

    SHA1

    c27c796bb3c2fac929359563676f4ba1ffada1f5

    SHA256

    c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

    SHA512

    c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

    Download Submit

  • memory/2516-0-0x000002041AAB0000-0x000002041AAEA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2516-1-0x000002041AAB0000-0x000002041AAEA000-memory.dmp

    Filesize

    232KB

    Download

  • memory/2516-25-0x00007FF7B3B60000-0x00007FF7B3BC0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2516-33-0x00007FF7B3B60000-0x00007FF7B3BC0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/4588-21-0x00007FFCE9D23000-0x00007FFCE9D25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4588-22-0x0000000000C10000-0x0000000000C28000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4588-24-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4588-30-0x00007FFCE9D20000-0x00007FFCEA7E1000-memory.dmp

    Filesize

    10.8MB

    Download