asyncrat | 966ddc6a758daca9f38b84847cc89843158315af24d659e4bc3f8b84603cc81d

Resubmissions

02-01-2025 11:14

250102-ncejnsyrdy 4

02-01-2025 10:23

250102-mexbtsxnd1 10

Analysis

max time kernel
900s
max time network
440s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-01-2025 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pictures (1).rar
Size

40KB
MD5

925b435f22cfd50be40be5b7532a1689
SHA1

a128cbed022405d5cc146229f102ce142fabd17a
SHA256

966ddc6a758daca9f38b84847cc89843158315af24d659e4bc3f8b84603cc81d
SHA512

6d6c279db247b42185b38887f4cca94a7b930655999d311181fbe61270337fabb3dbdfb3ecfaa8397205a1f042e28d38fdf0819e39756606bdf138112fd755d5
SSDEEP

768:yglM/6eKEtD/+K8JgIiMw4Ekt+uKoUKX5Q3cSojiDttGRoCGAYwlGb:yaeL/FMw5NoUKX5QM94ERI

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

127.0.0.1:0

Mutex

nlrwwlvabqvx

Attributes

delay
1
install
false
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001e00000002aa84-3.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
672	The Kids.exe
3948	The Kids.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe
672	The Kids.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4852	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4852	7zFM.exe
Token: 35	4852	7zFM.exe
Token: SeSecurityPrivilege	4852	7zFM.exe
Token: SeDebugPrivilege	672	The Kids.exe
Token: SeDebugPrivilege	3948	The Kids.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4852	7zFM.exe
4852	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
672	The Kids.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Pictures (1).rar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3940

C:\Users\Admin\Desktop\Pictures (1)\The Kids.exe
"C:\Users\Admin\Desktop\Pictures (1)\The Kids.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:672

C:\Users\Admin\Desktop\Pictures (1)\The Kids.exe
"C:\Users\Admin\Desktop\Pictures (1)\The Kids.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Desktop\Pictures (1)\The Kids.exe

Filesize
82KB

MD5
31300efe3208bfb67a72bdfdf37eead7

SHA1
e30193d2aa57411c7e26697177de59c0f8b66b33

SHA256
af053b9107669f49242369eeb397b935c45f867bce98c631bf2247cc5b0f400b

SHA512
80eb5827a1ae337374b1a5ec0af14b93eeabf3c3d99397de64e2e821c2467eeaecba92598e47c90187a4cd1544c4096c07dbb6ad7e3e8b430900327bd14bcae0

Download Submit
memory/672-4-0x00007FFBB1873000-0x00007FFBB1875000-memory.dmp

Filesize
8KB

Download
memory/672-5-0x0000000000090000-0x00000000000AA000-memory.dmp

Filesize
104KB

Download
memory/672-7-0x00007FFBB1870000-0x00007FFBB2332000-memory.dmp

Filesize
10.8MB

Download
memory/672-8-0x00007FFBB1873000-0x00007FFBB1875000-memory.dmp

Filesize
8KB

Download
memory/672-9-0x00007FFBB1870000-0x00007FFBB2332000-memory.dmp

Filesize
10.8MB

Download