Analysis

  • max time kernel
    6s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-01-2025 09:54

General

  • Target

    Monotone.exe

  • Size

    246KB

  • MD5

    cbb85438bd2ca32cd7ad4c7a4656f791

  • SHA1

    3c67296747df6812205c3d447de8c841ffc84551

  • SHA256

    6df84349f4d67f3d0f90ef741cb2626321e429eecdf630aca67a000dc8bca71f

  • SHA512

    3678bb96f7ef649fb7129e30334667ef7162e54e516b7a3ba6a97b7603ffb7bc65ab0dd43467c2fd17edbd02b97dba545aa152eefe2585b96f32fab62a51ad7d

  • SSDEEP

    6144:+5oaqJhJMHW69B9VjMdxPedN9ug0/9TB0dHlx7PMVeaesVbsDji:+5oaqjp/9TudHlxhds6Dji

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

46.197.123.202:1604

Mutex

bfztpmtzls

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
sfSQq9hBVqjflWiPtUTEiTOB5CH8qv3W

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Monotone.exe
    "C:\Users\Admin\AppData\Local\Temp\Monotone.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Roaming\Monotone.exe
      "C:\Users\Admin\AppData\Roaming\Monotone.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BCBA.tmp\BCBB.tmp\BCBC.bat C:\Users\Admin\AppData\Roaming\Monotone.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2280
        • C:\Windows\system32\mode.com
          mode 80,20
          4⤵
            PID:2904
          • C:\Windows\system32\PING.EXE
            ping localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2976
      • C:\Users\Admin\AppData\Roaming\Client.exe
        "C:\Users\Admin\AppData\Roaming\Client.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2644

    Network

      No results found
    • 46.197.123.202:1604
      Client.exe
      104 B
      2
    No results found

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\BCBA.tmp\BCBB.tmp\BCBC.bat

      Filesize

      17KB

      MD5

      c5b9f5f77bee19857e4331300d080e3b

      SHA1

      50f5d39311cf12636d9ebe58aa4464578995f112

      SHA256

      a689ce9bdcdbc32ad39cbab6349453847a71a386cb4c4be4ffe2daff57fce52d

      SHA512

      ecb86677eb5bb0c0dc8b7c1d351cd7409772699393ebce902fcaa05442d46da112cfe8ca2215794ae2308c573d56fd51fd8920c488ff20c7b1c96cd7fced1dd1

    • \Users\Admin\AppData\Roaming\Client.exe

      Filesize

      74KB

      MD5

      4b16a452ee0c842e3c32bf359a9cade3

      SHA1

      b30626f1369c0409161d23cfc36c499a2cbd54a7

      SHA256

      806a3c8ee4abc3a8bf4d9693ffb322c6364e43ae8f7ad759149ba55c3f6a8851

      SHA512

      6c4e9d51be47606966adcbbd558cfdcd43554b47c5267ffcf0cc4220a6a85d653881bcf1dc53ee7e5f14b5735aa5e974d383243defca02a2baefd375c6813d46

    • \Users\Admin\AppData\Roaming\Monotone.exe

      Filesize

      160KB

      MD5

      cd6cddac2686df01814705f21e6da343

      SHA1

      f29ad4efdc160ffba5cb63e01349ec9b84123e30

      SHA256

      0f7f86530b7fa2e693a2a3a5bf69957e61c2f45d39418d077285a1ea6f4bb992

      SHA512

      a673d521f316d3e0fa87a99effa33c5dc4fde315e72b7f6cbb828a94ffe8ebeed4bf9ca6fe858b3c69327aa4ce05ae02b37e2a392abb7cc728c4bbe2ab9a6de4

    • memory/816-0-0x0000000074621000-0x0000000074622000-memory.dmp

      Filesize

      4KB

    • memory/816-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

      Filesize

      5.7MB

    • memory/816-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

      Filesize

      5.7MB

    • memory/816-15-0x0000000074620000-0x0000000074BCB000-memory.dmp

      Filesize

      5.7MB

    • memory/2644-17-0x0000000000040000-0x0000000000058000-memory.dmp

      Filesize

      96KB
