asyncrat | b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035

Analysis

max time kernel
112s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe
Size

1.3MB
MD5

3a9f8ec832df29647e58993ca0e7c160
SHA1

2ad6a8340261823adb53b066007d4a39eba35ed1
SHA256

b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035
SHA512

c4062c4ee074f53eef3123a5e3d922f87cb87657bef62338339eaec6d6ae57e0322627db0f83751b0b3678a4d230f23a3ee2776897231b9fa9f912c8078de123
SSDEEP

24576:VMjhqBd3X3R+wTqM6FWEn72mHvKgcLJj3gSPWbLK3AtIT2Awyfc7MEYbO:MEBdH3dt6gmHdclj3IK3zT27yEbYa

Score

10^/10

asyncrat venomrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

v1.2.2

Botnet

Default

192.238.134.73:56003

192.238.134.73:56004

192.238.134.73:56005

Mutex

vjggiafzsllukefmlx

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/3124-72-0x0000000001F10000-0x0000000001F22000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3124-72-0x0000000001F10000-0x0000000001F22000-memory.dmp	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp

Executes dropped EXE 2 IoCs

pid	Process
4932	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp
2464	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp

Loads dropped DLL 4 IoCs

pid	Process
4144	regsvr32.exe
3124	regsvr32.exe
2812	regsvr32.exe
1864	regsvr32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2604	powershell.exe
3160	powershell.exe
2604	powershell.exe
3160	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2464	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp
2464	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp
2604	powershell.exe
2604	powershell.exe
3160	powershell.exe
3160	powershell.exe
3124	regsvr32.exe
3124	regsvr32.exe
3124	regsvr32.exe
3124	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeIncreaseQuotaPrivilege	2604	powershell.exe
Token: SeSecurityPrivilege	2604	powershell.exe
Token: SeTakeOwnershipPrivilege	2604	powershell.exe
Token: SeLoadDriverPrivilege	2604	powershell.exe
Token: SeSystemProfilePrivilege	2604	powershell.exe
Token: SeSystemtimePrivilege	2604	powershell.exe
Token: SeProfSingleProcessPrivilege	2604	powershell.exe
Token: SeIncBasePriorityPrivilege	2604	powershell.exe
Token: SeCreatePagefilePrivilege	2604	powershell.exe
Token: SeBackupPrivilege	2604	powershell.exe
Token: SeRestorePrivilege	2604	powershell.exe
Token: SeShutdownPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeSystemEnvironmentPrivilege	2604	powershell.exe
Token: SeRemoteShutdownPrivilege	2604	powershell.exe
Token: SeUndockPrivilege	2604	powershell.exe
Token: SeManageVolumePrivilege	2604	powershell.exe
Token: 33	2604	powershell.exe
Token: 34	2604	powershell.exe
Token: 35	2604	powershell.exe
Token: 36	2604	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeIncreaseQuotaPrivilege	3160	powershell.exe
Token: SeSecurityPrivilege	3160	powershell.exe
Token: SeTakeOwnershipPrivilege	3160	powershell.exe
Token: SeLoadDriverPrivilege	3160	powershell.exe
Token: SeSystemProfilePrivilege	3160	powershell.exe
Token: SeSystemtimePrivilege	3160	powershell.exe
Token: SeProfSingleProcessPrivilege	3160	powershell.exe
Token: SeIncBasePriorityPrivilege	3160	powershell.exe
Token: SeCreatePagefilePrivilege	3160	powershell.exe
Token: SeBackupPrivilege	3160	powershell.exe
Token: SeRestorePrivilege	3160	powershell.exe
Token: SeShutdownPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeSystemEnvironmentPrivilege	3160	powershell.exe
Token: SeRemoteShutdownPrivilege	3160	powershell.exe
Token: SeUndockPrivilege	3160	powershell.exe
Token: SeManageVolumePrivilege	3160	powershell.exe
Token: 33	3160	powershell.exe
Token: 34	3160	powershell.exe
Token: 35	3160	powershell.exe
Token: 36	3160	powershell.exe
Token: SeIncreaseQuotaPrivilege	3160	powershell.exe
Token: SeSecurityPrivilege	3160	powershell.exe
Token: SeTakeOwnershipPrivilege	3160	powershell.exe
Token: SeLoadDriverPrivilege	3160	powershell.exe
Token: SeSystemProfilePrivilege	3160	powershell.exe
Token: SeSystemtimePrivilege	3160	powershell.exe
Token: SeProfSingleProcessPrivilege	3160	powershell.exe
Token: SeIncBasePriorityPrivilege	3160	powershell.exe
Token: SeCreatePagefilePrivilege	3160	powershell.exe
Token: SeBackupPrivilege	3160	powershell.exe
Token: SeRestorePrivilege	3160	powershell.exe
Token: SeShutdownPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeSystemEnvironmentPrivilege	3160	powershell.exe
Token: SeRemoteShutdownPrivilege	3160	powershell.exe
Token: SeUndockPrivilege	3160	powershell.exe
Token: SeManageVolumePrivilege	3160	powershell.exe
Token: 33	3160	powershell.exe
Token: 34	3160	powershell.exe
Token: 35	3160	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2464	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3124	regsvr32.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 4932	868	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe	83
PID 868 wrote to memory of 4932	868	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe	83
PID 868 wrote to memory of 4932	868	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe	83
PID 4932 wrote to memory of 2524	4932	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp	84
PID 4932 wrote to memory of 2524	4932	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp	84
PID 4932 wrote to memory of 2524	4932	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp	84
PID 2524 wrote to memory of 2464	2524	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe	85
PID 2524 wrote to memory of 2464	2524	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe	85
PID 2524 wrote to memory of 2464	2524	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe	85
PID 2464 wrote to memory of 4144	2464	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp	86
PID 2464 wrote to memory of 4144	2464	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp	86
PID 2464 wrote to memory of 4144	2464	b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp	86
PID 4144 wrote to memory of 3124	4144	regsvr32.exe	87
PID 4144 wrote to memory of 3124	4144	regsvr32.exe	87
PID 3124 wrote to memory of 2604	3124	regsvr32.exe	89
PID 3124 wrote to memory of 2604	3124	regsvr32.exe	89
PID 3124 wrote to memory of 3160	3124	regsvr32.exe	93
PID 3124 wrote to memory of 3160	3124	regsvr32.exe	93
PID 3124 wrote to memory of 2812	3124	regsvr32.exe	95
PID 3124 wrote to memory of 2812	3124	regsvr32.exe	95

C:\Users\Admin\AppData\Local\Temp\b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe
"C:\Users\Admin\AppData\Local\Temp\b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:868
- C:\Users\Admin\AppData\Local\Temp\is-9JBKQ.tmp\b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9JBKQ.tmp\b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp" /SL5="$50250,948933,235520,C:\Users\Admin\AppData\Local\Temp\b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe
    "C:\Users\Admin\AppData\Local\Temp\b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Users\Admin\AppData\Local\Temp\is-PT7A1.tmp\b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PT7A1.tmp\b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp" /SL5="$50114,948933,235520,C:\Users\Admin\AppData\Local\Temp\b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:360 C:\Users\Admin\AppData\Roaming\Setup_Stork.dll
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:360 C:\Users\Admin\AppData\Roaming\Setup_Stork.dll
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Stork.dll' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Stork.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{19B1CC52-B4F6-4F8C-8BE1-516C0E83A0CB}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3160
        
        C:\Windows\system32\regsvr32.exe
        
        "regsvr32" /i:360 /s C:\Users\Admin\AppData\Roaming\Setup_Stork.dll
        7⤵
        Loads dropped DLL
        
        PID:2812

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Stork.dll
1⤵
- Loads dropped DLL
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3ffce848af907464c20a20e1b430f78a

SHA1
fbcd91a5c226d474235be920cf49e3344893fc1f

SHA256
25213a6685a6fd21a2aa43c417891703333579ad784f3896976b44bcfcdb009e

SHA512
1adaf6d68441a32b459b6071dcfdae404ab1e37bb0c6511e08d49717f9043679bdd7ca3324be184ece522e6516eedc04203ffccb5f9ea790bd35a84db9b944bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3ddbdfa0308b3b5f9020e05a04a05ae2

SHA1
68c77e310e1fc3a2bebba1d0cae80109a256d826

SHA256
9d8a7594053d532d45cfe62183c1d1b1c5a2356df54752b7f57f836d60d72be3

SHA512
077a0f4b683c88f283b79598309a92a94e2da7173f25484483ff201a586fee7f30c5878974c3bf2195443bff2b5266db8ed055b400a93fd33084355802b4930b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w0r5wbem.25w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9JBKQ.tmp\b3ce538a77c86b1f9840d53e42999b9535ad74d83e4b00e527193c963ddd0035N.tmp

Filesize
1.2MB

MD5
bef5bad133138ce27f0c6e73d5a2e5f9

SHA1
1cfc9e170e100fc23073cdfcf590594e18598314

SHA256
55adc6677700e166913c9f26a213d93244242b17331b4f9a606760117b698b65

SHA512
f8d3d971a58fdc2d7585c61c70c41d0625b2cbda9698f7a26ed009374d9f4986effc9d69dd1579f38f22bd7e7700d714702df663dfcc195c11b6fc2d0b315f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IIN6F.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Roaming\Setup_Stork.dll

Filesize
2.6MB

MD5
be749ce6cea9df27363dd3a47682344b

SHA1
db9680d1fbaa852212a4693d37d64f412c30a1bc

SHA256
8ae29824b1554e170133fe7fae8b9208526f1ab1b70a6299f5befcc0482db095

SHA512
8f423ea8db31aaa723145ba94e00c2c2891ad361ee6e0dc5f8f2fd11f2e7cd72c387157e6d7c759eb9f8b9f227e317775ef71c283687fa8a58779ef70abbbf42

Download Submit
memory/868-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/868-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2464-38-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2464-24-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2524-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2524-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2524-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2604-51-0x000002196E3B0000-0x000002196E3D2000-memory.dmp

Filesize
136KB

Download
memory/3124-71-0x00007FFE71BA0000-0x00007FFE71E2A000-memory.dmp

Filesize
2.5MB

Download
memory/3124-72-0x0000000001F10000-0x0000000001F22000-memory.dmp

Filesize
72KB

Download
memory/4932-19-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/4932-7-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download