asyncrat | 51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a

Resubmissions

13-01-2025 00:06

250113-ad4cjaylhr 10

12-01-2025 12:30

250112-ppfsyaskhx 10

12-01-2025 09:47

250112-lr9bgszler 10

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-01-2025 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe
Size

1.3MB
MD5

4c71ccf76dccb2c58a85f67cf2fc6206
SHA1

42436168ecfa82313617b91cebf489a11e28f29a
SHA256

51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a
SHA512

24be3ac224544c2a38466604fb285155b1fddc811ee304ac5bfa46abadb925eba44d156c84f94a95b7e95cf28491405f748278ba287b531e24241a07a1cdc752
SSDEEP

24576:VMjhqBd3X3R+wTqM6FWEn72mHvKgcLJj3gSPWbLK3AtIT2Awyfc7MEYb6:MEBdH3dt6gmHdclj3IK3zT27yEbYe

Score

10^/10

asyncrat venomrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

v1.2.2

Botnet

Default

192.238.134.73:56003

192.238.134.73:56004

192.238.134.73:56005

Mutex

vjggiafzsllukefmlx

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/memory/3036-67-0x0000000000220000-0x0000000000232000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/3036-67-0x0000000000220000-0x0000000000232000-memory.dmp	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
2920	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp
3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp

Loads dropped DLL 8 IoCs

pid	Process
2416	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe
2920	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp
2920	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp
2052	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe
3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp
3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp
2744	regsvr32.exe
3036	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe
2664	powershell.exe
2820	powershell.exe
2664	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp
3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp
2820	powershell.exe
2664	powershell.exe
3036	regsvr32.exe
3036	regsvr32.exe
3036	regsvr32.exe
3036	regsvr32.exe
3036	regsvr32.exe
3036	regsvr32.exe
3036	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	3036	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3036	regsvr32.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2920	2416	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	28
PID 2416 wrote to memory of 2920	2416	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	28
PID 2416 wrote to memory of 2920	2416	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	28
PID 2416 wrote to memory of 2920	2416	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	28
PID 2416 wrote to memory of 2920	2416	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	28
PID 2416 wrote to memory of 2920	2416	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	28
PID 2416 wrote to memory of 2920	2416	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	28
PID 2920 wrote to memory of 2052	2920	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	29
PID 2920 wrote to memory of 2052	2920	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	29
PID 2920 wrote to memory of 2052	2920	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	29
PID 2920 wrote to memory of 2052	2920	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	29
PID 2920 wrote to memory of 2052	2920	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	29
PID 2920 wrote to memory of 2052	2920	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	29
PID 2920 wrote to memory of 2052	2920	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	29
PID 2052 wrote to memory of 3048	2052	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	30
PID 2052 wrote to memory of 3048	2052	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	30
PID 2052 wrote to memory of 3048	2052	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	30
PID 2052 wrote to memory of 3048	2052	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	30
PID 2052 wrote to memory of 3048	2052	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	30
PID 2052 wrote to memory of 3048	2052	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	30
PID 2052 wrote to memory of 3048	2052	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe	30
PID 3048 wrote to memory of 2744	3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	31
PID 3048 wrote to memory of 2744	3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	31
PID 3048 wrote to memory of 2744	3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	31
PID 3048 wrote to memory of 2744	3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	31
PID 3048 wrote to memory of 2744	3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	31
PID 3048 wrote to memory of 2744	3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	31
PID 3048 wrote to memory of 2744	3048	51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp	31
PID 2744 wrote to memory of 3036	2744	regsvr32.exe	32
PID 2744 wrote to memory of 3036	2744	regsvr32.exe	32
PID 2744 wrote to memory of 3036	2744	regsvr32.exe	32
PID 2744 wrote to memory of 3036	2744	regsvr32.exe	32
PID 2744 wrote to memory of 3036	2744	regsvr32.exe	32
PID 2744 wrote to memory of 3036	2744	regsvr32.exe	32
PID 2744 wrote to memory of 3036	2744	regsvr32.exe	32
PID 3036 wrote to memory of 2820	3036	regsvr32.exe	33
PID 3036 wrote to memory of 2820	3036	regsvr32.exe	33
PID 3036 wrote to memory of 2820	3036	regsvr32.exe	33
PID 3036 wrote to memory of 2664	3036	regsvr32.exe	35
PID 3036 wrote to memory of 2664	3036	regsvr32.exe	35
PID 3036 wrote to memory of 2664	3036	regsvr32.exe	35

C:\Users\Admin\AppData\Local\Temp\51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe
"C:\Users\Admin\AppData\Local\Temp\51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\is-EOA3L.tmp\51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EOA3L.tmp\51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp" /SL5="$400EE,948933,235520,C:\Users\Admin\AppData\Local\Temp\51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe
    "C:\Users\Admin\AppData\Local\Temp\51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\is-HMDOR.tmp\51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HMDOR.tmp\51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp" /SL5="$500EE,948933,235520,C:\Users\Admin\AppData\Local\Temp\51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:360 C:\Users\Admin\AppData\Roaming\Setup_Stork.dll
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\system32\regsvr32.exe
        
        /s /i:360 C:\Users\Admin\AppData\Roaming\Setup_Stork.dll
        6⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Stork.dll' }) { exit 0 } else { exit 1 }"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:360 C:\Users\Admin\AppData\Roaming\Setup_Stork.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C668328E-49D6-476D-EDF3-5C5E48C389F4}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d01ba1bedf87191368c479f4d066e615

SHA1
991caf957955ec6e3d7a8ce827da8a635ddfbe5a

SHA256
2e54bbb01c19fbf9f7329f04da6be6074cdbf04a5c901bf0ceabbe3b4bceae38

SHA512
d7e244ff67f809f3f44c8f26d0fb50dc8813b606e03e03561238c0019bbcfb0e4c606767b2df0cf40db83069a21d63fcd6456dc24b5dd3ce7f16ebebe7bbee97

Download Submit
C:\Users\Admin\AppData\Roaming\Setup_Stork.dll

Filesize
2.6MB

MD5
be749ce6cea9df27363dd3a47682344b

SHA1
db9680d1fbaa852212a4693d37d64f412c30a1bc

SHA256
8ae29824b1554e170133fe7fae8b9208526f1ab1b70a6299f5befcc0482db095

SHA512
8f423ea8db31aaa723145ba94e00c2c2891ad361ee6e0dc5f8f2fd11f2e7cd72c387157e6d7c759eb9f8b9f227e317775ef71c283687fa8a58779ef70abbbf42

Download Submit
\Users\Admin\AppData\Local\Temp\is-EOA3L.tmp\51c0cfc7539dc3bb883969d384a7389373a144f65ce6d1b5ec39bff2f616510a.tmp

Filesize
1.2MB

MD5
bef5bad133138ce27f0c6e73d5a2e5f9

SHA1
1cfc9e170e100fc23073cdfcf590594e18598314

SHA256
55adc6677700e166913c9f26a213d93244242b17331b4f9a606760117b698b65

SHA512
f8d3d971a58fdc2d7585c61c70c41d0625b2cbda9698f7a26ed009374d9f4986effc9d69dd1579f38f22bd7e7700d714702df663dfcc195c11b6fc2d0b315f2d

Download Submit
\Users\Admin\AppData\Local\Temp\is-TNSG2.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/2052-23-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2052-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2052-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/2416-20-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2416-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2664-62-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/2664-61-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2820-53-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2820-54-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2920-14-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/2920-18-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/3036-66-0x000007FEF6270000-0x000007FEF64FA000-memory.dmp

Filesize
2.5MB

Download
memory/3036-67-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/3048-43-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download