Analysis
-
max time kernel
18s -
max time network
16s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
02/03/2025, 15:39
General
-
Target
Client.exe
-
Size
74KB
-
MD5
6005716c654f94bad2172db0d65efa3d
-
SHA1
051a71ece9e4ec3b81297b6450f05097718a140b
-
SHA256
2c3cb37cd289f526e9cdfd9b651a35a7226116cc2f0c40dc8e5da1f27b7e1d19
-
SHA512
95e6d49aa2ef48fd6fc6c1dfba32f3d1965d3f95aa35d1a4315d9a5ea8653ba44e59eb01054f25acbcbb8d3fdc19ab6617bb8154b70ccf6ebda0b808d9b5b7b5
-
SSDEEP
1536:KUngcxe1eHCZWPMVKe9VdQuDI6H1bf/LTxI/NQzcGLVclN:KUgcxe1ayWPMVKe9VdQsH1bfDTxYQfBY
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
10.9.100.158:50342
Adcf74scdf29aSsD7cf
-
delay
1
-
install
true
-
install_file
svchost.exe
-
install_folder
%Temp%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client.exe"C:\Users\Admin\AppData\Local\Temp\Client.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF02C.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD56005716c654f94bad2172db0d65efa3d
SHA1051a71ece9e4ec3b81297b6450f05097718a140b
SHA2562c3cb37cd289f526e9cdfd9b651a35a7226116cc2f0c40dc8e5da1f27b7e1d19
SHA51295e6d49aa2ef48fd6fc6c1dfba32f3d1965d3f95aa35d1a4315d9a5ea8653ba44e59eb01054f25acbcbb8d3fdc19ab6617bb8154b70ccf6ebda0b808d9b5b7b5
-
Filesize
154B
MD5a808942db384867b28edba5b2fd47c34
SHA1d06b3b3f6276bc268e73f28e78269a1a31a130ee
SHA2569290120e4a9a43c3c79f71a39f1df1e1e6c4419101b38351913c9844a7a0b1c4
SHA512817047cadec095b9da52e5122a7a558cd3983b2cbaae7b71044f2f50bed29c6f3d87a8d861b4304dd88cfb952997af292ddb675a75730aeb08c2dd234e6a2bf0
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
8KB
-
Filesize
96KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB