asyncrat | 50a1656f6cca2b5a9810f6a70352cf56d5ab156e80752a68f49e968460a634b1

Analysis

max time kernel
91s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
08/03/2025, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1337.exe
Size

24.3MB
MD5

124d9ebd081fe16de958304349b59316
SHA1

e2770e0cd44041e9ce91e77da2c7f56d04654ef3
SHA256

50a1656f6cca2b5a9810f6a70352cf56d5ab156e80752a68f49e968460a634b1
SHA512

49fcf668108b7b472bdec5261125c14e3e24251eb6b906b3bca4bf87a6333e7c1e6aec62c40a11ab975c5e4d3c750ca55cf5ef093a8f5ce7aaa70b477ab9ea9e
SSDEEP

393216:QvKOA+h/KlqTs0jCaQBdzqLx0HQkGN3zFlfje6f4gXBNobFF6V44uS4SbO:Qi5+h/Kl3MVy9GxGGNjbP4g3oMV4E41

Score

10^/10

asyncrat venomrat inc defense_evasion rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

INC

Mutex

lwosqqqkziedfsbxxgh

Attributes

c2_url_file
https://paste.ee/r/SvRLFmbW/0
delay
1
install
true
install_file
System.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/files/0x000b000000023c4f-25.dat	VenomRAT
behavioral2/memory/3192-35-0x0000000000CE0000-0x0000000000CF8000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000b000000023c4f-25.dat	family_asyncrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
28	1528	MinuteRise.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	1337.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	bodrumblock.exe

Executes dropped EXE 4 IoCs

pid	Process
1528	MinuteRise.exe
3192	bodrumblock.exe
5020	System.exe
3168	VanCat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
28	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
61	api.ipify.org

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1528	MinuteRise.exe
1528	MinuteRise.exe
3168	VanCat.exe
3168	VanCat.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\VanCat.exe	MinuteRise.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2484	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4784	powershell.exe
4784	powershell.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
3192	bodrumblock.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
5020	System.exe
5020	System.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
3168	VanCat.exe
3168	VanCat.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
3168	VanCat.exe
3168	VanCat.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe
1528	MinuteRise.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	3192	bodrumblock.exe
Token: SeDebugPrivilege	5020	System.exe
Token: SeIncreaseQuotaPrivilege	2336	WMIC.exe
Token: SeSecurityPrivilege	2336	WMIC.exe
Token: SeTakeOwnershipPrivilege	2336	WMIC.exe
Token: SeLoadDriverPrivilege	2336	WMIC.exe
Token: SeSystemProfilePrivilege	2336	WMIC.exe
Token: SeSystemtimePrivilege	2336	WMIC.exe
Token: SeProfSingleProcessPrivilege	2336	WMIC.exe
Token: SeIncBasePriorityPrivilege	2336	WMIC.exe
Token: SeCreatePagefilePrivilege	2336	WMIC.exe
Token: SeBackupPrivilege	2336	WMIC.exe
Token: SeRestorePrivilege	2336	WMIC.exe
Token: SeShutdownPrivilege	2336	WMIC.exe
Token: SeDebugPrivilege	2336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2336	WMIC.exe
Token: SeRemoteShutdownPrivilege	2336	WMIC.exe
Token: SeUndockPrivilege	2336	WMIC.exe
Token: SeManageVolumePrivilege	2336	WMIC.exe
Token: 33	2336	WMIC.exe
Token: 34	2336	WMIC.exe
Token: 35	2336	WMIC.exe
Token: 36	2336	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2336	WMIC.exe
Token: SeSecurityPrivilege	2336	WMIC.exe
Token: SeTakeOwnershipPrivilege	2336	WMIC.exe
Token: SeLoadDriverPrivilege	2336	WMIC.exe
Token: SeSystemProfilePrivilege	2336	WMIC.exe
Token: SeSystemtimePrivilege	2336	WMIC.exe
Token: SeProfSingleProcessPrivilege	2336	WMIC.exe
Token: SeIncBasePriorityPrivilege	2336	WMIC.exe
Token: SeCreatePagefilePrivilege	2336	WMIC.exe
Token: SeBackupPrivilege	2336	WMIC.exe
Token: SeRestorePrivilege	2336	WMIC.exe
Token: SeShutdownPrivilege	2336	WMIC.exe
Token: SeDebugPrivilege	2336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2336	WMIC.exe
Token: SeRemoteShutdownPrivilege	2336	WMIC.exe
Token: SeUndockPrivilege	2336	WMIC.exe
Token: SeManageVolumePrivilege	2336	WMIC.exe
Token: 33	2336	WMIC.exe
Token: 34	2336	WMIC.exe
Token: 35	2336	WMIC.exe
Token: 36	2336	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5020	System.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 4784	1736	1337.exe	86
PID 1736 wrote to memory of 4784	1736	1337.exe	86
PID 1736 wrote to memory of 1528	1736	1337.exe	88
PID 1736 wrote to memory of 1528	1736	1337.exe	88
PID 1736 wrote to memory of 3192	1736	1337.exe	90
PID 1736 wrote to memory of 3192	1736	1337.exe	90
PID 3192 wrote to memory of 1984	3192	bodrumblock.exe	91
PID 3192 wrote to memory of 1984	3192	bodrumblock.exe	91
PID 3192 wrote to memory of 1596	3192	bodrumblock.exe	92
PID 3192 wrote to memory of 1596	3192	bodrumblock.exe	92
PID 1596 wrote to memory of 2484	1596	cmd.exe	96
PID 1596 wrote to memory of 2484	1596	cmd.exe	96
PID 1984 wrote to memory of 4768	1984	cmd.exe	95
PID 1984 wrote to memory of 4768	1984	cmd.exe	95
PID 1596 wrote to memory of 5020	1596	cmd.exe	102
PID 1596 wrote to memory of 5020	1596	cmd.exe	102
PID 1528 wrote to memory of 3168	1528	MinuteRise.exe	104
PID 1528 wrote to memory of 3168	1528	MinuteRise.exe	104
PID 1528 wrote to memory of 3140	1528	MinuteRise.exe	107
PID 1528 wrote to memory of 3140	1528	MinuteRise.exe	107
PID 1528 wrote to memory of 4400	1528	MinuteRise.exe	108
PID 1528 wrote to memory of 4400	1528	MinuteRise.exe	108
PID 1528 wrote to memory of 1056	1528	MinuteRise.exe	110
PID 1528 wrote to memory of 1056	1528	MinuteRise.exe	110
PID 1056 wrote to memory of 4212	1056	cmd.exe	111
PID 1056 wrote to memory of 4212	1056	cmd.exe	111
PID 1056 wrote to memory of 232	1056	cmd.exe	112
PID 1056 wrote to memory of 232	1056	cmd.exe	112
PID 1056 wrote to memory of 4084	1056	cmd.exe	113
PID 1056 wrote to memory of 4084	1056	cmd.exe	113
PID 3168 wrote to memory of 2512	3168	VanCat.exe	114
PID 3168 wrote to memory of 2512	3168	VanCat.exe	114
PID 2512 wrote to memory of 2336	2512	cmd.exe	115
PID 2512 wrote to memory of 2336	2512	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1337.exe
"C:\Users\Admin\AppData\Local\Temp\1337.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbAB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAawB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAZABjACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAdgBhACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Users\Admin\AppData\Roaming\MinuteRise.exe
  "C:\Users\Admin\AppData\Roaming\MinuteRise.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Program Files\VanCat.exe
    "C:\Program Files\VanCat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic CPU get ProcessorId
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic CPU get ProcessorId
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 0F
    3⤵
    PID:3140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Roaming\MinuteRise.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Roaming\MinuteRise.exe" MD5
      4⤵
      PID:4212
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:232
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:4084
- C:\Users\Admin\AppData\Roaming\bodrumblock.exe
  "C:\Users\Admin\AppData\Roaming\bodrumblock.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2484
  - - C:\Users\Admin\AppData\Roaming\System.exe
      "C:\Users\Admin\AppData\Roaming\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\VanCat.exe

Filesize
23.8MB

MD5
a0b04a462f047852099c2fd10aa1032e

SHA1
2521136f9f4090f7bf5502a1a1e09019f5f18687

SHA256
efa95e1479ced3a397afee667954fa2018bff56b12f5f5115cad04c542247bb4

SHA512
1d745b77db3be428be53410a85a5a127588ad0c55164080def0cb27b3c38da348bbd6c21acb3482820e452524306cf2e3d00cfb9d10929c00bf7e9fb1fb7dd60

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lgvcnqrn.qzk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCCA6.tmp.bat

Filesize
150B

MD5
3a0c9b7bdcafafd1f8440a7a7bda4f17

SHA1
98818f3e5a98eb8779da0892a22ef99c36f5ad79

SHA256
3875c3a7be4bd9378093233b9d58adccadd0cae24515cc637371b940c9c81d7f

SHA512
2b0506ed5b6ccab3331c8ba0bbec7fac86700039fd3229dd8cf2da7c88e6ae2ceef032cb357efbd62fd331391295f7090800a9b0732e07500e3db99b972de9a5

Download Submit
C:\Users\Admin\AppData\Roaming\MinuteRise.exe

Filesize
24.2MB

MD5
ecae486dc6bd0a98d2ddcafb1f31234b

SHA1
9946585e084aa83595224ffdbb6309652688e83c

SHA256
b374f8110f763d82d7c9c810fb56143b368cdc653015fa8476371dafff5f5cc5

SHA512
4b5cd0f97d087dc4c28633ba02fa2d70d003773de98bbe9a58a2b4e62a14b99231f31ab51a59e7030d7f39857538303fafa6fc8953810c3837ffe02c51c8e407

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\bodrumblock.exe

Filesize
74KB

MD5
e830512d5396d46e4096ee5e77000346

SHA1
5166598d44af9a175df751f8b05fa03ac75eb564

SHA256
3a801e25820e80e07bc406d3e2a4758c27e8914fff70163923b802531d59a894

SHA512
c145ed988a0eae611f848cb546fce5a10d8e75afb020c58c0381142b9a76c7d54f1d38652a4838886567397a8d60e35789cef707a86d6c1d19da0c6337150e9e

Download Submit
C:\Windows\Temp\77bb3990xd8cf.txt

Filesize
25B

MD5
0df8a94468f33ea8384ca17dac9ea3bd

SHA1
40d1c1e280cba51d7391b0a1d8e453c340fef739

SHA256
7488c3a61581b0d47c426005ce0f390e26b8367afd46deb8fe9be4b7c3781a83

SHA512
2bef715c372206273f492e8df5f076f8088f75182dadb1118616f8c60e0474af6205a786fdac16297fd7ec716a87203ff5f38377bd094b05721536364d64fbdd

Download Submit
memory/1528-47-0x0000000140000000-0x00000001427BB000-memory.dmp

Filesize
39.7MB

Download
memory/1528-46-0x00007FFD17140000-0x00007FFD17142000-memory.dmp

Filesize
8KB

Download
memory/1528-45-0x00007FFD17130000-0x00007FFD17132000-memory.dmp

Filesize
8KB

Download
memory/1736-34-0x00007FFCF8A60000-0x00007FFCF9521000-memory.dmp

Filesize
10.8MB

Download
memory/1736-1-0x0000000000CE0000-0x0000000002538000-memory.dmp

Filesize
24.3MB

Download
memory/1736-0-0x00007FFCF8A63000-0x00007FFCF8A65000-memory.dmp

Filesize
8KB

Download
memory/1736-2-0x00007FFCF8A60000-0x00007FFCF9521000-memory.dmp

Filesize
10.8MB

Download
memory/3168-75-0x00007FFD17130000-0x00007FFD17132000-memory.dmp

Filesize
8KB

Download
memory/3168-76-0x00007FFD17140000-0x00007FFD17142000-memory.dmp

Filesize
8KB

Download
memory/3168-77-0x0000000140000000-0x0000000142634000-memory.dmp

Filesize
38.2MB

Download
memory/3192-35-0x0000000000CE0000-0x0000000000CF8000-memory.dmp

Filesize
96KB

Download
memory/4784-39-0x00007FFCF8A60000-0x00007FFCF9521000-memory.dmp

Filesize
10.8MB

Download
memory/4784-9-0x0000021EF8040000-0x0000021EF8062000-memory.dmp

Filesize
136KB

Download
memory/4784-3-0x00007FFCF8A60000-0x00007FFCF9521000-memory.dmp

Filesize
10.8MB

Download