asyncrat | eb4dde3a53673d0bb16c5d4c80cd8a17128976badd6ff2aa5010364c42e1091f

Analysis

max time kernel
70s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

706KB
MD5

cea36ea3da046afb6dec951b751bee61
SHA1

a27bcfa338e14b3d57b8756a1c46a9ff6db3981d
SHA256

eb4dde3a53673d0bb16c5d4c80cd8a17128976badd6ff2aa5010364c42e1091f
SHA512

a4b31771f96f1452d3876ec42296a248897c7b0bc641e392ab4a3fd89c1c0549bebeeb13bf07238ff74665ef27fb5afab69b51bc95c8e3904c8d855a2fcf7946
SSDEEP

12288:Le0Lq+QD96jt6dFlCQcxBc1Jp7psZ1TN3Br8OQpE3G5WkFJsUP8H7m:q0LhQPQvoKZa

Score

10^/10

asyncrat venomrat test1 discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Test1

147.185.221.18:62592

Mutex

testing1

Attributes

delay
3
install
true
install_file
1.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/1884-6-0x0000000000400000-0x0000000000418000-memory.dmp	VenomRAT

Venomrat family
venomrat

Executes dropped EXE 2 IoCs

pid	Process
4720	1.exe
4608	1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\666999666 = "C:\\Users\\Public\\Documents\\1.exe"	1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4092 set thread context of 1884	4092	1.exe	99
PID 4720 set thread context of 4608	4720	1.exe	104

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4968	1884	WerFault.exe	99
3232	4608	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe
4092	1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	1.exe
Token: SeDebugPrivilege	4720	1.exe
Token: SeDebugPrivilege	1884	1.exe
Token: SeIncreaseQuotaPrivilege	1884	1.exe
Token: SeSecurityPrivilege	1884	1.exe
Token: SeTakeOwnershipPrivilege	1884	1.exe
Token: SeLoadDriverPrivilege	1884	1.exe
Token: SeSystemProfilePrivilege	1884	1.exe
Token: SeSystemtimePrivilege	1884	1.exe
Token: SeProfSingleProcessPrivilege	1884	1.exe
Token: SeIncBasePriorityPrivilege	1884	1.exe
Token: SeCreatePagefilePrivilege	1884	1.exe
Token: SeBackupPrivilege	1884	1.exe
Token: SeRestorePrivilege	1884	1.exe
Token: SeShutdownPrivilege	1884	1.exe
Token: SeDebugPrivilege	1884	1.exe
Token: SeSystemEnvironmentPrivilege	1884	1.exe
Token: SeRemoteShutdownPrivilege	1884	1.exe
Token: SeUndockPrivilege	1884	1.exe
Token: SeManageVolumePrivilege	1884	1.exe
Token: 33	1884	1.exe
Token: 34	1884	1.exe
Token: 35	1884	1.exe
Token: 36	1884	1.exe
Token: SeIncreaseQuotaPrivilege	1884	1.exe
Token: SeSecurityPrivilege	1884	1.exe
Token: SeTakeOwnershipPrivilege	1884	1.exe
Token: SeLoadDriverPrivilege	1884	1.exe
Token: SeSystemProfilePrivilege	1884	1.exe
Token: SeSystemtimePrivilege	1884	1.exe
Token: SeProfSingleProcessPrivilege	1884	1.exe
Token: SeIncBasePriorityPrivilege	1884	1.exe
Token: SeCreatePagefilePrivilege	1884	1.exe
Token: SeBackupPrivilege	1884	1.exe
Token: SeRestorePrivilege	1884	1.exe
Token: SeShutdownPrivilege	1884	1.exe
Token: SeDebugPrivilege	1884	1.exe
Token: SeSystemEnvironmentPrivilege	1884	1.exe
Token: SeRemoteShutdownPrivilege	1884	1.exe
Token: SeUndockPrivilege	1884	1.exe
Token: SeManageVolumePrivilege	1884	1.exe
Token: 33	1884	1.exe
Token: 34	1884	1.exe
Token: 35	1884	1.exe
Token: 36	1884	1.exe
Token: SeDebugPrivilege	4608	1.exe
Token: SeIncreaseQuotaPrivilege	4608	1.exe
Token: SeSecurityPrivilege	4608	1.exe
Token: SeTakeOwnershipPrivilege	4608	1.exe
Token: SeLoadDriverPrivilege	4608	1.exe
Token: SeSystemProfilePrivilege	4608	1.exe
Token: SeSystemtimePrivilege	4608	1.exe
Token: SeProfSingleProcessPrivilege	4608	1.exe
Token: SeIncBasePriorityPrivilege	4608	1.exe
Token: SeCreatePagefilePrivilege	4608	1.exe
Token: SeBackupPrivilege	4608	1.exe
Token: SeRestorePrivilege	4608	1.exe
Token: SeShutdownPrivilege	4608	1.exe
Token: SeDebugPrivilege	4608	1.exe
Token: SeSystemEnvironmentPrivilege	4608	1.exe
Token: SeRemoteShutdownPrivilege	4608	1.exe
Token: SeUndockPrivilege	4608	1.exe
Token: SeManageVolumePrivilege	4608	1.exe
Token: 33	4608	1.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1884	4092	1.exe	99
PID 4092 wrote to memory of 1884	4092	1.exe	99
PID 4092 wrote to memory of 1884	4092	1.exe	99
PID 4092 wrote to memory of 1884	4092	1.exe	99
PID 4092 wrote to memory of 1884	4092	1.exe	99
PID 4092 wrote to memory of 1884	4092	1.exe	99
PID 4092 wrote to memory of 1884	4092	1.exe	99
PID 4092 wrote to memory of 1884	4092	1.exe	99
PID 1496 wrote to memory of 4720	1496	cmd.exe	100
PID 1496 wrote to memory of 4720	1496	cmd.exe	100
PID 1496 wrote to memory of 4720	1496	cmd.exe	100
PID 4720 wrote to memory of 4608	4720	1.exe	104
PID 4720 wrote to memory of 4608	4720	1.exe	104
PID 4720 wrote to memory of 4608	4720	1.exe	104
PID 4720 wrote to memory of 4608	4720	1.exe	104
PID 4720 wrote to memory of 4608	4720	1.exe	104
PID 4720 wrote to memory of 4608	4720	1.exe	104
PID 4720 wrote to memory of 4608	4720	1.exe	104
PID 4720 wrote to memory of 4608	4720	1.exe	104

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1312
    3⤵
    - Program crash
    PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Public\Documents\1.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Public\Documents\1.exe
  C:\Users\Public\Documents\1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Users\Public\Documents\1.exe
    "C:\Users\Public\Documents\1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 1324
      4⤵
      Program crash
      PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1884 -ip 1884
1⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4608 -ip 4608
1⤵
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1.exe.log

Filesize
517B

MD5
4d737622dcf53d4cf89810ec284fdf89

SHA1
a71b0c3ac6b940047ca7730465c1f97342c8ca08

SHA256
7d5529c9d51a138cea4ae46faa32497ccf1e55d6bd5aa43f746d413ce80fa1cb

SHA512
acf53d9d2ffe5e3dd34760e3c8e138229ee9805387ddf0765266ee882268cf64f84fb4a1b79aee3f90b88b50f1a1bbf10c9ba7a1013496059b46f3abe9c859c6

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Public\Documents\1.exe

Filesize
706KB

MD5
cea36ea3da046afb6dec951b751bee61

SHA1
a27bcfa338e14b3d57b8756a1c46a9ff6db3981d

SHA256
eb4dde3a53673d0bb16c5d4c80cd8a17128976badd6ff2aa5010364c42e1091f

SHA512
a4b31771f96f1452d3876ec42296a248897c7b0bc641e392ab4a3fd89c1c0549bebeeb13bf07238ff74665ef27fb5afab69b51bc95c8e3904c8d855a2fcf7946

Download Submit
memory/1884-17-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/1884-18-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/1884-6-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1884-14-0x00000000054E0000-0x0000000005A84000-memory.dmp

Filesize
5.6MB

Download
memory/1884-9-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4092-10-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4092-2-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/4092-3-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4092-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

Filesize
4KB

Download
memory/4092-4-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

Filesize
4KB

Download
memory/4092-1-0x0000000000ED0000-0x0000000000F86000-memory.dmp

Filesize
728KB

Download
memory/4720-16-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4720-19-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4720-20-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/4720-23-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download