asyncrat | 6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd

Analysis

max time kernel
2s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe
Size

63KB
MD5

9dd10f9335e7979d2a90b3ab9106d261
SHA1

2633da3549195050d665d0fd3eefd96dcb15470d
SHA256

6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd
SHA512

acc081e163e92f5c06d7185053b85e288639462486c85c718fd619cdce8fd84943735f597165b20045160c078144de88ef6178012f17bf2ebc7c47d5aada6ba8
SSDEEP

1536:OBVb3plA0aTdeKX7QNaoxvGbbnwKbn2BGtkpqKmY7:OBVb3plA0aTRX7QDtGbbnfj22vz

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

127.0.0.1:4449

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
true
install_file
scs2.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000012119-15.dat	family_asyncrat

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1908	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2668	6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe
2668	6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe
2668	6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe
2668	6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe

C:\Users\Admin\AppData\Local\Temp\6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe
"C:\Users\Admin\AppData\Local\Temp\6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "scs2" /tr '"C:\Users\Admin\AppData\Roaming\scs2.exe"' & exit
  2⤵
  PID:2652
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "scs2" /tr '"C:\Users\Admin\AppData\Roaming\scs2.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2548
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.bat""
  2⤵
  PID:2864
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1908
- - C:\Users\Admin\AppData\Roaming\scs2.exe
    "C:\Users\Admin\AppData\Roaming\scs2.exe"
    3⤵
    PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.bat

Filesize
148B

MD5
8c8a27823f0f29e67c3a535552650e3f

SHA1
aad1f6c3642c4cd2e8cf9953543e490159d4fd96

SHA256
47b8568bf9d8aafac592dcea7a107b8aa8bf2ad4f895d6c0da89bd4bacdddeaf

SHA512
ac811cbd747ae000448e5226447b1b94414a0a2db4110389290671ed9af88d23f2905d26d6b4a4ad9c430bb596aedeb156b25d0290130e2c8d7bb9d2e0a45b0c

Download Submit
C:\Users\Admin\AppData\Roaming\scs2.exe

Filesize
63KB

MD5
9dd10f9335e7979d2a90b3ab9106d261

SHA1
2633da3549195050d665d0fd3eefd96dcb15470d

SHA256
6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd

SHA512
acc081e163e92f5c06d7185053b85e288639462486c85c718fd619cdce8fd84943735f597165b20045160c078144de88ef6178012f17bf2ebc7c47d5aada6ba8

Download Submit
memory/2452-17-0x00000000011B0000-0x00000000011C6000-memory.dmp

Filesize
88KB

Download
memory/2668-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/2668-1-0x0000000000240000-0x0000000000256000-memory.dmp

Filesize
88KB

Download
memory/2668-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-13-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/2668-3-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download