Overview

overview

10

Static

static

3

477f89cc76...96.exe

windows7-x64

10

477f89cc76...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    54s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/03/2025, 19:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe

  • Size

    7.5MB

  • MD5

    947eabafe59955146fdb714a09e74896

  • SHA1

    a229cea1a129676f7b7c3c7bc80a28e9c22268aa

  • SHA256

    477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96

  • SHA512

    814a1ed776ae4dbff873cb61e72cad9b71fd8f813e38b203b7a68f351627685320aadaccfee160d2faa2f2867c492ce2428d0331aebfed6eacdc950b618a1e98

  • SSDEEP

    196608:TOIe9o8SdDSPvb9FLZmFZKPzs+l8By5k4SFn0r:yHm8Sd0FNm+bs2C4yn0r

Score
10/10
asyncratvenom clientsdefense_evasiondiscoveryrattrojan

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

178.117.80.225:3998

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe
    "C:\Users\Admin\AppData\Local\Temp\477f89cc7690210c0e3f3cee9f562708092b3770539367555ecd2b84b2699a96.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller (2).exe
      "C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller (2).exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\Client.exe
    Filesize

    63KB

    MD5

    065916df76a29b60fae9879d48f6a23c

    SHA1

    39955f523f47653e72758e4a504ba2b28f65ae67

    SHA256

    281246ed2415cc6b47bdaa3af0910a7f0fc97a854e4b146a88469b97225bda9b

    SHA512

    dbf17e5ed7cc22b80ccc2626dc33206d207432bc18693e51d7ecf86a93b2a8ebfc25842fecdbe69d1379bc3218f4a0017dd75bb5abc60e244465d37a15abb133

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller (2).exe
    Filesize

    7.4MB

    MD5

    443df84258f3cc21efb5ad185ed2fe4f

    SHA1

    22dc3b0c04ff55dca5a93856a1ff30cea6e5e7e8

    SHA256

    b982252fef5780ca193d07fb2754f721ef7869c2d583a09217b8d3c1e6d2ef49

    SHA512

    1e82a58c1ea297f761d4e1f85f45d16aa91d71bddc9df539c5e19e04f714f19353258337d6640b3c9bc51a77ed4fc2bffd0aa40102ec69eb30b01af859c5a1e0

    Download Submit

  • memory/2744-8-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2744-13-0x0000000000270000-0x0000000000286000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2744-29-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

    Filesize

    4KB

    Download