asyncrat | 49e718675e880dc00de6fff1466604de8df962207861a54c83ff99a070512d31

Analysis

max time kernel
150s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
21/04/2025, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ohiforgot.exe
Size

74KB
MD5

e061a0b37973b6466a192f1d18fd513b
SHA1

f884c6c06ef6109aa737ac9b67c7c11b73294e4a
SHA256

49e718675e880dc00de6fff1466604de8df962207861a54c83ff99a070512d31
SHA512

90dde439124f2db089ce0d0b88da3319d083ff90b84a6f7309a9b19e77873b8ddc37a5621307dc4f910511cbcdc4a85c238024c39ca811c510e76d29086046ae
SSDEEP

1536:2UaUcxoyR1CriPMV8H2sICH1bX/VskQzcaLVclN:2UDcxoyXkiPMV62IH1bXukQLBY

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

127.0.0.1:8848

81.109.5.62:4449

81.109.5.62:8848

Mutex

fxgikqpbfkxg

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x001a00000002b1cf-12.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
5764	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3628	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
564	ohiforgot.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe
5764	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	ohiforgot.exe
Token: SeDebugPrivilege	5764	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5764	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 5248	564	ohiforgot.exe	78
PID 564 wrote to memory of 5248	564	ohiforgot.exe	78
PID 564 wrote to memory of 3980	564	ohiforgot.exe	80
PID 564 wrote to memory of 3980	564	ohiforgot.exe	80
PID 5248 wrote to memory of 5100	5248	cmd.exe	82
PID 5248 wrote to memory of 5100	5248	cmd.exe	82
PID 3980 wrote to memory of 3628	3980	cmd.exe	83
PID 3980 wrote to memory of 3628	3980	cmd.exe	83
PID 3980 wrote to memory of 5764	3980	cmd.exe	84
PID 3980 wrote to memory of 5764	3980	cmd.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ohiforgot.exe
"C:\Users\Admin\AppData\Local\Temp\ohiforgot.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5248
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7BC7.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3628
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:896

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7BC7.tmp.bat

Filesize
151B

MD5
43928b0ad13b99052b7def3b0ea102d0

SHA1
9e65d09cbcafaeea95f7712c1037c7e6ecb341c9

SHA256
edc5767d632113934340551096bc444b62c86a27a6f8bfa20cee63543820d979

SHA512
d66c1ddc75d292954d3406a597166221aa9bfac60585641954ace976ed59984530455e83dcce7109f2580c6d585bffd56adbc93a8ea35ab1b1298567fca009df

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
74KB

MD5
e061a0b37973b6466a192f1d18fd513b

SHA1
f884c6c06ef6109aa737ac9b67c7c11b73294e4a

SHA256
49e718675e880dc00de6fff1466604de8df962207861a54c83ff99a070512d31

SHA512
90dde439124f2db089ce0d0b88da3319d083ff90b84a6f7309a9b19e77873b8ddc37a5621307dc4f910511cbcdc4a85c238024c39ca811c510e76d29086046ae

Download Submit
memory/564-0-0x00007FFB7D6D3000-0x00007FFB7D6D5000-memory.dmp

Filesize
8KB

Download
memory/564-1-0x0000000000050000-0x0000000000068000-memory.dmp

Filesize
96KB

Download
memory/564-3-0x00007FFB7D6D0000-0x00007FFB7E192000-memory.dmp

Filesize
10.8MB

Download
memory/564-4-0x00007FFB7D6D0000-0x00007FFB7E192000-memory.dmp

Filesize
10.8MB

Download
memory/564-9-0x00007FFB7D6D0000-0x00007FFB7E192000-memory.dmp

Filesize
10.8MB

Download
memory/5764-17-0x000000001DED0000-0x000000001DF46000-memory.dmp

Filesize
472KB

Download
memory/5764-18-0x000000001B9A0000-0x000000001B9AE000-memory.dmp

Filesize
56KB

Download
memory/5764-19-0x000000001B9D0000-0x000000001B9EE000-memory.dmp

Filesize
120KB

Download