asyncrat | 70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc

Analysis

max time kernel
60s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2025, 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
Size

74KB
MD5

9a31ae4cc3085df2a38fb061253c0e50
SHA1

05f6b3dd3bb64977a81f03eee8c9692925872158
SHA256

70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc
SHA512

bbf8dd64ae6ea5f3f04f64f7025dc71a445d5e3fa1f948f3fe1754e509d9288b8e376ff21e3681c82faec87d9b450f30f448613009143f85dc1e0d441d2e87e2
SSDEEP

1536:uUf8cxMcpCn6PMV2e9VdQuDI6H1bf/5Z6QzcqLVclN:uU0cxMmw6PMV2e9VdQsH1bfeQbBY

Score

10^/10

asyncrat nonames rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

nonames

127.0.0.1:4449

127.0.0.1:8848

Mutex

14211353252643673735242343242

Attributes

delay
1
install
true
install_file
12414141.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000c000000024125-12.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe

Executes dropped EXE 1 IoCs

pid	Process
4648	12414141.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3532	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe
4648	12414141.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
Token: SeDebugPrivilege	4648	12414141.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4648	12414141.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 6036 wrote to memory of 2480	6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe	88
PID 6036 wrote to memory of 2480	6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe	88
PID 6036 wrote to memory of 5776	6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe	89
PID 6036 wrote to memory of 5776	6036	70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe	89
PID 5776 wrote to memory of 3532	5776	cmd.exe	93
PID 5776 wrote to memory of 3532	5776	cmd.exe	93
PID 2480 wrote to memory of 3516	2480	cmd.exe	92
PID 2480 wrote to memory of 3516	2480	cmd.exe	92
PID 5776 wrote to memory of 4648	5776	cmd.exe	98
PID 5776 wrote to memory of 4648	5776	cmd.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe
"C:\Users\Admin\AppData\Local\Temp\70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "12414141" /tr '"C:\Users\Admin\AppData\Local\Temp\12414141.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "12414141" /tr '"C:\Users\Admin\AppData\Local\Temp\12414141.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5832.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5776
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3532
- - C:\Users\Admin\AppData\Local\Temp\12414141.exe
    "C:\Users\Admin\AppData\Local\Temp\12414141.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4648

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\12414141.exe

Filesize
74KB

MD5
9a31ae4cc3085df2a38fb061253c0e50

SHA1
05f6b3dd3bb64977a81f03eee8c9692925872158

SHA256
70e0812ded88b5159709e0bde051483af900540c9cc4b4c86e4b9aa749a8b4cc

SHA512
bbf8dd64ae6ea5f3f04f64f7025dc71a445d5e3fa1f948f3fe1754e509d9288b8e376ff21e3681c82faec87d9b450f30f448613009143f85dc1e0d441d2e87e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5832.tmp.bat

Filesize
155B

MD5
cac276686a2c9b04e4cba01698464176

SHA1
ac3553f1f326335ce20e7fc8233a759db9db62b6

SHA256
03db41ac66b85d40be94dfd3cd20d18d4fce553611f7ae28ef59cf837d83ec50

SHA512
975ea88b088dc49d3933f08eca41755ff336f3f0985903e5244fd9c729fcb8239bd5c5e824ff661ca1255028e1b6b6cdc8e90f31e715a65db4778b52d585eded

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/6036-0-0x00007FFB871E3000-0x00007FFB871E5000-memory.dmp

Filesize
8KB

Download
memory/6036-1-0x0000000000180000-0x0000000000198000-memory.dmp

Filesize
96KB

Download
memory/6036-3-0x00007FFB871E0000-0x00007FFB87CA1000-memory.dmp

Filesize
10.8MB

Download
memory/6036-6-0x00007FFB871E0000-0x00007FFB87CA1000-memory.dmp

Filesize
10.8MB

Download
memory/6036-9-0x00007FFB871E0000-0x00007FFB87CA1000-memory.dmp

Filesize
10.8MB

Download