Overview

overview

10

Static

static

Faktura re...78.exe

windows7_x64

10

Faktura re...78.exe

windows10_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    159s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    25-01-2022 08:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Faktura ref. # IRQ-21-07778.exe

  • Size

    697KB

  • MD5

    d2c4ad3484a598f0848a7947fc45175f

  • SHA1

    2c7807352b5ece76d1e0364acdcfce3bc2cd9b72

  • SHA256

    1b662d7015e25e2eba4e7b535732df5310c28ddd80797c260eebadfed1a1197d

  • SHA512

    366f15e329de3e504cc2a91e17129377b07815f19cd849e30d776eadac0ad3d57f5b8b5182bfc2bd80ba99839903f794649310c21f46c3447662d762b1288b5e

Score
10/10
asyncratdefaultratspywarestealersuricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

89.238.150.43:57095

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    true

  • install_file

    chromeex.exe

  • install_folder

    %Temp%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Async RAT payload 2 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Faktura ref. # IRQ-21-07778.exe
    "C:\Users\Admin\AppData\Local\Temp\Faktura ref. # IRQ-21-07778.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uSbiuPFvZX.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4420
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uSbiuPFvZX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80D4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4304
    • C:\Users\Admin\AppData\Local\Temp\Faktura ref. # IRQ-21-07778.exe
      "C:\Users\Admin\AppData\Local\Temp\Faktura ref. # IRQ-21-07778.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeex" /tr '"C:\Users\Admin\AppData\Local\Temp\chromeex.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:820
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "chromeex" /tr '"C:\Users\Admin\AppData\Local\Temp\chromeex.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:1428
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9E7E.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1060
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1496
        • C:\Users\Admin\AppData\Local\Temp\chromeex.exe
          "C:\Users\Admin\AppData\Local\Temp\chromeex.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uSbiuPFvZX.exe"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2608
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uSbiuPFvZX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp453E.tmp"
            5⤵
            • Creates scheduled task(s)
            PID:1668
          • C:\Users\Admin\AppData\Local\Temp\chromeex.exe
            "C:\Users\Admin\AppData\Local\Temp\chromeex.exe"
            5⤵
            • Executes dropped EXE
            PID:1312
          • C:\Users\Admin\AppData\Local\Temp\chromeex.exe
            "C:\Users\Admin\AppData\Local\Temp\chromeex.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:856
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\iiqsap.exe"' & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4596
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\iiqsap.exe"'
                7⤵
                  PID:4888
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wnfhrq.exe"' & exit
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4472
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wnfhrq.exe"'
                  7⤵
                    PID:968

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Faktura ref. # IRQ-21-07778.exe.log
        MD5

        0c2899d7c6746f42d5bbe088c777f94c

        SHA1

        622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

        SHA256

        5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

        SHA512

        ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        MD5

        1c19c16e21c97ed42d5beabc93391fc5

        SHA1

        8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

        SHA256

        1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

        SHA512

        7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        MD5

        925b53c7bd4fa8024aeefb5f78a4f124

        SHA1

        c1c1f0ce89ba5a33e21c94877cba23d47ae8510f

        SHA256

        1c73837e41ee1c13e613d8b00df835ab4988d95413480a90a576d3935da2b971

        SHA512

        6cb813c7af451fcd6d1f520baadb9d4c7a29ff3ef933ae5c8eea6e6eb19f13706a89f78a0db11dff71743e06ccc07fc19bdcbc7ce2cdecf8e43a66cc492b9a1a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\chromeex.exe
        MD5

        d2c4ad3484a598f0848a7947fc45175f

        SHA1

        2c7807352b5ece76d1e0364acdcfce3bc2cd9b72

        SHA256

        1b662d7015e25e2eba4e7b535732df5310c28ddd80797c260eebadfed1a1197d

        SHA512

        366f15e329de3e504cc2a91e17129377b07815f19cd849e30d776eadac0ad3d57f5b8b5182bfc2bd80ba99839903f794649310c21f46c3447662d762b1288b5e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\chromeex.exe
        MD5

        d2c4ad3484a598f0848a7947fc45175f

        SHA1

        2c7807352b5ece76d1e0364acdcfce3bc2cd9b72

        SHA256

        1b662d7015e25e2eba4e7b535732df5310c28ddd80797c260eebadfed1a1197d

        SHA512

        366f15e329de3e504cc2a91e17129377b07815f19cd849e30d776eadac0ad3d57f5b8b5182bfc2bd80ba99839903f794649310c21f46c3447662d762b1288b5e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\chromeex.exe
        MD5

        d2c4ad3484a598f0848a7947fc45175f

        SHA1

        2c7807352b5ece76d1e0364acdcfce3bc2cd9b72

        SHA256

        1b662d7015e25e2eba4e7b535732df5310c28ddd80797c260eebadfed1a1197d

        SHA512

        366f15e329de3e504cc2a91e17129377b07815f19cd849e30d776eadac0ad3d57f5b8b5182bfc2bd80ba99839903f794649310c21f46c3447662d762b1288b5e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\chromeex.exe
        MD5

        d2c4ad3484a598f0848a7947fc45175f

        SHA1

        2c7807352b5ece76d1e0364acdcfce3bc2cd9b72

        SHA256

        1b662d7015e25e2eba4e7b535732df5310c28ddd80797c260eebadfed1a1197d

        SHA512

        366f15e329de3e504cc2a91e17129377b07815f19cd849e30d776eadac0ad3d57f5b8b5182bfc2bd80ba99839903f794649310c21f46c3447662d762b1288b5e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp453E.tmp
        MD5

        0cefb57387f65bda3ee6d0034cfe569e

        SHA1

        afb981ce16bb7884a4fe7067bab9805124ab495a

        SHA256

        eac6f8c6c3f888ae5dfc9758b28798b92679194eb87a69f284e3bb36627481aa

        SHA512

        de17d68c1d157cbca34db601e55280e6bd167857c3da0f1ae419ae484589a1fa7dc886ec42c0b09eadb195482af52b7d77e6d33df5cd8b85c7ec899eeb79644a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp80D4.tmp
        MD5

        0cefb57387f65bda3ee6d0034cfe569e

        SHA1

        afb981ce16bb7884a4fe7067bab9805124ab495a

        SHA256

        eac6f8c6c3f888ae5dfc9758b28798b92679194eb87a69f284e3bb36627481aa

        SHA512

        de17d68c1d157cbca34db601e55280e6bd167857c3da0f1ae419ae484589a1fa7dc886ec42c0b09eadb195482af52b7d77e6d33df5cd8b85c7ec899eeb79644a

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp9E7E.tmp.bat
        MD5

        c036fe3298879b04e0a0054e51e13df6

        SHA1

        72d4aae9043a37c7d39c5db47548a175a8439fe9

        SHA256

        56a5a1d5d7eba76c91bdac7dc2d34efa8e8b579681f00ca2ed5c60bc4275b9b8

        SHA512

        1880dd365c479eb9b3585e913378e461e9f3cdf0fa0402118e5b53294cfe33fbe7b5b5a3ce754c7974894b48f12b34e8ae40380436caed61f6270267cd0eb0b1

        Download Submit
      • memory/856-605-0x0000000005600000-0x0000000005601000-memory.dmp
        Filesize

        4KB

        Download
      • memory/856-611-0x0000000006F00000-0x0000000006F7E000-memory.dmp
        Filesize

        504KB

        Download
      • memory/856-612-0x0000000007060000-0x000000000707E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/856-613-0x0000000007160000-0x00000000074B0000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/856-614-0x00000000070D0000-0x00000000070DA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/856-615-0x0000000007520000-0x00000000075B0000-memory.dmp
        Filesize

        576KB

        Download
      • memory/856-616-0x00000000076C0000-0x0000000007720000-memory.dmp
        Filesize

        384KB

        Download
      • memory/856-617-0x0000000007720000-0x000000000776B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/856-618-0x0000000007110000-0x0000000007132000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1720-149-0x000000007F020000-0x000000007F021000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1720-148-0x0000000005910000-0x0000000005E0E000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/2608-383-0x0000000008440000-0x000000000848B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/2608-470-0x0000000007153000-0x0000000007154000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2608-384-0x0000000007150000-0x0000000007151000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2608-385-0x0000000007152000-0x0000000007153000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2608-398-0x0000000009960000-0x0000000009A05000-memory.dmp
        Filesize

        660KB

        Download
      • memory/2608-469-0x000000007EB30000-0x000000007EB31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3676-118-0x0000000005690000-0x0000000005691000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3676-121-0x0000000005BD0000-0x0000000005BDE000-memory.dmp
        Filesize

        56KB

        Download
      • memory/3676-122-0x000000007EC20000-0x000000007EC21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3676-123-0x0000000006690000-0x0000000006710000-memory.dmp
        Filesize

        512KB

        Download
      • memory/3676-120-0x0000000005A20000-0x0000000005ABC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/3676-119-0x00000000056E0000-0x00000000056EA000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3676-115-0x0000000000DE0000-0x0000000000E94000-memory.dmp
        Filesize

        720KB

        Download
      • memory/3676-117-0x0000000005780000-0x0000000005812000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3676-116-0x0000000005BE0000-0x00000000060DE000-memory.dmp
        Filesize

        5.0MB

        Download
      • memory/4420-155-0x0000000009820000-0x000000000983E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4420-160-0x0000000009BB0000-0x0000000009C55000-memory.dmp
        Filesize

        660KB

        Download
      • memory/4420-132-0x0000000007910000-0x0000000007F38000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/4420-138-0x00000000078F0000-0x000000000790C000-memory.dmp
        Filesize

        112KB

        Download
      • memory/4420-128-0x00000000072D0000-0x00000000072D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4420-129-0x00000000072D2000-0x00000000072D3000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4420-361-0x0000000009750000-0x0000000009758000-memory.dmp
        Filesize

        32KB

        Download
      • memory/4420-356-0x0000000009760000-0x000000000977A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/4420-163-0x00000000072D3000-0x00000000072D4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4420-162-0x000000007F8E0000-0x000000007F8E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4420-161-0x0000000009D50000-0x0000000009DE4000-memory.dmp
        Filesize

        592KB

        Download
      • memory/4420-133-0x00000000076E0000-0x0000000007702000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4420-126-0x00000000071B0000-0x00000000071E6000-memory.dmp
        Filesize

        216KB

        Download
      • memory/4420-139-0x0000000008050000-0x000000000809B000-memory.dmp
        Filesize

        300KB

        Download
      • memory/4420-154-0x0000000009A80000-0x0000000009AB3000-memory.dmp
        Filesize

        204KB

        Download
      • memory/4420-134-0x0000000007880000-0x00000000078E6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4420-135-0x0000000008220000-0x0000000008286000-memory.dmp
        Filesize

        408KB

        Download
      • memory/4420-136-0x0000000008290000-0x00000000085E0000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4420-141-0x00000000089D0000-0x0000000008A46000-memory.dmp
        Filesize

        472KB

        Download
      • memory/4504-137-0x0000000005250000-0x0000000005251000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4504-130-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download