Overview

overview

10

Static

static

Re-2181718.exe

windows7_x64

10

Re-2181718.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    30-06-2022 12:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Re-2181718.exe

  • Size

    172KB

  • MD5

    be2d1ca01da2a323960e94dcae0d4696

  • SHA1

    a0a404c6ef2dcb77f65ddf072402eeeecdd1dc2e

  • SHA256

    f1ff4fbaa6991440428ea8b228268b6ba82595aa8cdbcf2e7bb8a69835753b31

  • SHA512

    883cb35116de50ee923fb5101aa1a6b3dea61897d96a73a51e1bc351dc7181f116dc1e290bf86946300b8998f53e106a064b73e1ebf3f503e1e5e65e2a5ed27c

Score
10/10
asyncratblustealerdefaultpersistenceratspywarestealersuricata

Malware Config

Extracted

Family

blustealer

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.ru
  • Port:
    587
  • Username:
    t.liaen@yandex.com
  • Password:
    @vZe#$#28990

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1111

62.197.136.167:6606

62.197.136.167:7707

62.197.136.167:8808

62.197.136.167:1111
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Re-2181718.exe
    "C:\Users\Admin\AppData\Local\Temp\Re-2181718.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:524
    • C:\Users\Admin\AppData\Local\Temp\Jcsbrafiyvpxtqostory5m.exe
      "C:\Users\Admin\AppData\Local\Temp\Jcsbrafiyvpxtqostory5m.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3120
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3656
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1692
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:4768
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
          PID:3988
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          2⤵
            PID:4000
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            2⤵
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3324
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
              3⤵
                PID:3836

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Credentials in Files

          1
          T1081

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            1KB

            MD5

            4280e36a29fa31c01e4d8b2ba726a0d8

            SHA1

            c485c2c9ce0a99747b18d899b71dfa9a64dabe32

            SHA256

            e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

            SHA512

            494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
            Filesize

            53KB

            MD5

            3337d66209faa998d52d781d0ff2d804

            SHA1

            6594b85a70f998f79f43cdf1ca56137997534156

            SHA256

            9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

            SHA512

            8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            15KB

            MD5

            255f2c6efa484bd1bf9e35de1a0f0a3f

            SHA1

            7adf1c0a00095e9c9606f0dc14508851128c4c0f

            SHA256

            79cf2a8006d9e45ce918f70ce02733f3ae757416098435027f094a8635627508

            SHA512

            3a1b1ed99c8eb55453eed8ea02bf3a9971b6f303eff89987f07d26d474649cefb1417463be05523cb7598a1f63e0ce744455a32f4accd591b51837676cab971d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Jcsbrafiyvpxtqostory5m.exe
            Filesize

            172KB

            MD5

            982f97ccf89f9d50dbc5d152c7139a50

            SHA1

            0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

            SHA256

            f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

            SHA512

            c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Jcsbrafiyvpxtqostory5m.exe
            Filesize

            172KB

            MD5

            982f97ccf89f9d50dbc5d152c7139a50

            SHA1

            0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

            SHA256

            f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

            SHA512

            c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Tupbtqbro\Aeigqqh.exe
            Filesize

            172KB

            MD5

            982f97ccf89f9d50dbc5d152c7139a50

            SHA1

            0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

            SHA256

            f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

            SHA512

            c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

            Download Submit
          • C:\Users\Public\3037384246424646303030333036443242464246463030303330\SQLite3_StdCall.dll
            Filesize

            59KB

            MD5

            d77b227a28a78627c2323cac75948390

            SHA1

            e228c3951f2a9fd0febfe07390633ab4f35727f4

            SHA256

            527ec201dcd7695bd9830eb82ab35a3986121de9ea156193834aed9d79223b82

            SHA512

            5627fbc8bbb98f644e21f101a68f0e0b07b87c264d00ea227286bed8ab6dd4ebf5114f03b632604f775ff93666a409a1a179a81ebfc9246956ba8150ff5b0587

            Download Submit
          • C:\Users\Public\3037384246424646303030333036443242464246463030303330\sqlite3.dll
            Filesize

            585KB

            MD5

            5405413fff79b8d9c747aa900f60f082

            SHA1

            71caf8907ddd9a3a25d71356bd2ce09bd293bd78

            SHA256

            3e5a28ffde07ac661c26b6ccf94e64c1c90b1f25b3b24c90605aa922b87642eb

            SHA512

            2f09a30fc4da5166bd665210fefa1d44ce344f0ec6a37f127d677aeb3ca4fc0d09b7c9c1540f57da1e3449b7f588a1c61115395e965fa153d4baa5033266ed66

            Download Submit
          • memory/524-145-0x0000000000000000-mapping.dmp
            Download
          • memory/1692-173-0x0000000000000000-mapping.dmp
            Download
          • memory/1692-174-0x0000000000400000-0x0000000000412000-memory.dmp
            Filesize

            72KB

            Download
          • memory/1692-175-0x0000000005720000-0x00000000057BC000-memory.dmp
            Filesize

            624KB

            Download
          • memory/2616-143-0x0000000007B60000-0x00000000081DA000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/2616-138-0x0000000005930000-0x0000000005996000-memory.dmp
            Filesize

            408KB

            Download
          • memory/2616-144-0x0000000007500000-0x000000000751A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/2616-142-0x0000000007460000-0x00000000074D6000-memory.dmp
            Filesize

            472KB

            Download
          • memory/2616-135-0x0000000002840000-0x0000000002876000-memory.dmp
            Filesize

            216KB

            Download
          • memory/2616-134-0x0000000000000000-mapping.dmp
            Download
          • memory/2616-137-0x00000000051A0000-0x00000000051C2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/2616-141-0x00000000066B0000-0x00000000066F4000-memory.dmp
            Filesize

            272KB

            Download
          • memory/2616-140-0x0000000006140000-0x000000000615E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/2616-139-0x0000000005B10000-0x0000000005B76000-memory.dmp
            Filesize

            408KB

            Download
          • memory/2616-136-0x0000000005300000-0x0000000005928000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/3120-151-0x0000000000000000-mapping.dmp
            Download
          • memory/3136-132-0x0000000004A50000-0x0000000004AE2000-memory.dmp
            Filesize

            584KB

            Download
          • memory/3136-131-0x0000000005100000-0x00000000056A4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/3136-130-0x0000000000090000-0x00000000000C0000-memory.dmp
            Filesize

            192KB

            Download
          • memory/3136-133-0x0000000004B00000-0x0000000004B0A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/3324-156-0x0000000000000000-mapping.dmp
            Download
          • memory/3324-157-0x0000000000400000-0x0000000000498000-memory.dmp
            Filesize

            608KB

            Download
          • memory/3324-159-0x0000000000400000-0x0000000000498000-memory.dmp
            Filesize

            608KB

            Download
          • memory/3324-162-0x0000000000400000-0x0000000000498000-memory.dmp
            Filesize

            608KB

            Download
          • memory/3324-168-0x0000000000400000-0x0000000000498000-memory.dmp
            Filesize

            608KB

            Download
          • memory/3656-170-0x0000000000000000-mapping.dmp
            Download
          • memory/3836-163-0x0000000000000000-mapping.dmp
            Download
          • memory/3836-167-0x000000006F520000-0x000000006FAD1000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/3836-169-0x000000006F520000-0x000000006FAD1000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/3836-164-0x00000000001E0000-0x00000000001EE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/3988-154-0x0000000000000000-mapping.dmp
            Download
          • memory/4000-155-0x0000000000000000-mapping.dmp
            Download
          • memory/4468-150-0x0000000000920000-0x0000000000950000-memory.dmp
            Filesize

            192KB

            Download
          • memory/4468-147-0x0000000000000000-mapping.dmp
            Download
          • memory/4768-152-0x0000000000000000-mapping.dmp
            Download