Analysis

  • max time kernel
    91s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-09-2022 23:02

General

  • Target

    168ee8403709fc4848328051ff819157.exe

  • Size

    70KB

  • MD5

    168ee8403709fc4848328051ff819157

  • SHA1

    bf96e4267c22e283d192e34fc50ded40802ac83c

  • SHA256

    bf765420bbb03b49f594002013915e508160a4efede03e051075cabad32c51b3

  • SHA512

    9e86bdb6f49881fc39a1cea97047164dc02e21cb8bfc43526997840effcde497c3411bfed256fce7738f3b3a3814d1fb8f4295cec09034453aff326cf97a449c

  • SSDEEP

    1536:L2pM3Poamv/TQ6MLXIRakKVyreBOPew0ikXx5utYdsOWg+7/MajDw:iW3ADXcBURL4OmikXbuuVA/Rw

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

20.171.107.243:6606

20.171.107.243:7707

20.171.107.243:8808

rositxado.tk:6606

rositxado.tk:7707

rositxado.tk:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
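
The values above are a complete AsyncRAT client configuration. The following Python is an added example, not part of this report or of the AsyncRAT project: it parses the Extracted block in the one-label-or-value-per-line layout shown here, splits the C2 list into IP, domain and port sets for blocking and hunting, and checks whether the mutex, ports and botnet name still equal the defaults of the public AsyncRAT builder (AsyncMutex_6SI8OkPnk, 6606/7707/8808, Default), which they do for this sample. The AsyncRatConfig type and the function names are this example's own.

```python
"""Parse the AsyncRAT config extracted above and derive network IOCs from it.

Added example, not part of the sandbox report and not AsyncRAT code. CONFIG_TEXT
embeds the report's Extracted block verbatim, one label or value per line.
DEFAULT_MUTEX / DEFAULT_PORTS are the stock values of the public AsyncRAT builder.
"""
import ipaddress
from dataclasses import dataclass, field

CONFIG_TEXT = """\
Family
asyncrat
Version
0.5.7B
Botnet
Default
C2
20.171.107.243:6606
20.171.107.243:7707
20.171.107.243:8808
rositxado.tk:6606
rositxado.tk:7707
rositxado.tk:8808
Mutex
AsyncMutex_6SI8OkPnk
Attributes
delay
3
install
false
install_folder
%AppData%
"""

DEFAULT_MUTEX = "AsyncMutex_6SI8OkPnk"
DEFAULT_PORTS = {6606, 7707, 8808}
SCALAR_LABELS = {"Family": "family", "Version": "version", "Botnet": "botnet", "Mutex": "mutex"}


@dataclass
class AsyncRatConfig:
    family: str = ""
    version: str = ""
    botnet: str = ""
    mutex: str = ""
    c2: list = field(default_factory=list)         # (host, port) pairs
    attributes: dict = field(default_factory=dict)


def parse_config(text):
    """Walk the label/value lines: a label switches section, other lines are values."""
    cfg = AsyncRatConfig()
    section, pending_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SCALAR_LABELS or line in ("C2", "Attributes"):
            section, pending_key = line, None
            continue
        if section in SCALAR_LABELS:
            setattr(cfg, SCALAR_LABELS[section], line)
        elif section == "C2":
            host, port = line.rsplit(":", 1)   # domains and IPv4 both appear as host:port
            cfg.c2.append((host, int(port)))
        elif section == "Attributes":
            if pending_key is None:
                pending_key = line              # attribute name line
            else:
                cfg.attributes[pending_key] = line
                pending_key = None
    return cfg


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def network_iocs(cfg):
    """Split the C2 list into IP, domain and port sets for blocklists and hunts."""
    return {
        "ips": {h for h, _ in cfg.c2 if is_ip(h)},
        "domains": {h for h, _ in cfg.c2 if not is_ip(h)},
        "ports": {p for _, p in cfg.c2},
    }


def is_c2_connection(cfg, dst_host, dst_port):
    """True when a (host, port) pair matches an extracted C2 endpoint exactly."""
    return (dst_host.lower(), int(dst_port)) in {(h.lower(), p) for h, p in cfg.c2}


def default_settings_kept(cfg):
    """Names of settings that still equal the public AsyncRAT builder defaults."""
    kept = []
    if cfg.mutex == DEFAULT_MUTEX:
        kept.append("mutex")
    if {p for _, p in cfg.c2} == DEFAULT_PORTS:
        kept.append("ports")
    if cfg.botnet == "Default":
        kept.append("botnet")
    return kept
```

Matching on exact host:port pairs rather than on the IP alone keeps a shared hosting address from producing false positives; the default-settings check is worth logging separately, because a sample that kept the stock mutex and port triplet also kept the most widely shared AsyncRAT IOCs.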

Signatures

  • AsyncRat

    AsyncRAT is an open-source .NET remote access trojan designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\168ee8403709fc4848328051ff819157.exe
    "C:\Users\Admin\AppData\Local\Temp\168ee8403709fc4848328051ff819157.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4196
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Users\Admin\AppData\Roaming\vlc\HWMonitor.exe"' -PropertyType 'String'
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3580
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:4828
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:3108
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          4⤵
          PID:4512
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          4⤵
          PID:3912
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          PID:3552
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show networks mode=bssid
          4⤵
          PID:4540
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4748
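
The tree above shows the dropped executable (PID 4196) writing persistence through powershell.exe, starting an argument-less RegAsm.exe (PID 4828) with SetThreadContext and WriteProcessMemory flagged, which is the shape of process hollowing into a .NET host, and that RegAsm.exe then running netsh wlan to enumerate saved Wi-Fi profiles and nearby networks. The Python below is an added example, not part of this report, that encodes those three behaviours as detection rules and runs them over a constructed set of process-creation records transcribed from the tree (parent PIDs the report does not show are None). DOTNET_HOSTS generalises beyond the report's RegAsm.exe to other .NET utilities that loaders commonly hollow; the rule names are this example's own.

```python
"""Detection logic for the behaviours in the process tree above.

Added example, not part of the sandbox report. EVENTS is a constructed set of
process-creation records (Sysmon Event ID 1 style: pid, ppid, image, cmdline)
transcribed from the tree; parent PIDs the report does not show are None.
"""
import re

POWERSHELL_CMD = (
    '"powershell.exe" Remove-ItemProperty -Path '
    "'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'HWMonitor';"
    "New-ItemProperty -Path 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name 'HWMonitor' -Value '\"C:\\Users\\Admin\\AppData\\Roaming\\vlc\\HWMonitor.exe\"' "
    "-PropertyType 'String'"
)
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\168ee8403709fc4848328051ff819157.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


EVENTS = [  # constructed from the tree; ppid None = parent not shown in the report
    ev(4196, None, SAMPLE, '"' + SAMPLE + '"'),
    ev(3580, 4196, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", POWERSHELL_CMD),
    ev(4828, 4196, REGASM, '"' + REGASM + '"'),
    ev(2908, 4828, CMD, '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ev(4512, 2908, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    ev(4460, 4828, CMD, '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ev(4748, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
]

# .NET utilities commonly used as hollowing hosts (generalisation; the report shows RegAsm.exe).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}
# Parents under which an argument-less launch of those hosts can be legitimate.
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run\b", re.I)
RUN_WRITE_RE = re.compile(r"New-ItemProperty|Set-ItemProperty|\breg(\.exe)?\s+add\b", re.I)
USER_PATH_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
WLAN_RE = re.compile(r"netsh\s+wlan\s+show\s+(profile|networks)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_of(cmdline):
    """Argument portion of a command line ('' when only the image is given)."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        rest = s[close + 1:] if close != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip()


def ancestry(events, pid):
    """Image basenames from pid up to the root the records can reach."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def evaluate(events):
    """Return (rule, pid) pairs for every record that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        parent_img = basename(parent["image"]) if parent else ""
        # 1. Run-key persistence whose target lives in the user profile.
        if (img in {"powershell.exe", "pwsh.exe", "reg.exe"}
                and RUN_KEY_RE.search(cmd) and RUN_WRITE_RE.search(cmd)
                and USER_PATH_RE.search(cmd)):
            hits.append(("run_key_to_user_profile", e["pid"]))
        # 2. A .NET utility started with no arguments by a non-developer parent:
        #    the shape of a hollowed host (SetThreadContext/WriteProcessMemory above).
        if img in DOTNET_HOSTS and args_of(cmd) == "" and parent_img not in DEV_PARENTS:
            hits.append(("argless_dotnet_host", e["pid"]))
        # 3. Wi-Fi profile/network enumeration descending from one of those hosts.
        if WLAN_RE.search(cmd) and any(a in DOTNET_HOSTS for a in ancestry(events, e["pid"])[1:]):
            hits.append(("wifi_profile_harvest_from_dotnet_host", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:40} pid={pid} chain={' <- '.join(ancestry(EVENTS, pid))}")
```

Rule 2 is the highest-signal of the three: RegAsm.exe has no reason to run without arguments outside a build environment. Rule 3 deliberately requires a .NET host in the ancestry, since netsh wlan show profile on its own is routine administrator activity; msiexec.exe /V (PID 4748) trips nothing, as the report gives no link between it and the sample.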

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence
  • Registry Run Keys / Startup Folder (1) T1060

Defense Evasion
  • Modify Registry (1) T1112

Credential Access
  • Credentials in Files (1) T1081

Discovery
  • Query Registry (1) T1012
  • System Information Discovery (1) T1082

Collection
  • Data from Local System (1) T1005
  • Email Collection (1) T1114

The identifiers above are ATT&CK v6. T1060 and T1081 were retired in later versions and correspond to T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1552.001 (Unsecured Credentials: Credentials In Files); the remaining IDs are still current.


Downloads

Each entry is a memory dump named PID-index-range; mapping.dmp entries carry no region. memory/4828-140 covers 0x400000-0x412000 (72KB) inside RegAsm.exe (PID 4828), a region at the usual 32-bit image base that is close to the 70KB sample size, so it is the likely location of the hollowed-in payload and the dump to examine first for the unpacked AsyncRAT client.

  • memory/2908-151-0x0000000000000000-mapping.dmp
  • memory/3108-152-0x0000000000000000-mapping.dmp
  • memory/3552-156-0x0000000000000000-mapping.dmp
  • memory/3580-144-0x0000000006150000-0x00000000061B6000-memory.dmp (408KB)
  • memory/3580-146-0x0000000006940000-0x000000000695E000-memory.dmp (120KB)
  • memory/3580-149-0x0000000006E60000-0x0000000006E82000-memory.dmp (136KB)
  • memory/3580-138-0x0000000000000000-mapping.dmp
  • memory/3580-148-0x0000000006E10000-0x0000000006E2A000-memory.dmp (104KB)
  • memory/3580-147-0x0000000007930000-0x00000000079C6000-memory.dmp (600KB)
  • memory/3580-141-0x0000000005300000-0x0000000005336000-memory.dmp (216KB)
  • memory/3580-142-0x0000000005970000-0x0000000005F98000-memory.dmp (6.2MB)
  • memory/3580-143-0x00000000058F0000-0x0000000005912000-memory.dmp (136KB)
  • memory/3580-145-0x0000000006270000-0x00000000062D6000-memory.dmp (408KB)
  • memory/3912-154-0x0000000000000000-mapping.dmp
  • memory/4196-135-0x0000000002900000-0x000000000290A000-memory.dmp (40KB)
  • memory/4196-137-0x0000000002A70000-0x0000000002A8E000-memory.dmp (120KB)
  • memory/4196-132-0x0000000000490000-0x00000000004A8000-memory.dmp (96KB)
  • memory/4196-134-0x0000000004EE0000-0x0000000004F72000-memory.dmp (584KB)
  • memory/4196-136-0x0000000005180000-0x00000000051F6000-memory.dmp (472KB)
  • memory/4196-133-0x0000000005490000-0x0000000005A34000-memory.dmp (5.6MB)
  • memory/4460-155-0x0000000000000000-mapping.dmp
  • memory/4512-153-0x0000000000000000-mapping.dmp
  • memory/4540-157-0x0000000000000000-mapping.dmp
  • memory/4828-140-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
  • memory/4828-139-0x0000000000000000-mapping.dmp
  • memory/4828-150-0x0000000006490000-0x000000000652C000-memory.dmp (624KB)