Overview

overview

10

Static

static

Steam Chec...ne.dll

windows7-x64

1

Steam Chec...ne.dll

windows10-2004-x64

1

Steam Chec...52.dll

windows7-x64

1

Steam Chec...52.dll

windows10-2004-x64

1

Steam Chec...me.dll

windows7-x64

1

Steam Chec...me.dll

windows10-2004-x64

1

Steam Chec...in.dll

windows7-x64

1

Steam Chec...in.dll

windows10-2004-x64

1

Steam Chec...gn.dll

windows7-x64

1

Steam Chec...gn.dll

windows10-2004-x64

1

Steam Chec...ts.dll

windows7-x64

1

Steam Chec...ts.dll

windows10-2004-x64

1

Steam Chec...rk.dll

windows7-x64

1

Steam Chec...rk.dll

windows10-2004-x64

1

Steam Chec....0.dll

windows7-x64

1

Steam Chec....0.dll

windows10-2004-x64

1

Steam Chec...on.dll

windows7-x64

1

Steam Chec...on.dll

windows10-2004-x64

1

Steam Chec...on.exe

windows7-x64

10

Steam Chec...on.exe

windows10-2004-x64

10

Steam Chec...ne.dll

windows7-x64

1

Steam Chec...ne.dll

windows10-2004-x64

1

Steam Chec...en.dll

windows7-x64

1

Steam Chec...en.dll

windows10-2004-x64

1

Steam Chec...ig.bat

windows7-x64

10

Steam Chec...ig.bat

windows10-2004-x64

10

Steam Chec...C2.ps1

windows7-x64

1

Steam Chec...C2.ps1

windows10-2004-x64

1

Steam Chec...To.ps1

windows7-x64

1

Steam Chec...To.ps1

windows10-2004-x64

1

Steam Chec...rk.bat

windows7-x64

10

Steam Chec...rk.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-es
  • resource tags

    arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
  • submitted
    01-01-2023 04:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Steam Checker By abbadon/config/System/FrameWork.bat

  • Size

    520B

  • MD5

    e2bbc4167314dc0fc9acba48f2c94b74

  • SHA1

    a6b4a5502f2078353769d9bd22ce632ff9035067

  • SHA256

    20cf5b36516ca5251a79e6dcd08f6f8e6f3696ef24959829bc5a387950b7d178

  • SHA512

    4cc2946ce8ce192b3e7bf1ea51a3305e7656c229ca1c5795c4f3762df0005d7b3db2a4e676c8b9ecbf9d770b6c379a9c15a9f3fa994ca829faea30dd64fece9d

Score
10/10
asyncratcrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

C

C2

185.81.157.169:2023

Mutex

7G6ZCBCA-NJ11-YS93-65bg-CX918E7238D5

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 6 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Steam Checker By abbadon\config\System\FrameWork.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:564
    • C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Microsoft\MicrosoftEdgeUpdates\EdgeUpdate" /tr "C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe" /RL HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:952
    • C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Microsoft\SystemUpdates\SysUpdate" /tr "C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe" /RL HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:1924
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates
      2⤵
      • Views/modifies file attributes
      PID:1720
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\SystemUpdates
      2⤵
      • Views/modifies file attributes
      PID:1920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File CopyTo.PS1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -WindowStyle Hidden -ExecutionPolicy RemoteSigned -File C2.PS1
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1380
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {5B191E99-7803-4A32-9DCD-B6908A3C2E2F} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:600
    • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
      C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1056
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
          PID:1956
      • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
        C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: AddClipboardFormatListener
        PID:1152

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
      Filesize

      15KB

      MD5

      492bd942c673806c4dc7d076d44a06de

      SHA1

      ace44cc6d1f875aa1b58c2c0c51901f9c11b0221

      SHA256

      30e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00

      SHA512

      8a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\MicrosoftEdgeUpdates\MicrosoftEdgeUpdates.exe
      Filesize

      15KB

      MD5

      492bd942c673806c4dc7d076d44a06de

      SHA1

      ace44cc6d1f875aa1b58c2c0c51901f9c11b0221

      SHA256

      30e04b25281b27e83652be61a8a61821730e30be65a95452c3b93a7a17333f00

      SHA512

      8a328d28055337629823795dcc96adf1fce2dba6079ec29472b81f8b89917d6b312efc0ec566732effcbfa95ddf96848dead444900096ed71da590dd3861477f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      2c93b9455ceb49131233bcf259b5f07b

      SHA1

      59e32a54e7f5e9b7e47148413cec4753b40b2ec5

      SHA256

      e969762ddc44158b1aaa03aaa42cea2bffd62dc72b02ad5819d386065ff5593d

      SHA512

      233a588bffef05dcd8ce7c631b96caa87079a1a3b4b15c38f7a862ba1ca8b9272ad936666ab9cbead91bd1a94d405c6f96c94a89648bd1c5ca354555b4ece3a6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
      Filesize

      242KB

      MD5

      640d55589c839016931890b47305d638

      SHA1

      bf5062f9c16a3966abe3e7dbb083f539f1b38126

      SHA256

      6dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689

      SHA512

      da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa

      Download Submit

    • C:\Users\Admin\AppData\Roaming\SystemUpdates\SystemUpdates.exe
      Filesize

      242KB

      MD5

      640d55589c839016931890b47305d638

      SHA1

      bf5062f9c16a3966abe3e7dbb083f539f1b38126

      SHA256

      6dba74aedcdd6b0f36d2b7ea79b9c9f40fe669ac41ec0560bc67d4039279f689

      SHA512

      da1142c340124a682f88790d06434c42e9df0ce9ebbe21920235db9de76800728f47a96aa489bf6673b426d16172664dcb4af1e1c134623d0a6eebe20fb7baaa

      Download Submit

    • memory/1000-64-0x00000000023B4000-0x00000000023B7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1000-59-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1000-61-0x000007FEF35E0000-0x000007FEF413D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1000-63-0x000000001B720000-0x000000001BA1F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1000-60-0x000007FEF4140000-0x000007FEF4B63000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/1000-65-0x00000000023BB000-0x00000000023DA000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1000-62-0x00000000023B4000-0x00000000023B7000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1056-87-0x0000000004A75000-0x0000000004A86000-memory.dmp

      Filesize

      68KB

      Download

    • memory/1056-85-0x0000000000500000-0x000000000050A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1056-86-0x0000000000500000-0x000000000050A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1056-81-0x00000000008C0000-0x0000000000902000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1056-88-0x0000000000500000-0x000000000050A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1152-82-0x0000000001060000-0x000000000106A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1152-83-0x0000000075361000-0x0000000075363000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1380-69-0x000007FEF37A0000-0x000007FEF41C3000-memory.dmp

      Filesize

      10.1MB

      Download

    • memory/1380-70-0x000007FEF2C40000-0x000007FEF379D000-memory.dmp

      Filesize

      11.4MB

      Download

    • memory/1380-73-0x0000000002994000-0x0000000002997000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1380-72-0x000000001B750000-0x000000001BA4F000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1380-74-0x000000000299B000-0x00000000029BA000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1380-71-0x0000000002994000-0x0000000002997000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1956-89-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1956-90-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1956-93-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1956-92-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1956-94-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1956-97-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1956-99-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download