Analysis
-
max time kernel
135s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
01/05/2023, 05:04
Behavioral task
behavioral1
Sample
stub.exe
Resource
win7-20230220-en
6 signatures
150 seconds
General
-
Target
stub.exe
-
Size
66KB
-
MD5
97845eca9567226161ecac97a9cfdd4c
-
SHA1
c5cdb968f6532d56777afec6276073228ba9df4b
-
SHA256
60ae5794afacdc55c75268040eedce59d20776dced641d2cba250bd768359d8a
-
SHA512
a3cf1701eec8f4347b8283157f3ffe404ad75c5db0de40d25c048956e43ba47ae1a78c5f4c5c1a8d6c6e6f6d8344a958d256cd27d2ed72ed3218f9d7df558d9c
-
SSDEEP
1536:J2wukvF1ak9gcKu5UYF8d5cO+vXMbztfuoKMCqorQTGpx:J2dkvF1ak9Ku5UYF2crPMbztfiMCBGqx
Malware Config
Extracted
Family
asyncrat
Version
| Edit 3LOSH RAT
Botnet
Default
C2
alertgeeks.ddnsfree.com:8808
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
delay
3
-
install
false
-
install_folder
%AppData%
aes.plain
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral2/memory/1512-133-0x00000000008F0000-0x0000000000906000-memory.dmp asyncrat -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1512 stub.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1512 stub.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1512 stub.exe