Analysis
-
max time kernel
36s -
max time network
162s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
01/05/2023, 20:11
Behavioral task
behavioral1
Sample
stub.exe
Resource
win7-20230220-en
6 signatures
150 seconds
General
-
Target
stub.exe
-
Size
66KB
-
MD5
c80f44f67aa862099f67866a26e84253
-
SHA1
e55c67dc7a05b0a1a32c30b66431642c075e6724
-
SHA256
cd279fe4806f1925c2985f4a3f4a0052b140e85ffad9a2e46b27f8ff2cd99baa
-
SHA512
9e609170436eda8479d442d93a29eaef191227c0dd56ed21ac5cac64c6436b57c17e33aac4f3f3d47c04cce41236d6f224bf4e004e65e0470239916fe402ecf0
-
SSDEEP
1536:n2UukvF1tkk/hEYRo2NQphePvUgcKu5UYF17uKRlME0IbpUCY1KwrCrCVx:n2JkvF1tkXKu5UYF17uSyEpbpy46x
Malware Config
Extracted
Family
asyncrat
Version
| Edit 3LOSH RAT
Botnet
Default
C2
bahrdevo.endoftheinternet.org:6606
bahrdevo.endoftheinternet.org:7707
bahrdevo.endoftheinternet.org:8808
Mutex
AsyncMutex_gekPnk
Attributes
-
delay
3
-
install
false
-
install_folder
%AppData%
aes.plain
Signatures
-
Async RAT payload 1 IoCs
resource yara_rule behavioral1/memory/1632-54-0x0000000001160000-0x0000000001176000-memory.dmp asyncrat -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1632 stub.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1632 stub.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1632 stub.exe