Overview

overview

10

Static

static

3

7185d3a43d...c2.exe

windows7-x64

10

7185d3a43d...c2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2023, 07:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7185d3a43d3c8bdf79f5e2bef494edbe450244e1af247af36cf1d8992fdbb6c2.exe

  • Size

    912KB

  • MD5

    b85a889fd4821baf56d94ffabacaa7b0

  • SHA1

    685938698362ecefdb0fb4ef583babadc254914c

  • SHA256

    7185d3a43d3c8bdf79f5e2bef494edbe450244e1af247af36cf1d8992fdbb6c2

  • SHA512

    6118bea74222900a2ff2052c3ccde1e5d6d125bc980371c356b92dcec19b7f58a10a07babc5076d084b910f1bd45196c8a2ff5da44056bfa3900c1b34d99b772

  • SSDEEP

    24576:SNA3R5drXPYhkXJJBRMUrjU+ydUMN0hIukeLPlZjKszG:r5QOZNMr+sdNEqepEszG

Score
10/10
asyncratdefault5rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default5

C2

floptuytonroyem.sytes.net:7707

floptuytonroyem.sytes.net:8808

mloptuytonroyem.sytes.net:7707

mloptuytonroyem.sytes.net:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    vssr.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7185d3a43d3c8bdf79f5e2bef494edbe450244e1af247af36cf1d8992fdbb6c2.exe
    "C:\Users\Admin\AppData\Local\Temp\7185d3a43d3c8bdf79f5e2bef494edbe450244e1af247af36cf1d8992fdbb6c2.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4336
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgkfin.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Users\Admin\AppData\Local\Temp\fchsg.sfx.exe
        fchsg.sfx.exe -ptujhmyiwsafigsohdfuishgrygfysrsoihfihgsoifghsithngmkaswodtyuiofxvflfadfdyehngfszafugyRhhguhrsugsudbfrgsfskfshbrkgysgrhgnmeUvqxsYb -dC:\Users\Admin\AppData\Local\Temp
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5112
        • C:\Users\Admin\AppData\Local\Temp\fchsg.exe
          "C:\Users\Admin\AppData\Local\Temp\fchsg.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4812
          • C:\Users\Admin\AppData\Local\Temp\fchsg.exe
            C:\Users\Admin\AppData\Local\Temp\fchsg.exe
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1904
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vssr" /tr '"C:\Users\Admin\AppData\Roaming\vssr.exe"' & exit
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3488
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "vssr" /tr '"C:\Users\Admin\AppData\Roaming\vssr.exe"'
                7⤵
                • Creates scheduled task(s)
                PID:1816
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp.bat""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1192
              • C:\Windows\SysWOW64\timeout.exe
                timeout 3
                7⤵
                • Delays execution with timeout.exe
                PID:4132
              • C:\Users\Admin\AppData\Roaming\vssr.exe
                "C:\Users\Admin\AppData\Roaming\vssr.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4172
                • C:\Users\Admin\AppData\Roaming\vssr.exe
                  C:\Users\Admin\AppData\Roaming\vssr.exe
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fchsg.exe.log
    Filesize

    706B

    MD5

    d95c58e609838928f0f49837cab7dfd2

    SHA1

    55e7139a1e3899195b92ed8771d1ca2c7d53c916

    SHA256

    0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

    SHA512

    405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vssr.exe.log
    Filesize

    706B

    MD5

    d95c58e609838928f0f49837cab7dfd2

    SHA1

    55e7139a1e3899195b92ed8771d1ca2c7d53c916

    SHA256

    0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

    SHA512

    405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fchsg.exe
    Filesize

    234KB

    MD5

    4f73df356c838206679bba47f79d7f45

    SHA1

    6e622fd798bb5e4c016e5c3a3d70f15acc61e6ca

    SHA256

    87142e0539111c74213e5d87d1d0c4039b21f55054c4cc2189e69f1e0bd9268b

    SHA512

    5c13a30f0089ee2323f203d44f49df54e30d1401bab09af3d00345c9aec75f48506566d4e0d0167ca81ca0939cf572bf57794ab551b032cd0ae694d5b672e4d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fchsg.exe
    Filesize

    234KB

    MD5

    4f73df356c838206679bba47f79d7f45

    SHA1

    6e622fd798bb5e4c016e5c3a3d70f15acc61e6ca

    SHA256

    87142e0539111c74213e5d87d1d0c4039b21f55054c4cc2189e69f1e0bd9268b

    SHA512

    5c13a30f0089ee2323f203d44f49df54e30d1401bab09af3d00345c9aec75f48506566d4e0d0167ca81ca0939cf572bf57794ab551b032cd0ae694d5b672e4d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fchsg.exe
    Filesize

    234KB

    MD5

    4f73df356c838206679bba47f79d7f45

    SHA1

    6e622fd798bb5e4c016e5c3a3d70f15acc61e6ca

    SHA256

    87142e0539111c74213e5d87d1d0c4039b21f55054c4cc2189e69f1e0bd9268b

    SHA512

    5c13a30f0089ee2323f203d44f49df54e30d1401bab09af3d00345c9aec75f48506566d4e0d0167ca81ca0939cf572bf57794ab551b032cd0ae694d5b672e4d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fchsg.exe
    Filesize

    234KB

    MD5

    4f73df356c838206679bba47f79d7f45

    SHA1

    6e622fd798bb5e4c016e5c3a3d70f15acc61e6ca

    SHA256

    87142e0539111c74213e5d87d1d0c4039b21f55054c4cc2189e69f1e0bd9268b

    SHA512

    5c13a30f0089ee2323f203d44f49df54e30d1401bab09af3d00345c9aec75f48506566d4e0d0167ca81ca0939cf572bf57794ab551b032cd0ae694d5b672e4d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fchsg.sfx.exe
    Filesize

    726KB

    MD5

    e98ca37bf501a94cc1014db34defbeb1

    SHA1

    3fb8821eb77364bd567614df43f7e823ba105867

    SHA256

    8e3b07dad016d04f0678d96b42db5107b6d616c301b2826f90caa475b4842876

    SHA512

    09d741d3d172c322f7000c53479ac1ab5c6b1f4c05ec74def5d4bf0d1795f05cfb688a588b1f1de8471a518e3d802d57e5769a3c92ab0d1918c822cf2488e263

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\fchsg.sfx.exe
    Filesize

    726KB

    MD5

    e98ca37bf501a94cc1014db34defbeb1

    SHA1

    3fb8821eb77364bd567614df43f7e823ba105867

    SHA256

    8e3b07dad016d04f0678d96b42db5107b6d616c301b2826f90caa475b4842876

    SHA512

    09d741d3d172c322f7000c53479ac1ab5c6b1f4c05ec74def5d4bf0d1795f05cfb688a588b1f1de8471a518e3d802d57e5769a3c92ab0d1918c822cf2488e263

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\hgkfin.cmd
    Filesize

    19KB

    MD5

    026747f1d249e51a9bba06d032e0a31d

    SHA1

    6adf6ab2c66b5129ccbf85fe2e28dc3e0ade2375

    SHA256

    bec1a21e0c77af544ddaaa82614eae744aab6935c0c9783230dc81b53619ac94

    SHA512

    37eacdb8cb03942356e6426acd1d050854b7123ec5a299eac55a5de64635c3dd2eccf6c85018184f48ca46a0336d9619e6256bf706155abb511f7016a5f24466

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpEAEC.tmp.bat
    Filesize

    148B

    MD5

    67f533a059c9cadef7bec548f0d2d5f5

    SHA1

    cb04610f6f337122c2756f1fb1d9014e063da958

    SHA256

    602abb3a0dfc6be697f97e0c73686de4c47bbeeefb125704a93ece3d84e97efa

    SHA512

    4909f40fe92fff1bcc368aba6a9fe1a4efeeff5b186642656786c722cd8b7d70a0f060b4e7729654be585c7a2d6b579871e43df4e3ddef02b92138fa94a36759

    Download Submit

  • C:\Users\Admin\AppData\Roaming\vssr.exe
    Filesize

    234KB

    MD5

    4f73df356c838206679bba47f79d7f45

    SHA1

    6e622fd798bb5e4c016e5c3a3d70f15acc61e6ca

    SHA256

    87142e0539111c74213e5d87d1d0c4039b21f55054c4cc2189e69f1e0bd9268b

    SHA512

    5c13a30f0089ee2323f203d44f49df54e30d1401bab09af3d00345c9aec75f48506566d4e0d0167ca81ca0939cf572bf57794ab551b032cd0ae694d5b672e4d2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\vssr.exe
    Filesize

    234KB

    MD5

    4f73df356c838206679bba47f79d7f45

    SHA1

    6e622fd798bb5e4c016e5c3a3d70f15acc61e6ca

    SHA256

    87142e0539111c74213e5d87d1d0c4039b21f55054c4cc2189e69f1e0bd9268b

    SHA512

    5c13a30f0089ee2323f203d44f49df54e30d1401bab09af3d00345c9aec75f48506566d4e0d0167ca81ca0939cf572bf57794ab551b032cd0ae694d5b672e4d2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\vssr.exe
    Filesize

    234KB

    MD5

    4f73df356c838206679bba47f79d7f45

    SHA1

    6e622fd798bb5e4c016e5c3a3d70f15acc61e6ca

    SHA256

    87142e0539111c74213e5d87d1d0c4039b21f55054c4cc2189e69f1e0bd9268b

    SHA512

    5c13a30f0089ee2323f203d44f49df54e30d1401bab09af3d00345c9aec75f48506566d4e0d0167ca81ca0939cf572bf57794ab551b032cd0ae694d5b672e4d2

    Download Submit

  • memory/1904-38-0x0000000005600000-0x0000000005666000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1904-31-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1904-42-0x0000000073EA0000-0x0000000074650000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1904-35-0x0000000073EA0000-0x0000000074650000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1904-37-0x0000000005380000-0x0000000005390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4172-47-0x0000000074420000-0x0000000074BD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4172-48-0x0000000005290000-0x00000000052A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4172-54-0x0000000074420000-0x0000000074BD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4748-55-0x0000000005850000-0x0000000005860000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4748-53-0x0000000074420000-0x0000000074BD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4748-56-0x0000000074420000-0x0000000074BD0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4748-57-0x0000000005850000-0x0000000005860000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4812-24-0x0000000003210000-0x0000000003216000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4812-23-0x0000000000C00000-0x0000000000C40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4812-27-0x0000000007B40000-0x0000000007BDC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4812-36-0x0000000073EA0000-0x0000000074650000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4812-22-0x0000000073EA0000-0x0000000074650000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4812-25-0x00000000032A0000-0x00000000032B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4812-26-0x0000000003220000-0x000000000325E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4812-30-0x0000000007BE0000-0x0000000007BE6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4812-29-0x0000000007C80000-0x0000000007D12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4812-28-0x0000000008190000-0x0000000008734000-memory.dmp

    Filesize

    5.6MB

    Download