Analysis

  • max time kernel: 124s
  • max time network: 158s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231020-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 22-10-2023 17:33

General

  • Target: Infected.exe
  • Size: 63KB
  • MD5: 717dc78094e7b5c0fd501ace3341bfdc
  • SHA1: dfd728fa410cd296b37b9d8c04ad8bad3f9144cd
  • SHA256: ef43dced53ef25f2aca977c3c7417bf5b11c64129c8bc582aad7c292f73198d4
  • SHA512: 98a2e5132057c2a203a0b4f817f014ec5544cd1880571dd62c7dc3bf74e58ffe4e018c63aaa6cd5f21401c60110bd501e97e51c0fa3a33d10dcbab70fc900ced
  • SSDEEP: 768:VKO0JDEIM78K/fC8A+XOyazcBRL5JTk1+T4KSBGHmDbD/ph0oXDq3xWZD/0+Su7V:3VIGn1dSJYUbdh9DqhWpau7dpqKmY7

Malware Config

Extracted

  • Family: asyncrat
  • Botnet: Default
  • C2:
    • 127.0.0.1:3232
    • 127.0.0.1:12956
    • 127.0.0.1:11088
    • 2.tcp.eu.ngrok.io:3232
    • 2.tcp.eu.ngrok.io:12956
    • 2.tcp.eu.ngrok.io:11088
    • 6.tcp.eu.ngrok.io:3232
    • 6.tcp.eu.ngrok.io:12956
    • 6.tcp.eu.ngrok.io:11088
  • Mutex: 比sQ比kMczl西F开zeZR吉勒迪E
  • Attributes
    • delay: 1
    • install: false
    • install_folder: %AppData%
    • aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Stealerium

    An open-source information stealer written in C#, first seen in May 2022.

  • Async RAT payload (4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP address.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandbox environments.

  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (22 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (14 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Infected.exe
    "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2208
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:4912
      • C:\Windows\system32\netsh.exe
        netsh wlan show profile
        3⤵
        PID:4576
      • C:\Windows\system32\findstr.exe
        findstr All
        3⤵
        PID:4476
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:5108
      • C:\Windows\system32\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        PID:3840

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
    Filesize: 105B
    MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
    Filesize: 4KB
    MD5: 73fea31b1dff2ced7f9df18ec430f331
    SHA1: 93a18a6fdc057056f29c7e96902d1eaf9312f07f
    SHA256: f92915be652ad66e4e4de872fbe105ab5539e506b7df93198cd861527acee80e
    SHA512: 1ef151be4999286ea01cf968874e7209c8e01ee2347bc896a1fb30dcab50362947d0377e03a45fbf75af53881706464ab209c90fb13f2fdd81ab763fe59a7a06

  • C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
    Filesize: 1KB
    MD5: 3c7c990c1c744b60da3c4a69f11b5e66
    SHA1: d43129f475d3f03778d26c381b447ff6fd3a8e32
    SHA256: fb906dddef14bd3419faa23f44e3dcf1f6f5f08e75274f0f936b6c982940569a
    SHA512: e15abe9b074c648bc8613db17a1580bfa73ea909a0d1a06943c1ab2d25b5c243bdd3c404aef70a689e573c611579b23fdf713d992c39c46d74c45e8190ad63d2

  • memory/2208-10-0x0000000002AB0000-0x0000000002AE2000-memory.dmp (Filesize: 200KB)
  • memory/2208-16-0x000000001CA80000-0x000000001CA8A000-memory.dmp (Filesize: 40KB)
  • memory/2208-5-0x000000001B610000-0x000000001B620000-memory.dmp (Filesize: 64KB)
  • memory/2208-6-0x00007FFA456B0000-0x00007FFA458A5000-memory.dmp (Filesize: 2.0MB)
  • memory/2208-7-0x000000001C4D0000-0x000000001C546000-memory.dmp (Filesize: 472KB)
  • memory/2208-8-0x000000001C550000-0x000000001C602000-memory.dmp (Filesize: 712KB)
  • memory/2208-9-0x000000001B5E0000-0x000000001B5FE000-memory.dmp (Filesize: 120KB)
  • memory/2208-0-0x0000000000A00000-0x0000000000A16000-memory.dmp (Filesize: 88KB)
  • memory/2208-11-0x000000001D700000-0x000000001D888000-memory.dmp (Filesize: 1.5MB)
  • memory/2208-4-0x00007FFA27830000-0x00007FFA282F1000-memory.dmp (Filesize: 10.8MB)
  • memory/2208-3-0x00007FFA456B0000-0x00007FFA458A5000-memory.dmp (Filesize: 2.0MB)
  • memory/2208-2-0x000000001B610000-0x000000001B620000-memory.dmp (Filesize: 64KB)
  • memory/2208-151-0x000000001B610000-0x000000001B620000-memory.dmp (Filesize: 64KB)
  • memory/2208-152-0x000000001B610000-0x000000001B620000-memory.dmp (Filesize: 64KB)
  • memory/2208-165-0x000000001C600000-0x000000001C67A000-memory.dmp (Filesize: 488KB)
  • memory/2208-1-0x00007FFA27830000-0x00007FFA282F1000-memory.dmp (Filesize: 10.8MB)
  • memory/2208-200-0x000000001B610000-0x000000001B620000-memory.dmp (Filesize: 64KB)