Malware Analysis Report

2024-10-23 19:20

Sample ID 231022-v5avhsbc4t
Target Infected.exe
SHA256 ef43dced53ef25f2aca977c3c7417bf5b11c64129c8bc582aad7c292f73198d4
Tags rat default asyncrat stealerium collection spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 ef43dced53ef25f2aca977c3c7417bf5b11c64129c8bc582aad7c292f73198d4

Threat Level: Known bad

The file Infected.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stealerium collection spyware stealer

Async RAT payload

AsyncRat

Stealerium

Asyncrat family

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Looks up geolocation information via web service

Unsigned PE

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-10-22 17:33

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-10-22 17:33
Reported 2023-10-22 17:36
Platform win10v2004-20231020-en
Max time kernel 124s
Max time network 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Infected.exe"

Signatures

AsyncRat

rat asyncrat

Stealerium

stealer stealerium

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (four matches, no indicator details recorded)

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A
N/A | ip-api.com | N/A | N/A

Looks up geolocation information via web service

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A

Processes (indented by parent process)

C:\Users\Admin\AppData\Local\Temp\Infected.exe
  "C:\Users\Admin\AppData\Local\Temp\Infected.exe"

  C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

    C:\Windows\system32\chcp.com
      chcp 65001

    C:\Windows\system32\netsh.exe
      netsh wlan show profile

    C:\Windows\system32\findstr.exe
      findstr All

  C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

    C:\Windows\system32\chcp.com
      chcp 65001

    C:\Windows\system32\netsh.exe
      netsh wlan show networks mode=bssid
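The registry signatures and the process tree above can be expressed as detection logic over endpoint telemetry. The following Python is an added example written for this page, not the sandbox's own signature engine. It runs three rules over constructed, Sysmon-shaped events modelled on the report (EventID 1 process creation, 12 registry key open, 13 registry value query), followed by two benign look-alikes that must not fire: an administrator running netsh from PowerShell, and Outlook reading its own profile store. The 9375CFF0413111d3B88A00104B2A6676 subkey is Outlook's fixed profile/account store key, which is why both outlook_office_path and outlook_win_path end in it. The signature names, weights, the field names beyond Sysmon's schema and all helper names are this example's own assumptions; the SID and paths are copied from the report.

```python
"""Report signatures as host-telemetry detection logic (added example).

Added example for this page, not the sandbox's signature engine. Events are
constructed Sysmon-shaped records (EventID 1 = process create, 12 = registry
key open, 13 = registry value query); signature names, weights and helper
names are this example's own.
"""
import re

SID = "S-1-5-21-356073083-3299209671-3108880702-1000"   # SID from the report
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Infected.exe"  # path from the report

# Outlook keeps its profile/account data under the fixed subkey GUID
# 9375CFF0413111d3B88A00104B2A6676 beneath Office\15.0 / 16.0 and the
# Windows Messaging Subsystem profile root (the three keys in the report).
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(Office\\1[56]\.0\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)"
    r"\\Profiles\\.+\\9375CFF0413111d3B88A00104B2A6676$", re.IGNORECASE)
CPU_ID_RE = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\Identifier$", re.IGNORECASE)
NETSH_WLAN_RE = re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+(profile|networks)\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
OUTLOOK_IMAGE_RE = re.compile(r"\\OUTLOOK\.EXE$", re.IGNORECASE)


def sig_outlook_profile_access(ev):
    """A process other than Outlook touching the Outlook profile store (collection)."""
    return (ev["EventID"] in (12, 13)
            and not OUTLOOK_IMAGE_RE.search(ev["Image"])
            and bool(OUTLOOK_PROFILE_RE.search(ev["TargetObject"])))


def sig_cpu_identifier_query(ev):
    """Read of CentralProcessor\\0\\Identifier: host fingerprinting for the stealer log."""
    return ev["EventID"] == 13 and bool(CPU_ID_RE.search(ev["TargetObject"]))


def sig_wifi_profile_enum(ev):
    """cmd.exe chaining `netsh wlan show ...`, launched by a binary in a user-writable path.

    The `chcp 65001 &&` prefix forces UTF-8 console output so the stealer can
    parse netsh regardless of system locale; an administrator runs netsh from
    a console or PowerShell, not from a cmd /C chain spawned out of %TEMP%.
    """
    return (ev["EventID"] == 1
            and ev["Image"].lower().endswith("\\cmd.exe")
            and bool(NETSH_WLAN_RE.search(ev.get("CommandLine", "")))
            and bool(USER_WRITABLE_RE.search(ev.get("ParentImage", ""))))


# Weight per signature (this example's own scale, not the sandbox's 10/10).
SIGNATURES = {
    "outlook_profile_access": (sig_outlook_profile_access, 4),
    "cpu_identifier_query": (sig_cpu_identifier_query, 1),
    "wifi_profile_enum": (sig_wifi_profile_enum, 5),
}


def evaluate(events):
    """Return {signature_name: [indices of matching events]} for signatures that fired."""
    hits = {}
    for i, ev in enumerate(events):
        for name, (fn, _weight) in SIGNATURES.items():
            if fn(ev):
                hits.setdefault(name, []).append(i)
    return hits


def score(events):
    """Sum the weights of fired signatures, capped at 10."""
    return min(10, sum(SIGNATURES[name][1] for name in evaluate(events)))


def hku(subkey):
    """Build an HKU path for the report's user SID."""
    return "\\".join(("HKU", SID, subkey))


# Constructed telemetry modelled on the report's registry and process sections,
# followed by two benign look-alikes that the rules must not flag.
EVENTS = [
    {"EventID": 12, "Image": SAMPLE, "TargetObject": hku(
        r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")},
    {"EventID": 12, "Image": SAMPLE, "TargetObject": hku(
        r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem"
        r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")},
    {"EventID": 13, "Image": SAMPLE,
     "TargetObject": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier"},
    {"EventID": 1, "Image": r"C:\Windows\SYSTEM32\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"EventID": 1, "Image": r"C:\Windows\SYSTEM32\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    # benign: an admin runs netsh directly from PowerShell (no cmd /C chain, no %TEMP% parent)
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "netsh wlan show profile"},
    # benign: Outlook reading its own profile store
    {"EventID": 12, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": hku(
         r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")},
]

if __name__ == "__main__":
    for name, idx in evaluate(EVENTS).items():
        print(f"{name}: events {idx}")
    print("score", score(EVENTS))
```

The rules key on context rather than on the bare command: `netsh wlan show profile` is legitimate from an interactive shell, and Outlook legitimately opens its own profile keys, so the parent path and the image name are what separate the stealer from day-to-day activity.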

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp
DE | 3.69.157.220:11088 | 6.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 220.157.69.3.in-addr.arpa | udp
DE | 3.69.157.220:11088 | 6.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
DE | 3.69.157.220:11088 | 6.tcp.eu.ngrok.io | tcp
DE | 3.69.157.220:11088 | 6.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | icanhazip.com | udp
US | 104.18.114.97:80 | icanhazip.com | tcp
US | 8.8.8.8:53 | 97.114.18.104.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | api.mylnikov.org | udp
US | 104.21.44.66:443 | api.mylnikov.org | tcp
US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.101.122.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp
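Read as a whole, the table splits into three things: repeated TCP sessions to 6.tcp.eu.ngrok.io on port 11088, which is the tunnel endpoint behind the "Legitimate hosting services abused for malware hosting/C2" signature; HTTP to icanhazip.com and ip-api.com for the external-IP lookup; and HTTPS to api.mylnikov.org, a Wi-Fi BSSID geolocation API, which is what the `netsh wlan show networks mode=bssid` step feeds. Everything sent to 8.8.8.8:53 is the resolver configured in the sandbox, and the `*.in-addr.arpa` names are the sandbox's reverse lookups of contacted IPs (220.157.69.3.in-addr.arpa is the PTR name of 3.69.157.220), not lookups the sample asked for. The Python below is an added example written for this page, not part of the report: it parses a representative subset of the rows copied from the table, drops the reverse-DNS noise, classifies the rest and extracts the indicators worth blocking or hunting on. The category names, the ngrok hostname pattern and the helper names are this example's own.

```python
"""Triage of the Network table above (added example, not part of the report).

Rows are copied from the report's table (a representative subset). 8.8.8.8:53
is the sandbox resolver; *.in-addr.arpa names are the sandbox's reverse
lookups of IPs the sample contacted, not sample-driven lookups. Category
names, regexes and helper names are this example's own.
"""
import re
from collections import Counter

NET_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 6.tcp.eu.ngrok.io udp
DE 3.69.157.220:11088 6.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 220.157.69.3.in-addr.arpa udp
DE 3.69.157.220:11088 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:11088 6.tcp.eu.ngrok.io tcp
DE 3.69.157.220:11088 6.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
"""

# ngrok TCP tunnel endpoints look like <n>.tcp.ngrok.io or <n>.tcp.<region>.ngrok.io
NGROK_TCP_RE = re.compile(r"^\d+\.tcp(?:\.[a-z0-9-]+)?\.ngrok\.io$")
EXTERNAL_IP_HOSTS = {"icanhazip.com", "ip-api.com"}
GEOLOCATION_HOSTS = {"api.mylnikov.org"}


def parse_rows(text):
    """Split 'Country Destination Domain Proto' lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'220.157.69.3.in-addr.arpa' -> '3.69.157.220'; None for non-PTR names."""
    if not name.endswith(".in-addr.arpa"):
        return None
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def classify(domain):
    if domain.endswith(".in-addr.arpa"):
        return "reverse-dns-noise"
    if NGROK_TCP_RE.match(domain):
        return "c2-tunnel"
    if domain in EXTERNAL_IP_HOSTS:
        return "external-ip-lookup"
    if domain in GEOLOCATION_HOSTS:
        return "geolocation-lookup"
    return "unclassified"


def triage(text):
    """{category: Counter{(domain, ip, port, proto): hits}}, reverse-DNS rows dropped."""
    out = {}
    for r in parse_rows(text):
        cat = classify(r["domain"])
        if cat == "reverse-dns-noise":
            continue
        key = (r["domain"], r["ip"], r["port"], r["proto"])
        out.setdefault(cat, Counter())[key] += 1
    return out


def c2_endpoints(text):
    """Direct (non-DNS) connections to tunnel hosts: the C2 rendezvous points."""
    return sorted({(d, ip, port) for (d, ip, port, proto) in triage(text).get("c2-tunnel", {})
                   if proto == "tcp"})


def iocs(text):
    """Flat indicator list: contacted domains plus ip:port of direct connections."""
    t = triage(text)
    domains = sorted({key[0] for cat in t for key in t[cat]})
    sockets = sorted({f"{ip}:{port}" for cat in t for (_d, ip, port, proto) in t[cat]
                      if proto == "tcp"})
    return {"domains": domains, "sockets": sockets}


if __name__ == "__main__":
    for cat, counter in triage(NET_TABLE).items():
        for key, n in counter.items():
            print(cat, key, n)
    print("C2:", c2_endpoints(NET_TABLE))
    print("IOCs:", iocs(NET_TABLE))
```

Blocking the ngrok hostname alone is weak, since the operator can re-issue a tunnel on another `<n>.tcp.<region>.ngrok.io` name; the useful control is alerting on any outbound connection to the `*.tcp.*.ngrok.io` pattern from hosts that have no business using ngrok.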

Files

memory/2208-0-0x0000000000A00000-0x0000000000A16000-memory.dmp

memory/2208-1-0x00007FFA27830000-0x00007FFA282F1000-memory.dmp

memory/2208-2-0x000000001B610000-0x000000001B620000-memory.dmp

memory/2208-3-0x00007FFA456B0000-0x00007FFA458A5000-memory.dmp

memory/2208-4-0x00007FFA27830000-0x00007FFA282F1000-memory.dmp

memory/2208-5-0x000000001B610000-0x000000001B620000-memory.dmp

memory/2208-6-0x00007FFA456B0000-0x00007FFA458A5000-memory.dmp

memory/2208-7-0x000000001C4D0000-0x000000001C546000-memory.dmp

memory/2208-8-0x000000001C550000-0x000000001C602000-memory.dmp

memory/2208-9-0x000000001B5E0000-0x000000001B5FE000-memory.dmp

memory/2208-10-0x0000000002AB0000-0x0000000002AE2000-memory.dmp

memory/2208-11-0x000000001D700000-0x000000001D888000-memory.dmp

memory/2208-16-0x000000001CA80000-0x000000001CA8A000-memory.dmp

C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt

MD5 3c7c990c1c744b60da3c4a69f11b5e66
SHA1 d43129f475d3f03778d26c381b447ff6fd3a8e32
SHA256 fb906dddef14bd3419faa23f44e3dcf1f6f5f08e75274f0f936b6c982940569a
SHA512 e15abe9b074c648bc8613db17a1580bfa73ea909a0d1a06943c1ab2d25b5c243bdd3c404aef70a689e573c611579b23fdf713d992c39c46d74c45e8190ad63d2

C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt

MD5 73fea31b1dff2ced7f9df18ec430f331
SHA1 93a18a6fdc057056f29c7e96902d1eaf9312f07f
SHA256 f92915be652ad66e4e4de872fbe105ab5539e506b7df93198cd861527acee80e
SHA512 1ef151be4999286ea01cf968874e7209c8e01ee2347bc896a1fb30dcab50362947d0377e03a45fbf75af53881706464ab209c90fb13f2fdd81ab763fe59a7a06

memory/2208-151-0x000000001B610000-0x000000001B620000-memory.dmp

memory/2208-152-0x000000001B610000-0x000000001B620000-memory.dmp

memory/2208-165-0x000000001C600000-0x000000001C67A000-memory.dmp

C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2208-200-0x000000001B610000-0x000000001B620000-memory.dmp
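The Files section mixes two kinds of entry: memory dumps named `memory/<pid>-<seq>-<start>-<end>-memory.dmp` (all from PID 2208, the sample itself), and files dropped under the stealer's staging directory `%LOCALAPPDATA%\<32 hex>\<user>@<host>_<locale>\<category>\<file>`, where the collected data (process list, browser bookmarks) is written before exfiltration. Process.txt is listed twice with different hashes, so it was rewritten during the run. The Python below is an added example written for this page, not part of the report: a parser for both line shapes that recovers the PID and region sizes from the dump names, the staging directory and artifact categories from the dropped paths, and derives a host-independent hunting pattern from them. The regexes, the `hunt_glob` pattern and the helper names are this example's own; the sample lines are copied from the report.

```python
"""Parser for the Files section above (added example, not part of the report).

Handles two line shapes: memory dumps named
memory/<pid>-<seq>-<start>-<end>-memory.dmp, and dropped files under the
stealer staging layout %LOCALAPPDATA%\\<32 hex>\\<user>@<host>_<locale>\\...
Regexes and helper names are this example's own; sample lines are copied
from the report.
"""
import re

MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
STAGING_RE = re.compile(
    r"^(?P<localappdata>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local)\\"
    r"(?P<dir_id>[0-9a-f]{32})\\"
    r"(?P<user>[^\\@]+)@(?P<host>[^\\_]+)_(?P<locale>[a-z]{2}-[A-Z]{2})\\"
    r"(?P<category>.+)\\(?P<name>[^\\]+)$")  # assumes hostnames without '_'


def parse_memdump(line):
    """Return pid/seq/start/end/size for a memory dump name, or None."""
    m = MEMDUMP_RE.match(line)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def parse_staging_path(path):
    """Return the components of a stealer staging path, or None if it does not fit."""
    m = STAGING_RE.match(path)
    return m.groupdict() if m else None


def hunt_glob(path):
    """Host-independent pattern for the same artifact on any machine/user."""
    p = parse_staging_path(path)
    if p is None:
        return None
    return r"%LOCALAPPDATA%\*\*@*_*\{}\{}".format(p["category"], p["name"])


def summarize(lines):
    """Group a Files section into memory regions and staged artifacts."""
    out = {"pids": set(), "regions": 0, "largest_region": 0,
           "staging_dirs": set(), "artifacts": {}}
    for line in lines:
        mem = parse_memdump(line)
        if mem:
            out["pids"].add(mem["pid"])
            out["regions"] += 1
            out["largest_region"] = max(out["largest_region"], mem["size"])
            continue
        p = parse_staging_path(line)
        if p:
            ident = f'{p["user"]}@{p["host"]}_{p["locale"]}'
            out["staging_dirs"].add("\\".join((p["localappdata"], p["dir_id"], ident)))
            out["artifacts"].setdefault(p["category"], []).append(p["name"])
    return out


# Lines copied from the report's Files section (subset).
FILES_SECTION = [
    "memory/2208-0-0x0000000000A00000-0x0000000000A16000-memory.dmp",
    "memory/2208-1-0x00007FFA27830000-0x00007FFA282F1000-memory.dmp",
    "memory/2208-11-0x000000001D700000-0x000000001D888000-memory.dmp",
    r"C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt",
    r"C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt",
]

if __name__ == "__main__":
    s = summarize(FILES_SECTION)
    print("pids", s["pids"], "regions", s["regions"], "largest", hex(s["largest_region"]))
    for d in s["staging_dirs"]:
        print("staging dir:", d)
    for cat, names in s["artifacts"].items():
        print(cat, names)
    print(hunt_glob(FILES_SECTION[3]))
```

The 32-hex directory name and the `user@host_locale` folder are what make the layout huntable: a search for `%LOCALAPPDATA%\*\*@*_*\System\Process.txt` across an estate finds the staging area regardless of the per-host directory name, and the first memory region (0xA00000 to 0xA16000, 0x16000 bytes) is the small mapped image of the sample itself.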