Analysis Overview
SHA256
ef43dced53ef25f2aca977c3c7417bf5b11c64129c8bc582aad7c292f73198d4
Threat Level: Known bad
The file Infected.exe was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
AsyncRat
Stealerium
Asyncrat family
Async RAT payload
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Looks up geolocation information via web service
Unsigned PE
outlook_office_path
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-22 17:33
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-22 17:33
Reported
2023-10-22 17:36
Platform
win10v2004-20231020-en
Max time kernel
124s
Max time network
158s
Command Line
Signatures
AsyncRat
Stealerium
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-356073083-3299209671-3108880702-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.69.157.220:11088 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 220.157.69.3.in-addr.arpa | udp |
| DE | 3.69.157.220:11088 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.69.157.220:11088 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:11088 | 6.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | 97.114.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.101.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/2208-0-0x0000000000A00000-0x0000000000A16000-memory.dmp
memory/2208-1-0x00007FFA27830000-0x00007FFA282F1000-memory.dmp
memory/2208-2-0x000000001B610000-0x000000001B620000-memory.dmp
memory/2208-3-0x00007FFA456B0000-0x00007FFA458A5000-memory.dmp
memory/2208-4-0x00007FFA27830000-0x00007FFA282F1000-memory.dmp
memory/2208-5-0x000000001B610000-0x000000001B620000-memory.dmp
memory/2208-6-0x00007FFA456B0000-0x00007FFA458A5000-memory.dmp
memory/2208-7-0x000000001C4D0000-0x000000001C546000-memory.dmp
memory/2208-8-0x000000001C550000-0x000000001C602000-memory.dmp
memory/2208-9-0x000000001B5E0000-0x000000001B5FE000-memory.dmp
memory/2208-10-0x0000000002AB0000-0x0000000002AE2000-memory.dmp
memory/2208-11-0x000000001D700000-0x000000001D888000-memory.dmp
memory/2208-16-0x000000001CA80000-0x000000001CA8A000-memory.dmp
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
| MD5 | 3c7c990c1c744b60da3c4a69f11b5e66 |
| SHA1 | d43129f475d3f03778d26c381b447ff6fd3a8e32 |
| SHA256 | fb906dddef14bd3419faa23f44e3dcf1f6f5f08e75274f0f936b6c982940569a |
| SHA512 | e15abe9b074c648bc8613db17a1580bfa73ea909a0d1a06943c1ab2d25b5c243bdd3c404aef70a689e573c611579b23fdf713d992c39c46d74c45e8190ad63d2 |
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\System\Process.txt
| MD5 | 73fea31b1dff2ced7f9df18ec430f331 |
| SHA1 | 93a18a6fdc057056f29c7e96902d1eaf9312f07f |
| SHA256 | f92915be652ad66e4e4de872fbe105ab5539e506b7df93198cd861527acee80e |
| SHA512 | 1ef151be4999286ea01cf968874e7209c8e01ee2347bc896a1fb30dcab50362947d0377e03a45fbf75af53881706464ab209c90fb13f2fdd81ab763fe59a7a06 |
memory/2208-151-0x000000001B610000-0x000000001B620000-memory.dmp
memory/2208-152-0x000000001B610000-0x000000001B620000-memory.dmp
memory/2208-165-0x000000001C600000-0x000000001C67A000-memory.dmp
C:\Users\Admin\AppData\Local\d393223438ae649f98d07ac4eab53931\Admin@TPTLJPNX_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/2208-200-0x000000001B610000-0x000000001B620000-memory.dmp