Analysis Overview
SHA256
c6a33b915259179c2c19ad2cc0477a0e6e6d08baca8d7dca485fc1bcf13808ec
Threat Level: Known bad
The file Infected.exe was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Stealerium
Asyncrat family
AsyncRat
Async RAT payload
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Looks up geolocation information via web service
Unsigned PE
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-16 19:38
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-16 19:38
Reported
2023-11-16 19:43
Platform
win10v2004-20231023-en
Max time kernel
272s
Max time network
278s
Command Line
Signatures
AsyncRat
Stealerium
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.194.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.245.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | agent-thumbnail.gl.at.ply.gg | udp |
| US | 147.185.221.17:21402 | agent-thumbnail.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.240.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 147.185.221.17:21402 | agent-thumbnail.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | 97.114.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp |
Files
memory/2868-0-0x00000000007D0000-0x00000000007E6000-memory.dmp
memory/2868-1-0x00007FFBE0860000-0x00007FFBE1321000-memory.dmp
memory/2868-2-0x000000001B5F0000-0x000000001B600000-memory.dmp
memory/2868-3-0x00007FFBF4910000-0x00007FFBF4B05000-memory.dmp
memory/2868-6-0x00007FFBE0860000-0x00007FFBE1321000-memory.dmp
memory/2868-7-0x000000001B5F0000-0x000000001B600000-memory.dmp
memory/2868-8-0x00007FFBF4910000-0x00007FFBF4B05000-memory.dmp
memory/2868-9-0x000000001B510000-0x000000001B586000-memory.dmp
memory/2868-10-0x000000001D2F0000-0x000000001D478000-memory.dmp
memory/2868-11-0x0000000002A80000-0x0000000002A9E000-memory.dmp
memory/2868-16-0x00000000028C0000-0x00000000028CA000-memory.dmp
C:\Users\Admin\AppData\Local\957b65dc9ff4dfdf0fc76aada1e55ec9\Admin@FEUTZCII_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
C:\Users\Admin\AppData\Local\957b65dc9ff4dfdf0fc76aada1e55ec9\Admin@FEUTZCII_en-US\System\Process.txt
| MD5 | de769046c672e8f33dc5333c79312590 |
| SHA1 | 5adcae6f4048dbb64725ad15d8d1270c4e055926 |
| SHA256 | 21cab09f31a298d3ef2c4df90e0d505aab5017da6383dc8e34d3184ec574c87d |
| SHA512 | f26558591b001651eb08261e445b068add9b78e0be1448cc5618eb9bd1b076bf4400fe3f2be14391695d46a4eed6b017030f44571bcf99650ce477c5b06b5084 |
memory/2868-151-0x000000001B5F0000-0x000000001B600000-memory.dmp
memory/2868-152-0x000000001B5F0000-0x000000001B600000-memory.dmp
memory/2868-163-0x000000001BA00000-0x000000001BA7A000-memory.dmp