Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2023 15:41
Static task: static1
Behavioral task: behavioral1
Sample: b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
Resource: win7-20231020-en
Behavioral task: behavioral2
Sample: b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
Resource: win10v2004-20231130-en
General
Target: b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
Size: 1.5MB
MD5: 9ad26bb1c0b4b036924ca19466970f68
SHA1: b6079c55e40206fbc4d1ead67d36ba7d8b850eca
SHA256: b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9
SHA512: 33f71941d5c0e9c6598468d8f1837ecc3f4d204d936d23469ddf178de9c147b06f3bed2c616e1a156192c397f499c3c01406846a993a81f50dd4328efe7f1a4d
SSDEEP: 49152:LfwEitJhjw4g6Rcdz8brR4WdzbcLav8TWwzzeWof94TV/F8RvF9:8EiJjRg6Rcdz8brRxd0LavKLof98V/FO
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
113.207.105.195:15806
hanpmclowlyazr
delay: 1
install: false
install_folder: %AppData%
Signatures
Async RAT payload (1 IoC)
Processes:
resource: behavioral1/memory/1212-18-0x00000000030C0000-0x00000000030D8000-memory.dmp
yara_rule: asyncrat
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes:
pid: 1212
process: b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
(the same pid/process pair is listed for all 25 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description: Token: SeDebugPrivilege
pid: 1212
process: b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid: 1212
process: b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
Processes
C:\Users\Admin\AppData\Local\Temp\b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b97e887c34e4c51185710f3e495bb479a3a5376b0fa5c8a3828ecc12ff4bcab9.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 1212
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: 3440c7406b2fe01403fa6df19e746657
SHA1: db1cbbbbc51c7f8ea53ecea7b06228fd41edef18
SHA256: 84869fdde1399306cbb271313372ba1b738b3fe2ebb3127ab3922dbb4235f821
SHA512: cb2b64016781d0d741172ec622598d4617d67811dd34b9102b449a06d22e3f5139d9660c433200b51dcddc8ea508787f71c34b06bc69577b5314f78411c59f97

Filesize: 61KB
MD5: f3441b8572aae8801c04f3060b550443
SHA1: 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256: 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512: 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Filesize: 171KB
MD5: 9c0c641c06238516f27941aa1166d427
SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06