Analysis
-
max time kernel
1s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
12-01-2024 17:18
General
-
Target
38312527c8f936445c85e7ddde36f420.exe
-
Size
73KB
-
MD5
38312527c8f936445c85e7ddde36f420
-
SHA1
725a7f7522e907878eb84456ccb0424332b5cdd6
-
SHA256
3df5b2d8fa12771d01180865d86b83385535794b18232cca17e5a7e3fac585fb
-
SHA512
b748a3c76aaeefe29ca856ebbe49b7e316c992af399e6678bb43e0bef297e03cf0144b06cad64a9c46c6a2950e38036a07bd9e3dc23cc67f1b63702153fc38d0
-
SSDEEP
1536:6aUqAcxVMW7eTmJ9rxjJTkdK4WaxHdSzPMwy/eqmmRhdWVH1bfbCeZkwzUIbVclN:6aUTcxVMW7eiJ9rxjJTkdK4WaP0PMwh6
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.2
Exodus
91.92.255.187:4449
ypyertvpyqfr
-
delay
1
-
install
true
-
install_file
chromeupdate.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\38312527c8f936445c85e7ddde36f420.exe"C:\Users\Admin\AppData\Local\Temp\38312527c8f936445c85e7ddde36f420.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4DC2.tmp.bat""2⤵
-
C:\Users\Admin\AppData\Roaming\chromeupdate.exe"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"' & exit2⤵
-
C:\Windows\system32\timeout.exetimeout 31⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "chromeupdate" /tr '"C:\Users\Admin\AppData\Roaming\chromeupdate.exe"'1⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp4DC2.tmp.batFilesize
156B
MD5dd7505e530bfc8c32155079ec879a969
SHA122245288547179d544844385161cfba332851f86
SHA256f5a1eb941d9ad98655252ff0285e887e34ef35a636d637d2377ce21d075a6caa
SHA512d8babc5dd71a246347522aca10b62346325365487490cca4acab888591ea6a3f7d8866254ff41a3ae665618dda3d09d47414b798bbdc687b69e4c37c98204e35
-
memory/864-17-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/864-16-0x00007FFD58560000-0x00007FFD59021000-memory.dmpFilesize
10.8MB
-
memory/864-18-0x00007FFD58560000-0x00007FFD59021000-memory.dmpFilesize
10.8MB
-
memory/864-19-0x000000001B170000-0x000000001B180000-memory.dmpFilesize
64KB
-
memory/4600-0-0x00000000008D0000-0x00000000008E8000-memory.dmpFilesize
96KB
-
memory/4600-3-0x0000000001190000-0x00000000011A0000-memory.dmpFilesize
64KB
-
memory/4600-2-0x00007FFD58FC0000-0x00007FFD59A81000-memory.dmpFilesize
10.8MB
-
memory/4600-10-0x00007FFD58FC0000-0x00007FFD59A81000-memory.dmpFilesize
10.8MB
-
memory/4600-11-0x00007FFD76F70000-0x00007FFD77165000-memory.dmpFilesize
2.0MB
-
memory/4600-8-0x00007FFD76F70000-0x00007FFD77165000-memory.dmpFilesize
2.0MB