Analysis

  • max time kernel
    121s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/04/2024, 11:27

General

  • Target

    2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe

  • Size

    647KB

  • MD5

    4532fe89506406de9ebaa83778d74c8f

  • SHA1

    8015b822fc7df8d33ec3416e773f7189e9b74b5f

  • SHA256

    2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066

  • SHA512

    50706520d3df0669ac2b7a75a6a234cd28deec92e8be98e0e4ce7ef8848952cc07b53e30723bf4668ee3f940714360f6ba705bfe83e2d47f3163c86e407ba36a

  • SSDEEP

    12288:w3qcsNKVUdaaPDodw7y1Q3krddMK341VhJ5mhj2ZCm03Pjzkjp:w33uK2daGz+1Q3qdMKoDhJkhWCmQjzAp

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

NEW_N4

C2

fttuvgt.ddnsfree.com:6969

fttuvgt.ddnsfree.com:6668

fttuvgt.ddnsfree.com:6667

Mutex

AsyncMutex_xxx342592

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is an open-source remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe
      "C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c move Newsletters Newsletters.bat & Newsletters.bat
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2612
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:2628
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2908
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:2676
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 5222
          4⤵
          PID:2444
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Reaching + Finest + Environmental + Tons + Symbols + Rice 5222\Soldiers.pif
          4⤵
          PID:2600
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Triangle + Ave + Tray 5222\o
          4⤵
          PID:2672
        • C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif
          5222\Soldiers.pif 5222\o
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2332
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2412
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & echo URL="C:\Users\Admin\AppData\Local\StitchCraft Studios Co\FinestitchR.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & exit
      2⤵
      • Drops startup file
      PID:2488
    • C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1596
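The process tree above is a complete staging chain: a batch file checks tasklist output for security-product names, rebuilds two payloads from dropped fragments with copy /b, runs Soldiers.pif with the reassembled script, sleeps with a loopback ping, writes a .url InternetShortcut into the Startup folder pointing at a .js file, and ends in RegAsm.exe running from %Temp% (where the AsyncRAT config was extracted). Note that the Startup writer (PID 2488) and RegAsm.exe (PID 1596) appear at depth 2 under Explorer.EXE rather than under Soldiers.pif, a placement consistent with the NtCreateUserProcessOtherParentProcess signature raised on Soldiers.pif (a spoofed parent), so parent/child relations alone are an unreliable pivot for this chain. The following is an added example, not code from the sandbox report: command-line rules for each stage, run over process-creation records constructed here to mirror the report's command lines and PIDs (the field names pid, ppid, image and cmdline are an assumed generic schema, not any particular EDR's; the benign RegAsm.exe event is constructed to show the rule does not fire on the real framework path).

```python
# Added example, not code from the sandbox report: command-line detections for the
# staging chain in the process tree. The events below are constructed to mirror the
# report's command lines and PIDs; the record fields (pid, ppid, image, cmdline) are
# an assumed generic schema, not any particular EDR's.
import re
from collections import defaultdict

# Security-product process names the dropper's findstr filters look for (from the report).
AV_NAMES = ("wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
            "nswscsvc.exe", "sophoshealth.exe")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
DOTNET_DIRS = ("\\windows\\microsoft.net\\framework\\",
               "\\windows\\microsoft.net\\framework64\\")

# copy /b with at least two sources joined by '+', capturing the destination.
COPY_B = re.compile(r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+(\S+)\s*$", re.I)
# ping against loopback with a count: the classic batch-file sleep.
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+(?:127\.0\.0\.1|localhost)\b", re.I)
# .url body whose URL= line points at a script-engine target.
URL_TARGET = re.compile(r"url=.*?\.(?:js|jse|vbs|vbe|wsf|hta|bat|cmd)\b", re.I)


def detect(events):
    """Return (rule, pid, detail) for every event matching one of the staging rules."""
    hits = []
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)

    for ev in events:
        image, cmd = ev["image"].lower(), ev["cmdline"]
        low = cmd.lower()

        # 1. Binary concatenation of dropped fragments into a single payload.
        m = COPY_B.search(cmd)
        if m:
            hits.append(("copy_b_reassembly", ev["pid"], m.group(1)))

        # 2. findstr /I over security-product names, fed by a sibling tasklist
        #    under the same parent (the batch interpreter).
        if image.endswith("\\findstr.exe"):
            names = [n for n in AV_NAMES if n in low]
            fed_by_tasklist = any(s["image"].lower().endswith("\\tasklist.exe")
                                  for s in children[ev["ppid"]])
            if names and fed_by_tasklist:
                hits.append(("av_process_check", ev["pid"], ",".join(names)))

        # 3. InternetShortcut (.url) written into the Startup folder, pointing at a script.
        if STARTUP_DIR in low and ".url" in low and "[internetshortcut]" in low:
            t = URL_TARGET.search(cmd)
            if t:
                hits.append(("startup_url_persistence", ev["pid"], t.group(0)))

        # 4. RegAsm.exe running from anywhere but the .NET framework directories.
        if image.endswith("\\regasm.exe") and not any(d in image for d in DOTNET_DIRS):
            hits.append(("regasm_outside_dotnet", ev["pid"], ev["image"]))

        # 5. Loopback ping used as a delay inside the batch chain.
        if PING_SLEEP.search(cmd):
            hits.append(("ping_sleep", ev["pid"], cmd))
    return hits


def make_event(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed events following the report's tree (PIDs as reported), plus one benign
# RegAsm.exe launch from the real framework directory (PID 4000, constructed).
SAMPLE_EVENTS = [
    make_event(2828, 1964, r"C:\Windows\SysWOW64\cmd.exe",
               r'"C:\Windows\System32\cmd.exe" /c move Newsletters Newsletters.bat & Newsletters.bat'),
    make_event(2612, 2828, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    make_event(2628, 2828, r"C:\Windows\SysWOW64\findstr.exe", r'findstr /I "wrsa.exe opssvc.exe"'),
    make_event(2908, 2828, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    make_event(2676, 2828, r"C:\Windows\SysWOW64\findstr.exe",
               r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    make_event(2444, 2828, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 5222"),
    make_event(2600, 2828, r"C:\Windows\SysWOW64\cmd.exe",
               r"cmd /c copy /b Reaching + Finest + Environmental + Tons + Symbols + Rice 5222\Soldiers.pif"),
    make_event(2672, 2828, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Triangle + Ave + Tray 5222\o"),
    make_event(2412, 2828, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
    make_event(2488, 1216, r"C:\Windows\SysWOW64\cmd.exe",
               r'cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & echo URL="C:\Users\Admin\AppData\Local\StitchCraft Studios Co\FinestitchR.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & exit'),
    make_event(1596, 1216, r"C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe",
               r"C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe"),
    make_event(4000, 1216, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",  # constructed benign
               r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe /codebase C:\dev\Example.dll"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid} {detail}")
```

Running it yields seven hits: both findstr checks, both copy /b reassemblies (with their destinations 5222\Soldiers.pif and 5222\o), the ping sleep, the Startup .url drop and the RegAsm.exe launch from %Temp%; the framework-path RegAsm.exe is not flagged. Rule 2 deliberately requires the tasklist sibling so that an administrator grepping tasklist output for a single product name by hand is less likely to trip it.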

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                Filesize

                68KB

                MD5

                29f65ba8e88c063813cc50a4ea544e93

                SHA1

                05a7040d5c127e68c25d81cc51271ffb8bef3568

                SHA256

                1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

                SHA512

                e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

              • C:\Users\Admin\AppData\Local\Temp\5222\o

                Filesize

                507KB

                MD5

                fc2e0f6ae9c49f4c1f73e1a455bda758

                SHA1

                00297b73b0b5152c46e8a5517c10660fa37b1724

                SHA256

                d2f8bad64a400060d230415a15f38449037907a6dd0e2d8e3f3b3c047a5be3f2

                SHA512

                c88c0329f7827ac803b15dbfd59d09965832cb76e82390b1d27f22e9114f7e4adf38493fc97f816c0e0b8bbbc0b68a5d22f74bd7d783cf9bad0485e8328df2a0

              • C:\Users\Admin\AppData\Local\Temp\Ave

                Filesize

                282KB

                MD5

                2af9a11316c5ec31d8429dd37e50b06b

                SHA1

                cee13a90c0ba136825716f2dd1d517ec55bc3777

                SHA256

                a49d011010b21fbe725d1f635e279285580a7d35e0eaf6d53ba8fc1d3bc8d8f0

                SHA512

                2e05fbbd670b291b4fdb5f41b27c120f16b3a49ad61eed467efdb9178345c2b6889a5ed18728c123e1a5c7d29d26fa3ad98c50565bc4a88b6868708931a09831

              • C:\Users\Admin\AppData\Local\Temp\Environmental

                Filesize

                184KB

                MD5

                4a094b9a89ae4c55768e8e012ee4d023

                SHA1

                9d625903d40e8563a91171db01549302acb26091

                SHA256

                8948e23d1611624abd88ef91d7ab119efe22896b8d12370ab2989d10f5fd8185

                SHA512

                c40ad8c7294cbd4e3bd26229d4b2054b131a912005a0221c442c3f12d6cfebe1541738a8f4d1439071fd15c794b4cbc1b5ba0fd2a64adcd7d35615523bb590bc

              • C:\Users\Admin\AppData\Local\Temp\Finest

                Filesize

                286KB

                MD5

                190d5cc5f06756ecfd8284f7ca962cba

                SHA1

                0192bc94f63a4d999848d18b5b3400f53bc266ea

                SHA256

                c848899356852d7cdd43ce525b0f464db427252ad07c539c064cb89a7bdbc5a2

                SHA512

                e83ece7b2de4d376e08fb41e08139fe2793f705af86a0ebe379396712fd005e6961e8b7eb2d3b8b8c9711ee515d73a4870968038090885e4795c8f6b39e5f0ad

              • C:\Users\Admin\AppData\Local\Temp\Newsletters

                Filesize

                26KB

                MD5

                1c4cabf20ffeef1a7d9e71d77d5c62fa

                SHA1

                b6cfa0efd9b12a9b5f929ce3a41dab8dbb454656

                SHA256

                8145332923bbb85ae2517c87b587b2de275219badf769fbc4064e3f76d1b26c0

                SHA512

                39abf36ba0d2cc633abe7525e267b09418bd13aac906c24c00c106f0358671b1fc75cff6a26e6a9a3ec01249fc140441431ef18d2585c00e78f9973504f22a0b

              • C:\Users\Admin\AppData\Local\Temp\Reaching

                Filesize

                292KB

                MD5

                c3a422b148a736804f525f481f289d2d

                SHA1

                2cead45c5bdcc21213701bc92f45d2ab3e9e7258

                SHA256

                520b4a0ca94396abb97ea723ed7d6dfa7880cce4013d2f998b3c83090295d254

                SHA512

                ddf1ba3d23f9b5363f3b1817e705ae4da6cddc3218c6778896eca9ec30ed0d0daf66cc502d133a56c4f880efeea026b0d513024e82d825684701e12a7339bb50

              • C:\Users\Admin\AppData\Local\Temp\Rice

                Filesize

                41KB

                MD5

                0b0c7642bf84588d7fb643e251001b81

                SHA1

                4a7435708db3e0eea8d3e5ab9e78cdcfafdec4cd

                SHA256

                047ee02962359b321112610fd3fa7ab416b028b9a2bee3cd7343de7641136aec

                SHA512

                09b1800306461fe1fa1df0dc3a7a2b91de4a44dff950bec7eaef0de7b9c4f5c46d087f09f67ba4d819d5fd9ca1a6c44d8fa3d26ca20d80b672423c7bdc5b3dae

              • C:\Users\Admin\AppData\Local\Temp\Symbols

                Filesize

                33KB

                MD5

                ced8fcd39719d599d0f4d9561e6fe507

                SHA1

                59eb5f73d676efae575623e546978d42decf6260

                SHA256

                1927ede910ccaee4f846eb85401f63dc5860f5db5a66562b54853e59e437dd1e

                SHA512

                a7bb599680bdb57e8a4c559a21403737e75d206798cebd53d0dd3939ef00445d8009c404772e23015919ba90ba522b87ef3cf44a7df6682fb2b622b2b67edfe0

              • C:\Users\Admin\AppData\Local\Temp\Tar7A17.tmp

                Filesize

                177KB

                MD5

                435a9ac180383f9fa094131b173a2f7b

                SHA1

                76944ea657a9db94f9a4bef38f88c46ed4166983

                SHA256

                67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

                SHA512

                1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

              • C:\Users\Admin\AppData\Local\Temp\Tons

                Filesize

                89KB

                MD5

                639ac7a58107cc48b3d0f9ea512c4fae

                SHA1

                a34aede82b0042f6e87902fbdd8e4a3ead6746f8

                SHA256

                72d8b933bbe09704f7f5200ba648fbc12a26b0cf7b232c2f7172c1dcf6b5abef

                SHA512

                794349c95e93f6fd5227ddce23bba317d8862c7d7ba4ac6c84adf59a127f39943a3c55e4949664197e7970b2d48d9afbe1b0fdde55562ffdacc5b2821621c85c

              • C:\Users\Admin\AppData\Local\Temp\Tray

                Filesize

                12KB

                MD5

                83838b9779309c6deff2ecd321607cea

                SHA1

                09e321410d80ea507e8426de23967db9d9478e72

                SHA256

                6718bc24cfddc6f194e5fe687fdeae9a189aaec7908a1545863cb1b43fdbf30c

                SHA512

                5076d2808b31f63dc03f686b3434e210ee598b633df1b1f151d0a7c5e2fc3074209174451a5493fd232d52fdbf35a6459f29a45411144153464cf87ef558fc58

              • C:\Users\Admin\AppData\Local\Temp\Triangle

                Filesize

                213KB

                MD5

                530605e3eccc1595d537b0baeabf2b36

                SHA1

                6a52cb76c3b5a615895f85e565cb219d5da56416

                SHA256

                86151ad1b478399281ea7d5de476f6e3709fa17383d44e607ef62df9fefe8ec1

                SHA512

                e397c19f63350bf6066f702cb7e9140effd235656d3f7c02bd8fdc11f4bdd36c1947a2109e845118b3cc9224e4c50dc1fb3a3cd3762348ee1d4006e368f52614

              • \Users\Admin\AppData\Local\Temp\5222\RegAsm.exe

                Filesize

                63KB

                MD5

                b58b926c3574d28d5b7fdd2ca3ec30d5

                SHA1

                d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

                SHA256

                6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

                SHA512

                b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

              • \Users\Admin\AppData\Local\Temp\5222\Soldiers.pif

                Filesize

                925KB

                MD5

                62d09f076e6e0240548c2f837536a46a

                SHA1

                26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

                SHA256

                1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

                SHA512

                32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

              • memory/1596-37-0x0000000000090000-0x00000000000A6000-memory.dmp

                Filesize

                88KB

              • memory/1596-42-0x0000000000090000-0x00000000000A6000-memory.dmp

                Filesize

                88KB

              • memory/1596-40-0x0000000000090000-0x00000000000A6000-memory.dmp

                Filesize

                88KB

              • memory/2332-36-0x00000000000B0000-0x00000000000B1000-memory.dmp

                Filesize

                4KB

              • memory/2332-26-0x00000000775E0000-0x00000000776B6000-memory.dmp

                Filesize

                856KB
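The fragment sizes listed above line up with the two copy /b commands in the process tree: Reaching + Finest + Environmental + Tons + Symbols + Rice is 292 + 286 + 184 + 89 + 33 + 41 = 925KB, the reported size of Soldiers.pif, and Triangle + Ave + Tray is 213 + 282 + 12 = 507KB, the reported size of o. The fragments are therefore the whole payload, and the hashes worth blocking are those of the reassembled files, since no fragment's hash ever matches the executable that actually runs. The following is an added example, not code from the sandbox report: it parses the copy /b lines, cross-checks the reported sizes (rounded to whole KB, so 1KB of slack per file is allowed), and emulates the byte-level reassembly on constructed fragment contents (random bytes of the reported sizes) to show that the assembled hash differs from every fragment hash. Only the file names, their order and the KB sizes come from the report.

```python
# Added example, not code from the sandbox report: emulates the copy /b reassembly
# from the process tree and cross-checks it against the reported fragment sizes.
# Fragment contents are constructed (random bytes); names, order and KB sizes are
# taken from the report.
import hashlib
import os
import re

# Reported sizes in KB, keyed by dropped file name.
REPORTED_KB = {
    "Reaching": 292, "Finest": 286, "Environmental": 184, "Tons": 89,
    "Symbols": 33, "Rice": 41, "Triangle": 213, "Ave": 282, "Tray": 12,
    "Soldiers.pif": 925, "o": 507,
}

# The two reassembly command lines as they appear in the process tree.
COPY_CMDS = [
    r"cmd /c copy /b Reaching + Finest + Environmental + Tons + Symbols + Rice 5222\Soldiers.pif",
    r"cmd /c copy /b Triangle + Ave + Tray 5222\o",
]


def parse_copy_b(cmdline):
    """Return (ordered source names, destination) from a `copy /b A + B + C dest` line."""
    m = re.search(r"\bcopy\s+/b\s+(.+?)\s+(\S+)\s*$", cmdline, re.I)
    if not m:
        raise ValueError("not a copy /b command: " + cmdline)
    sources = [s.strip() for s in m.group(1).split("+")]
    return sources, m.group(2)


def check_sizes(cmdline, reported_kb=REPORTED_KB):
    """Compare the sum of the reported fragment sizes with the reported output size."""
    sources, dest = parse_copy_b(cmdline)
    dest_name = dest.rsplit("\\", 1)[-1]          # "5222\Soldiers.pif" -> "Soldiers.pif"
    total = sum(reported_kb[s] for s in sources)
    expected = reported_kb[dest_name]
    tolerance = len(sources) + 1                  # each size is rounded to whole KB
    return {"dest": dest_name, "fragments": sources, "sum_kb": total,
            "reported_kb": expected, "consistent": abs(total - expected) <= tolerance}


def emulate(cmdline, kb=1024):
    """Rebuild the payload exactly as copy /b does: byte concatenation in command order."""
    sources, dest = parse_copy_b(cmdline)
    fragments = {s: os.urandom(REPORTED_KB[s] * kb) for s in sources}  # constructed contents
    assembled = b"".join(fragments[s] for s in sources)
    return {
        "dest": dest,
        "size": len(assembled),
        "sha256": hashlib.sha256(assembled).hexdigest(),
        "fragment_sha256": {s: hashlib.sha256(b).hexdigest() for s, b in fragments.items()},
    }


if __name__ == "__main__":
    for cmd in COPY_CMDS:
        print(check_sizes(cmd))
        e = emulate(cmd)
        print(e["dest"], e["size"], e["sha256"])
```

The size check passes for both commands. The emulation makes the detection consequence explicit: a hash blocklist built from the dropped fragments (or a YARA rule that expects a PE header at offset 0 of each fragment) misses the payload entirely, while the assembled Soldiers.pif and o hashes in the report identify what runs.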