Malware Analysis Report

2025-04-13 12:31

Sample ID 240402-nklyqagh37
Target 2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.zip
SHA256 4ef157a28994487a5d0bf16155550b380caeaf8d889b9d002a5a28029ddb5bd9
Tags asyncrat new_n4 rat spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 4ef157a28994487a5d0bf16155550b380caeaf8d889b9d002a5a28029ddb5bd9

Threat Level: Known bad

The file 2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat new_n4 rat spyware stealer

AsyncRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Drops startup file

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-02 11:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-02 11:27

Reported

2024-04-02 11:29

Platform

win7-20240221-en

Max time kernel

121s

Max time network

145s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2332 created 1216 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Windows\Explorer.EXE
PID 2332 created 1216 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Windows\Explorer.EXE

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2828 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2828 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif
PID 2828 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif
PID 2828 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif
PID 2828 wrote to memory of 2332 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif
PID 2828 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2828 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2828 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2828 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2332 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Windows\SysWOW64\cmd.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe

"C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Newsletters Newsletters.bat & Newsletters.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 5222

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Reaching + Finest + Environmental + Tons + Symbols + Rice 5222\Soldiers.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Triangle + Ave + Tray 5222\o

C:\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif

5222\Soldiers.pif 5222\o

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & echo URL="C:\Users\Admin\AppData\Local\StitchCraft Studios Co\FinestitchR.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & exit

C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 WsMSIOffeNnJ.WsMSIOffeNnJ udp
US 8.8.8.8:53 fttuvgt.ddnsfree.com udp
PL 195.3.223.146:6667 fttuvgt.ddnsfree.com tcp
PL 195.3.223.146:6668 fttuvgt.ddnsfree.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Newsletters

MD5 1c4cabf20ffeef1a7d9e71d77d5c62fa
SHA1 b6cfa0efd9b12a9b5f929ce3a41dab8dbb454656
SHA256 8145332923bbb85ae2517c87b587b2de275219badf769fbc4064e3f76d1b26c0
SHA512 39abf36ba0d2cc633abe7525e267b09418bd13aac906c24c00c106f0358671b1fc75cff6a26e6a9a3ec01249fc140441431ef18d2585c00e78f9973504f22a0b

C:\Users\Admin\AppData\Local\Temp\Reaching

MD5 c3a422b148a736804f525f481f289d2d
SHA1 2cead45c5bdcc21213701bc92f45d2ab3e9e7258
SHA256 520b4a0ca94396abb97ea723ed7d6dfa7880cce4013d2f998b3c83090295d254
SHA512 ddf1ba3d23f9b5363f3b1817e705ae4da6cddc3218c6778896eca9ec30ed0d0daf66cc502d133a56c4f880efeea026b0d513024e82d825684701e12a7339bb50

C:\Users\Admin\AppData\Local\Temp\Finest

MD5 190d5cc5f06756ecfd8284f7ca962cba
SHA1 0192bc94f63a4d999848d18b5b3400f53bc266ea
SHA256 c848899356852d7cdd43ce525b0f464db427252ad07c539c064cb89a7bdbc5a2
SHA512 e83ece7b2de4d376e08fb41e08139fe2793f705af86a0ebe379396712fd005e6961e8b7eb2d3b8b8c9711ee515d73a4870968038090885e4795c8f6b39e5f0ad

C:\Users\Admin\AppData\Local\Temp\Environmental

MD5 4a094b9a89ae4c55768e8e012ee4d023
SHA1 9d625903d40e8563a91171db01549302acb26091
SHA256 8948e23d1611624abd88ef91d7ab119efe22896b8d12370ab2989d10f5fd8185
SHA512 c40ad8c7294cbd4e3bd26229d4b2054b131a912005a0221c442c3f12d6cfebe1541738a8f4d1439071fd15c794b4cbc1b5ba0fd2a64adcd7d35615523bb590bc

C:\Users\Admin\AppData\Local\Temp\Tons

MD5 639ac7a58107cc48b3d0f9ea512c4fae
SHA1 a34aede82b0042f6e87902fbdd8e4a3ead6746f8
SHA256 72d8b933bbe09704f7f5200ba648fbc12a26b0cf7b232c2f7172c1dcf6b5abef
SHA512 794349c95e93f6fd5227ddce23bba317d8862c7d7ba4ac6c84adf59a127f39943a3c55e4949664197e7970b2d48d9afbe1b0fdde55562ffdacc5b2821621c85c

C:\Users\Admin\AppData\Local\Temp\Symbols

MD5 ced8fcd39719d599d0f4d9561e6fe507
SHA1 59eb5f73d676efae575623e546978d42decf6260
SHA256 1927ede910ccaee4f846eb85401f63dc5860f5db5a66562b54853e59e437dd1e
SHA512 a7bb599680bdb57e8a4c559a21403737e75d206798cebd53d0dd3939ef00445d8009c404772e23015919ba90ba522b87ef3cf44a7df6682fb2b622b2b67edfe0

C:\Users\Admin\AppData\Local\Temp\Rice

MD5 0b0c7642bf84588d7fb643e251001b81
SHA1 4a7435708db3e0eea8d3e5ab9e78cdcfafdec4cd
SHA256 047ee02962359b321112610fd3fa7ab416b028b9a2bee3cd7343de7641136aec
SHA512 09b1800306461fe1fa1df0dc3a7a2b91de4a44dff950bec7eaef0de7b9c4f5c46d087f09f67ba4d819d5fd9ca1a6c44d8fa3d26ca20d80b672423c7bdc5b3dae

C:\Users\Admin\AppData\Local\Temp\Triangle

MD5 530605e3eccc1595d537b0baeabf2b36
SHA1 6a52cb76c3b5a615895f85e565cb219d5da56416
SHA256 86151ad1b478399281ea7d5de476f6e3709fa17383d44e607ef62df9fefe8ec1
SHA512 e397c19f63350bf6066f702cb7e9140effd235656d3f7c02bd8fdc11f4bdd36c1947a2109e845118b3cc9224e4c50dc1fb3a3cd3762348ee1d4006e368f52614

C:\Users\Admin\AppData\Local\Temp\Ave

MD5 2af9a11316c5ec31d8429dd37e50b06b
SHA1 cee13a90c0ba136825716f2dd1d517ec55bc3777
SHA256 a49d011010b21fbe725d1f635e279285580a7d35e0eaf6d53ba8fc1d3bc8d8f0
SHA512 2e05fbbd670b291b4fdb5f41b27c120f16b3a49ad61eed467efdb9178345c2b6889a5ed18728c123e1a5c7d29d26fa3ad98c50565bc4a88b6868708931a09831

C:\Users\Admin\AppData\Local\Temp\Tray

MD5 83838b9779309c6deff2ecd321607cea
SHA1 09e321410d80ea507e8426de23967db9d9478e72
SHA256 6718bc24cfddc6f194e5fe687fdeae9a189aaec7908a1545863cb1b43fdbf30c
SHA512 5076d2808b31f63dc03f686b3434e210ee598b633df1b1f151d0a7c5e2fc3074209174451a5493fd232d52fdbf35a6459f29a45411144153464cf87ef558fc58

\Users\Admin\AppData\Local\Temp\5222\Soldiers.pif

MD5 62d09f076e6e0240548c2f837536a46a
SHA1 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

C:\Users\Admin\AppData\Local\Temp\5222\o

MD5 fc2e0f6ae9c49f4c1f73e1a455bda758
SHA1 00297b73b0b5152c46e8a5517c10660fa37b1724
SHA256 d2f8bad64a400060d230415a15f38449037907a6dd0e2d8e3f3b3c047a5be3f2
SHA512 c88c0329f7827ac803b15dbfd59d09965832cb76e82390b1d27f22e9114f7e4adf38493fc97f816c0e0b8bbbc0b68a5d22f74bd7d783cf9bad0485e8328df2a0

memory/2332-26-0x00000000775E0000-0x00000000776B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\5222\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/2332-36-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/1596-37-0x0000000000090000-0x00000000000A6000-memory.dmp

memory/1596-42-0x0000000000090000-0x00000000000A6000-memory.dmp

memory/1596-40-0x0000000000090000-0x00000000000A6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar7A17.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-02 11:27

Reported

2024-04-02 11:30

Platform

win10v2004-20240226-en

Max time kernel

91s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 404 created 3504 N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif C:\Windows\Explorer.EXE
PID 404 created 3504 N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif C:\Windows\Explorer.EXE

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5231\RegAsm.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5231\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5231\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1132 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe C:\Windows\SysWOW64\cmd.exe
PID 1132 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1772 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1772 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1772 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1772 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1772 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1772 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1772 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1772 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 1772 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1772 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1772 wrote to memory of 3468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1772 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 4760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif
PID 1772 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif
PID 1772 wrote to memory of 404 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif
PID 1772 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1772 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1772 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 404 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif C:\Windows\SysWOW64\cmd.exe
PID 404 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5231\RegAsm.exe
PID 404 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5231\RegAsm.exe
PID 404 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5231\RegAsm.exe
PID 404 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5231\RegAsm.exe
PID 404 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif C:\Users\Admin\AppData\Local\Temp\5231\RegAsm.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe

"C:\Users\Admin\AppData\Local\Temp\2e48ee0fb3ddd63efeecd900a9d2bde365e2fe1fcbb3c43c882362ae935c5066.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c move Newsletters Newsletters.bat & Newsletters.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 5231

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Reaching + Finest + Environmental + Tons + Symbols + Rice 5231\Soldiers.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Triangle + Ave + Tray 5231\o

C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif

5231\Soldiers.pif 5231\o

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & echo URL="C:\Users\Admin\AppData\Local\StitchCraft Studios Co\FinestitchR.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FinestitchR.url" & exit

C:\Users\Admin\AppData\Local\Temp\5231\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\5231\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 WsMSIOffeNnJ.WsMSIOffeNnJ udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 fttuvgt.ddnsfree.com udp
PL 195.3.223.146:6969 fttuvgt.ddnsfree.com tcp
US 8.8.8.8:53 146.223.3.195.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 95.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Newsletters

MD5 1c4cabf20ffeef1a7d9e71d77d5c62fa
SHA1 b6cfa0efd9b12a9b5f929ce3a41dab8dbb454656
SHA256 8145332923bbb85ae2517c87b587b2de275219badf769fbc4064e3f76d1b26c0
SHA512 39abf36ba0d2cc633abe7525e267b09418bd13aac906c24c00c106f0358671b1fc75cff6a26e6a9a3ec01249fc140441431ef18d2585c00e78f9973504f22a0b

C:\Users\Admin\AppData\Local\Temp\Reaching

MD5 c3a422b148a736804f525f481f289d2d
SHA1 2cead45c5bdcc21213701bc92f45d2ab3e9e7258
SHA256 520b4a0ca94396abb97ea723ed7d6dfa7880cce4013d2f998b3c83090295d254
SHA512 ddf1ba3d23f9b5363f3b1817e705ae4da6cddc3218c6778896eca9ec30ed0d0daf66cc502d133a56c4f880efeea026b0d513024e82d825684701e12a7339bb50

C:\Users\Admin\AppData\Local\Temp\Finest

MD5 190d5cc5f06756ecfd8284f7ca962cba
SHA1 0192bc94f63a4d999848d18b5b3400f53bc266ea
SHA256 c848899356852d7cdd43ce525b0f464db427252ad07c539c064cb89a7bdbc5a2
SHA512 e83ece7b2de4d376e08fb41e08139fe2793f705af86a0ebe379396712fd005e6961e8b7eb2d3b8b8c9711ee515d73a4870968038090885e4795c8f6b39e5f0ad

C:\Users\Admin\AppData\Local\Temp\Symbols

MD5 ced8fcd39719d599d0f4d9561e6fe507
SHA1 59eb5f73d676efae575623e546978d42decf6260
SHA256 1927ede910ccaee4f846eb85401f63dc5860f5db5a66562b54853e59e437dd1e
SHA512 a7bb599680bdb57e8a4c559a21403737e75d206798cebd53d0dd3939ef00445d8009c404772e23015919ba90ba522b87ef3cf44a7df6682fb2b622b2b67edfe0

C:\Users\Admin\AppData\Local\Temp\Environmental

MD5 4a094b9a89ae4c55768e8e012ee4d023
SHA1 9d625903d40e8563a91171db01549302acb26091
SHA256 8948e23d1611624abd88ef91d7ab119efe22896b8d12370ab2989d10f5fd8185
SHA512 c40ad8c7294cbd4e3bd26229d4b2054b131a912005a0221c442c3f12d6cfebe1541738a8f4d1439071fd15c794b4cbc1b5ba0fd2a64adcd7d35615523bb590bc

C:\Users\Admin\AppData\Local\Temp\Rice

MD5 0b0c7642bf84588d7fb643e251001b81
SHA1 4a7435708db3e0eea8d3e5ab9e78cdcfafdec4cd
SHA256 047ee02962359b321112610fd3fa7ab416b028b9a2bee3cd7343de7641136aec
SHA512 09b1800306461fe1fa1df0dc3a7a2b91de4a44dff950bec7eaef0de7b9c4f5c46d087f09f67ba4d819d5fd9ca1a6c44d8fa3d26ca20d80b672423c7bdc5b3dae

C:\Users\Admin\AppData\Local\Temp\Tons

MD5 639ac7a58107cc48b3d0f9ea512c4fae
SHA1 a34aede82b0042f6e87902fbdd8e4a3ead6746f8
SHA256 72d8b933bbe09704f7f5200ba648fbc12a26b0cf7b232c2f7172c1dcf6b5abef
SHA512 794349c95e93f6fd5227ddce23bba317d8862c7d7ba4ac6c84adf59a127f39943a3c55e4949664197e7970b2d48d9afbe1b0fdde55562ffdacc5b2821621c85c

C:\Users\Admin\AppData\Local\Temp\Triangle

MD5 530605e3eccc1595d537b0baeabf2b36
SHA1 6a52cb76c3b5a615895f85e565cb219d5da56416
SHA256 86151ad1b478399281ea7d5de476f6e3709fa17383d44e607ef62df9fefe8ec1
SHA512 e397c19f63350bf6066f702cb7e9140effd235656d3f7c02bd8fdc11f4bdd36c1947a2109e845118b3cc9224e4c50dc1fb3a3cd3762348ee1d4006e368f52614

C:\Users\Admin\AppData\Local\Temp\Tray

MD5 83838b9779309c6deff2ecd321607cea
SHA1 09e321410d80ea507e8426de23967db9d9478e72
SHA256 6718bc24cfddc6f194e5fe687fdeae9a189aaec7908a1545863cb1b43fdbf30c
SHA512 5076d2808b31f63dc03f686b3434e210ee598b633df1b1f151d0a7c5e2fc3074209174451a5493fd232d52fdbf35a6459f29a45411144153464cf87ef558fc58

C:\Users\Admin\AppData\Local\Temp\Ave

MD5 2af9a11316c5ec31d8429dd37e50b06b
SHA1 cee13a90c0ba136825716f2dd1d517ec55bc3777
SHA256 a49d011010b21fbe725d1f635e279285580a7d35e0eaf6d53ba8fc1d3bc8d8f0
SHA512 2e05fbbd670b291b4fdb5f41b27c120f16b3a49ad61eed467efdb9178345c2b6889a5ed18728c123e1a5c7d29d26fa3ad98c50565bc4a88b6868708931a09831

C:\Users\Admin\AppData\Local\Temp\5231\Soldiers.pif

MD5 62d09f076e6e0240548c2f837536a46a
SHA1 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

C:\Users\Admin\AppData\Local\Temp\5231\o

MD5 fc2e0f6ae9c49f4c1f73e1a455bda758
SHA1 00297b73b0b5152c46e8a5517c10660fa37b1724
SHA256 d2f8bad64a400060d230415a15f38449037907a6dd0e2d8e3f3b3c047a5be3f2
SHA512 c88c0329f7827ac803b15dbfd59d09965832cb76e82390b1d27f22e9114f7e4adf38493fc97f816c0e0b8bbbc0b68a5d22f74bd7d783cf9bad0485e8328df2a0

memory/404-25-0x00000000770D1000-0x00000000771F1000-memory.dmp

memory/404-34-0x0000000000E00000-0x0000000000E01000-memory.dmp

memory/3016-35-0x0000000000B90000-0x0000000000BA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5231\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/3016-38-0x0000000073B60000-0x0000000074310000-memory.dmp

memory/3016-39-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/3016-40-0x0000000005B20000-0x00000000060C4000-memory.dmp

memory/3016-41-0x0000000005760000-0x00000000057F2000-memory.dmp

memory/3016-42-0x0000000005750000-0x000000000575A000-memory.dmp

memory/3016-46-0x0000000006850000-0x00000000068B6000-memory.dmp

memory/3016-45-0x00000000067B0000-0x000000000684C000-memory.dmp

memory/3016-47-0x0000000073B60000-0x0000000074310000-memory.dmp

memory/3016-48-0x00000000052C0000-0x00000000052D0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-02 11:27

Reported

2024-04-02 11:27

Platform

win7-20231129-en

Max time kernel

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-02 11:27

Reported

2024-04-02 11:27

Platform

win10v2004-20240226-en

Max time kernel

0s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 udp

Files

N/A