Overview

overview

10

Static

static

10

3caa5f0600...d5.exe

windows7-x64

10

3caa5f0600...d5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 15:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5.exe

  • Size

    74KB

  • MD5

    7ac0adf482250172280defec7a7054da

  • SHA1

    20a25f0da68c309d062c4628ead8b6f377ac7969

  • SHA256

    3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5

  • SHA512

    d03d033b931f3d39f95a1ec1cdc7d9014783f11b2438c265dd72c0bc34f9d5ced534a38c7c1c88ff930868fd9cf60521dd556b5c486c5cf364f798f39215a1aa

  • SSDEEP

    1536:WUxQcxHCapCtGPMVCe9VdQuDI6H1bf/yBZUu7QzciLVclN:WUOcxHCoeGPMVCe9VdQsH1bfqvUwQzBY

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

66.235.168.242:4449

Mutex

scgofjarww

Attributes
  • delay

    1

  • install

    true

  • install_file

    Loader.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5.exe
    "C:\Users\Admin\AppData\Local\Temp\3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Loader" /tr '"C:\Users\Admin\AppData\Roaming\Loader.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:4060
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4873.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4764
      • C:\Users\Admin\AppData\Roaming\Loader.exe
        "C:\Users\Admin\AppData\Roaming\Loader.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4900

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4873.tmp.bat
    Filesize

    150B

    MD5

    ef1e276ed5caa47d53622ad566202c7f

    SHA1

    7af8c2daf912f8cff0946eecd1bc6d6c1cf30d94

    SHA256

    f1eeefb0b8fc599b5c92a9d5f7323fb8e8169a0c38f4f820b30febe38565b5bf

    SHA512

    ea75a8254ef0b633fd7959c987a47c11bce7dc15bae58406ea2310eba18f8e44a17b5d79b7644dfa33221ece5913d70fa25a6ac2891cc94b7653546b2dae2fe7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Loader.exe
    Filesize

    74KB

    MD5

    7ac0adf482250172280defec7a7054da

    SHA1

    20a25f0da68c309d062c4628ead8b6f377ac7969

    SHA256

    3caa5f06008365fbecf46198744793c36c42309b49a6324bebe8123be10f87d5

    SHA512

    d03d033b931f3d39f95a1ec1cdc7d9014783f11b2438c265dd72c0bc34f9d5ced534a38c7c1c88ff930868fd9cf60521dd556b5c486c5cf364f798f39215a1aa

    Download Submit
  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
    Filesize

    8B

    MD5

    cf759e4c5f14fe3eec41b87ed756cea8

    SHA1

    c27c796bb3c2fac929359563676f4ba1ffada1f5

    SHA256

    c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

    SHA512

    c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

    Download Submit
  • memory/1092-0-0x00007FF815843000-0x00007FF815845000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1092-1-0x00000000002E0000-0x00000000002F8000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1092-3-0x00007FF815840000-0x00007FF816301000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1092-8-0x00007FF815840000-0x00007FF816301000-memory.dmp
    Filesize

    10.8MB

    Download