Analysis Overview
SHA256
b5af0bc161225e2ec1e0161d4a38af0b30f13a6e9e91f4ed3bc64de4e7940281
Threat Level: Known bad
The file FluxLora.zip was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Asyncrat family
AsyncRat
Async RAT payload
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 01:52
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 01:52
Reported
2024-06-20 01:54
Platform
win11-20240611-en
Max time kernel
90s
Max time network
92s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FluxusV2.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FluxLoraV2\FluxLora.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\FluxusV2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FluxLoraV2\FluxLora.exe
"C:\Users\Admin\AppData\Local\Temp\FluxLoraV2\FluxLora.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "FluxusV2" /tr '"C:\Users\Admin\AppData\Roaming\FluxusV2.exe"' & exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7CA2.tmp.bat""
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "FluxusV2" /tr '"C:\Users\Admin\AppData\Roaming\FluxusV2.exe"'
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Users\Admin\AppData\Roaming\FluxusV2.exe
"C:\Users\Admin\AppData\Roaming\FluxusV2.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 127.0.0.1:6700 | | tcp |
| N/A | 127.0.0.1:6700 | | tcp |
| N/A | 127.0.0.1:6700 | | tcp |
| N/A | 127.0.0.1:6700 | | tcp |
| N/A | 127.0.0.1:6700 | | tcp |
| N/A | 127.0.0.1:6700 | | tcp |
| N/A | 127.0.0.1:6700 | | tcp |
| N/A | 127.0.0.1:6700 | | tcp |
| N/A | 127.0.0.1:6700 | | tcp |
| N/A | 127.0.0.1:6700 | | tcp |
| N/A | 127.0.0.1:6700 | | tcp |
| N/A | 127.0.0.1:6700 | | tcp |
Files
memory/3572-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp
memory/3572-1-0x0000000000770000-0x0000000000782000-memory.dmp
memory/3572-2-0x0000000074B30000-0x00000000752E1000-memory.dmp
memory/3572-3-0x0000000005250000-0x00000000052EC000-memory.dmp
memory/3572-8-0x0000000074B30000-0x00000000752E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7CA2.tmp.bat
| Hash | Value |
| --- | --- |
| MD5 | 8c722c691849e86d95930cb4e8cdf58b |
| SHA1 | 61ba05a53514a5f305b38551d11699ce6a8262e1 |
| SHA256 | e2041e221e9b87ec0e0f62d7014a162206a0a3d9a9f7ab019015fcc92626e91d |
| SHA512 | b29668facd35fc4e5ae018400ed0bdf25a11032fea2f2485a223df11a08527b884e562ddf70865179d771b64d7968b179498f07d990496b47b90b74fecb94c52 |
C:\Users\Admin\AppData\Roaming\FluxusV2.exe
| Hash | Value |
| --- | --- |
| MD5 | ace38670c00a34a910a1c5cb502f8f03 |
| SHA1 | 3bfa515b1b4af4cca5e4d603e427fc2ebc8d5047 |
| SHA256 | 0c3aa475f5ff4c8c2c271a27582f5480a29063d97006d5440c98409b3659fcbe |
| SHA512 | ff40dccab360baff86e2545e810f6969d22587b750a646a46546e593069bf1d5633a9e20a0534437fc909bfc2d58bb32f840c23b7e879f677c9fbd18a609e0bc |
memory/572-13-0x0000000074A80000-0x0000000075231000-memory.dmp
memory/572-14-0x0000000074A80000-0x0000000075231000-memory.dmp