Analysis

  • max time kernel
    31s
  • max time network
    32s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    20-06-2024 19:55

General

  • Target

    XBinderOutput.exe

  • Size

    172KB

  • MD5

    511d2c958154e9a4534372bda7f61751

  • SHA1

    cedb2dcdfe2d4534d6eb2e66496e0873388e0678

  • SHA256

    83c05ceb7510d099c94b5553ff5e5fc17eb8c315699457ce9ae8a697bf712798

  • SHA512

    fbf05cd528e26424dfb53659ac07f7d2b8d55aa6a153b625d0f50953fef613d6d11c397a836f916a915711fbe520a4d43b6d9918cc8b04373cacb482c4e37d57

  • SSDEEP

    3072:vmCzFoOQIvXCs4fNGV881cclxWRQlKCYCtiVs5kwzxze2vb3fYH2JN:XFocCs4VMGcKOxYPiqE5vjfa

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

Mutex

LmnYzRoga2CL

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/BSSw6HT3

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4256
    • C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe
      "C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4204
    • C:\Users\Admin\AppData\Local\Temp\pops.exe
      "C:\Users\Admin\AppData\Local\Temp\pops.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Discovery

System Information Discovery

1
T1082

Command and Control

Web Service

1
T1102

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe
    Filesize

    82KB

    MD5

    fde34a227baab4069f459cac32e6109b

    SHA1

    b1f4e52cd57853e3c951d1f01699f793706ca899

    SHA256

    a5913acf5857d31f22fbbdc29a7810de97d70fb69009c4f844ff4a6af362f047

    SHA512

    b098d6dbe661128999788befb01322d845dbe52253e318db3d04a4f41ab95c2083e7698a97282b164db7c31dbb82f43f36aa4c86550120ba8b57703898679100

  • C:\Users\Admin\AppData\Local\Temp\pops.exe
    Filesize

    122KB

    MD5

    9eb31428dfab7ceb8b52c96e7480b0c4

    SHA1

    05a7e7bc4c182a3714addc8a6746b662dd500e82

    SHA256

    f2da0525ae7d061b232ace45eea6451d26c462f207ceedd171c6fd5b8ff74fb4

    SHA512

    9645c3f07de4b8899c3069078687b2370c9116c50ec9048f14ece1f8a507e7df3ce31e9dbe28fb5d01a4ea91b7d564eb0bc463d92cd9b167ed171a1b9b59670e

  • memory/2312-15-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp
    Filesize

    9.9MB

  • memory/2312-23-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp
    Filesize

    9.9MB

  • memory/2312-17-0x0000000001680000-0x000000000168C000-memory.dmp
    Filesize

    48KB

  • memory/2312-13-0x0000000000D40000-0x0000000000D66000-memory.dmp
    Filesize

    152KB

  • memory/4204-19-0x00000000053E0000-0x00000000053FE000-memory.dmp
    Filesize

    120KB

  • memory/4204-27-0x00000000062D0000-0x000000000636C000-memory.dmp
    Filesize

    624KB

  • memory/4204-16-0x00000000734DE000-0x00000000734DF000-memory.dmp
    Filesize

    4KB

  • memory/4204-18-0x0000000000C30000-0x0000000000C4A000-memory.dmp
    Filesize

    104KB

  • memory/4204-31-0x00000000734D0000-0x0000000073BBE000-memory.dmp
    Filesize

    6.9MB

  • memory/4204-20-0x0000000002DA0000-0x0000000002DA6000-memory.dmp
    Filesize

    24KB

  • memory/4204-21-0x0000000004F50000-0x0000000004F62000-memory.dmp
    Filesize

    72KB

  • memory/4204-22-0x00000000734D0000-0x0000000073BBE000-memory.dmp
    Filesize

    6.9MB

  • memory/4204-30-0x00000000734DE000-0x00000000734DF000-memory.dmp
    Filesize

    4KB

  • memory/4204-29-0x0000000006370000-0x00000000063D6000-memory.dmp
    Filesize

    408KB

  • memory/4204-28-0x0000000008160000-0x000000000865E000-memory.dmp
    Filesize

    5.0MB

  • memory/4256-14-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp
    Filesize

    9.9MB

  • memory/4256-24-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp
    Filesize

    9.9MB

  • memory/4256-1-0x00000000003F0000-0x0000000000422000-memory.dmp
    Filesize

    200KB

  • memory/4256-0-0x00007FFF44693000-0x00007FFF44694000-memory.dmp
    Filesize

    4KB
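The Processes section above records the binder behaviour worth detecting: XBinderOutput.exe (PID 4256), itself running from %Temp%, writes AsyncFull.exe and pops.exe into the same Temp folder and executes both, and the Downloads section gives the SHA256 of each dropped file. The following Python is an added example, not part of the sandbox report, showing how a detection engineer would turn those two facts into triage logic over Sysmon-style process-creation events: a hash hit against the report's SHA256 values, and a parent/child check for one Temp EXE spawning another. The event records, the parent explorer.exe and notepad.exe processes, their PIDs, and the benign hash are constructed for the example; the three SHA256 values and the 4256/4204/2312 tree are taken from the report.

```python
"""Triage constructed process-creation events against the IoCs in this report.

Added example; the event shape loosely mirrors Sysmon Event ID 1 fields
(ProcessId, ParentProcessId, Image, Hashes) but is not a Sysmon parser.
"""
import hashlib
import re
from dataclasses import dataclass

# SHA256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "83c05ceb7510d099c94b5553ff5e5fc17eb8c315699457ce9ae8a697bf712798": "XBinderOutput.exe",
    "a5913acf5857d31f22fbbdc29a7810de97d70fb69009c4f844ff4a6af362f047": "AsyncFull.exe",
    "f2da0525ae7d061b232ace45eea6451d26c462f207ceedd171c6fd5b8ff74fb4": "pops.exe",
}

# An executable sitting directly in a user's %LocalAppData%\Temp folder.
TEMP_EXE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.IGNORECASE
)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    sha256: str


def is_temp_exe(path: str) -> bool:
    """True when the image path is an EXE launched straight out of Temp."""
    return bool(TEMP_EXE.match(path))


def lookup_bytes(data: bytes):
    """Hash raw file content and return the report's name for it, or None."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())


def triage(events):
    """Return [(pid, [reason, ...])] for every event that trips a rule.

    Rule 1: image hash matches a hash from this report.
    Rule 2: a Temp EXE was spawned by another Temp EXE (the binder pattern:
            XBinderOutput.exe launching AsyncFull.exe and pops.exe).
    """
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        reasons = []
        name = KNOWN_SHA256.get(e.sha256.lower())
        if name:
            reasons.append(f"known hash ({name})")
        parent = by_pid.get(e.ppid)
        if parent and is_temp_exe(parent.image) and is_temp_exe(e.image):
            reasons.append(f"Temp EXE spawned by Temp EXE (parent pid {parent.pid})")
        if reasons:
            alerts.append((e.pid, reasons))
    return alerts


# Constructed sample: the report's tree under a made-up explorer.exe parent,
# plus a benign notepad.exe that must not alert.
BENIGN_HASH = hashlib.sha256(b"constructed benign content").hexdigest()
SAMPLE_EVENTS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe", BENIGN_HASH),
    ProcEvent(4256, 1000, r"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe",
              "83c05ceb7510d099c94b5553ff5e5fc17eb8c315699457ce9ae8a697bf712798"),
    ProcEvent(4204, 4256, r"C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe",
              "a5913acf5857d31f22fbbdc29a7810de97d70fb69009c4f844ff4a6af362f047"),
    ProcEvent(2312, 4256, r"C:\Users\Admin\AppData\Local\Temp\pops.exe",
              "f2da0525ae7d061b232ace45eea6451d26c462f207ceedd171c6fd5b8ff74fb4"),
    ProcEvent(5120, 1000, r"C:\Windows\System32\notepad.exe", BENIGN_HASH),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The parent/child rule fires on the two children but not on XBinderOutput.exe itself, whose parent is explorer.exe; the hash rule is what catches the initial dropper. Hash matching only finds this exact build, so the structural rule is the one that survives a repack.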