Malware Analysis Report

2024-09-22 06:58

Sample ID 240620-ynad7sverb
Target XBinderOutput.exe
SHA256 83c05ceb7510d099c94b5553ff5e5fc17eb8c315699457ce9ae8a697bf712798
Tags
asyncrat default rat
score
10/10

Analysis Overview

score
10/10

SHA256

83c05ceb7510d099c94b5553ff5e5fc17eb8c315699457ce9ae8a697bf712798

Threat Level: Known bad

The file XBinderOutput.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 19:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 19:55

Reported

2024-06-20 19:56

Platform

win10-20240611-en

Max time kernel

31s

Max time network

32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"

Signatures

AsyncRat (tags: rat, asyncrat)

Async RAT payload (tags: rat)

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pops.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pops.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pops.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\pops.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe

"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"

C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe"

C:\Users\Admin\AppData\Local\Temp\pops.exe

"C:\Users\Admin\AppData\Local\Temp\pops.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 163.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 minutes-nirvana.gl.at.ply.gg udp
US 147.185.221.20:33475 minutes-nirvana.gl.at.ply.gg tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 20.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 74.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe

MD5 fde34a227baab4069f459cac32e6109b
SHA1 b1f4e52cd57853e3c951d1f01699f793706ca899
SHA256 a5913acf5857d31f22fbbdc29a7810de97d70fb69009c4f844ff4a6af362f047
SHA512 b098d6dbe661128999788befb01322d845dbe52253e318db3d04a4f41ab95c2083e7698a97282b164db7c31dbb82f43f36aa4c86550120ba8b57703898679100

C:\Users\Admin\AppData\Local\Temp\pops.exe

MD5 9eb31428dfab7ceb8b52c96e7480b0c4
SHA1 05a7e7bc4c182a3714addc8a6746b662dd500e82
SHA256 f2da0525ae7d061b232ace45eea6451d26c462f207ceedd171c6fd5b8ff74fb4
SHA512 9645c3f07de4b8899c3069078687b2370c9116c50ec9048f14ece1f8a507e7df3ce31e9dbe28fb5d01a4ea91b7d564eb0bc463d92cd9b167ed171a1b9b59670e
