Analysis Overview
SHA256
83c05ceb7510d099c94b5553ff5e5fc17eb8c315699457ce9ae8a697bf712798
Threat Level: Known bad
The file XBinderOutput.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 19:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 19:55
Reported
2024-06-20 19:56
Platform
win10-20240611-en
Max time kernel
31s
Max time network
32s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pops.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pops.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pops.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\pops.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4256 wrote to memory of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe |
| PID 4256 wrote to memory of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe |
| PID 4256 wrote to memory of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe |
| PID 4256 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Users\Admin\AppData\Local\Temp\pops.exe |
| PID 4256 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe | C:\Users\Admin\AppData\Local\Temp\pops.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe"
C:\Users\Admin\AppData\Local\Temp\pops.exe
"C:\Users\Admin\AppData\Local\Temp\pops.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 163.252.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | minutes-nirvana.gl.at.ply.gg | udp |
| US | 147.185.221.20:33475 | minutes-nirvana.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.90.14.23.in-addr.arpa | udp |
Files
memory/4256-0-0x00007FFF44693000-0x00007FFF44694000-memory.dmp
memory/4256-1-0x00000000003F0000-0x0000000000422000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AsyncFull.exe
| Hash | Value |
| --- | --- |
| MD5 | fde34a227baab4069f459cac32e6109b |
| SHA1 | b1f4e52cd57853e3c951d1f01699f793706ca899 |
| SHA256 | a5913acf5857d31f22fbbdc29a7810de97d70fb69009c4f844ff4a6af362f047 |
| SHA512 | b098d6dbe661128999788befb01322d845dbe52253e318db3d04a4f41ab95c2083e7698a97282b164db7c31dbb82f43f36aa4c86550120ba8b57703898679100 |
C:\Users\Admin\AppData\Local\Temp\pops.exe
| Hash | Value |
| --- | --- |
| MD5 | 9eb31428dfab7ceb8b52c96e7480b0c4 |
| SHA1 | 05a7e7bc4c182a3714addc8a6746b662dd500e82 |
| SHA256 | f2da0525ae7d061b232ace45eea6451d26c462f207ceedd171c6fd5b8ff74fb4 |
| SHA512 | 9645c3f07de4b8899c3069078687b2370c9116c50ec9048f14ece1f8a507e7df3ce31e9dbe28fb5d01a4ea91b7d564eb0bc463d92cd9b167ed171a1b9b59670e |
memory/4256-14-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp
memory/2312-13-0x0000000000D40000-0x0000000000D66000-memory.dmp
memory/2312-15-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp
memory/2312-17-0x0000000001680000-0x000000000168C000-memory.dmp
memory/4204-16-0x00000000734DE000-0x00000000734DF000-memory.dmp
memory/4204-18-0x0000000000C30000-0x0000000000C4A000-memory.dmp
memory/4204-19-0x00000000053E0000-0x00000000053FE000-memory.dmp
memory/4204-20-0x0000000002DA0000-0x0000000002DA6000-memory.dmp
memory/4204-21-0x0000000004F50000-0x0000000004F62000-memory.dmp
memory/4204-22-0x00000000734D0000-0x0000000073BBE000-memory.dmp
memory/2312-23-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp
memory/4256-24-0x00007FFF44690000-0x00007FFF4507C000-memory.dmp
memory/4204-27-0x00000000062D0000-0x000000000636C000-memory.dmp
memory/4204-28-0x0000000008160000-0x000000000865E000-memory.dmp
memory/4204-29-0x0000000006370000-0x00000000063D6000-memory.dmp
memory/4204-30-0x00000000734DE000-0x00000000734DF000-memory.dmp
memory/4204-31-0x00000000734D0000-0x0000000073BBE000-memory.dmp