Analysis
- max time kernel: 1790s
- max time network: 1799s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 28-06-2024 21:53
General
- Target: SMS-Bomber.exe
- Size: 47KB
- MD5: 4a56c6e517888a3524999e18e6d7740b
- SHA1: 3781d9472264ca9af471cdc80ffc87c34134c112
- SHA256: 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706
- SHA512: 0b7c6c0f82b19b20632d8a8d8c93a772f175acc0bf1c9ff1a57f5e731f739806b98663f824a7ec07843cad2fe69376bba57967587a86e5dfe4dc890df334ba4e
- SSDEEP: 768:Euzkx3FTkYwt9y4gWUOlKnjamo2q8ayby6FXbWPI8rQ9Hyfw+0bF3HFZBzUccTUW:EuS3FTHHe2Gy+6Z78rQ9HGWbF3T9U5+Q
Malware Config
Extracted
- asyncrat
- 0.5.8
- Default
- 0UfuvIZfaBv8
- delay: 3
- install: true
- install_file: api.exe
- install_folder: %AppData%
- pastebin_config: https://pastebin.com/raw/aDAYnLv4
Signatures
- Async RAT payload (1 IoC)
  Processes: resource C:\Users\Admin\AppData\Roaming\api.exe, yara_rule family_asyncrat
- Executes dropped EXE (1 IoC)
  Processes: pid 2732 api.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Processes: pid 4528 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes: pid 2632 SMS-Bomber.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, pid 2632 SMS-Bomber.exe
    Token: SeDebugPrivilege, pid 2732 api.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (source pid / source process -> target pid / target process):
    2632 SMS-Bomber.exe -> 4988 cmd.exe
    2632 SMS-Bomber.exe -> 4988 cmd.exe
    2632 SMS-Bomber.exe -> 4988 cmd.exe
    2632 SMS-Bomber.exe -> 1780 cmd.exe
    2632 SMS-Bomber.exe -> 1780 cmd.exe
    2632 SMS-Bomber.exe -> 1780 cmd.exe
    4988 cmd.exe -> 5068 schtasks.exe
    4988 cmd.exe -> 5068 schtasks.exe
    4988 cmd.exe -> 5068 schtasks.exe
    1780 cmd.exe -> 4528 timeout.exe
    1780 cmd.exe -> 4528 timeout.exe
    1780 cmd.exe -> 4528 timeout.exe
    1780 cmd.exe -> 2732 api.exe
    1780 cmd.exe -> 2732 api.exe
    1780 cmd.exe -> 2732 api.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SMS-Bomber.exe (PID 2632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SMS-Bomber.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 4988)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "api" /tr '"C:\Users\Admin\AppData\Roaming\api.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 5068)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "api" /tr '"C:\Users\Admin\AppData\Roaming\api.exe"'
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe (PID 1780)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4B9F.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 4528)
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\api.exe (PID 2732)
      Command line: "C:\Users\Admin\AppData\Roaming\api.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 147B
  MD5: d3083d7da0e60c90af5ed5f108e7624b
  SHA1: e8e89fef2a09a12cf0ae5569786e2025cf61fb1b
  SHA256: f957ee2d070b5fd1184d4bcaa333424a162d6606cafa18fc99af36f22d124fb4
  SHA512: 7ce6e6e78d31ce1c38e3ed43709760a0f5e350efc1dc96210e8c7cacb95032f7a9464e345b4ac41c553e034ae299ab471d761fdef3ee8c4aa4361925160dd40b
- Filesize: 47KB
  MD5: 4a56c6e517888a3524999e18e6d7740b
  SHA1: 3781d9472264ca9af471cdc80ffc87c34134c112
  SHA256: 44ae9b54c322a598bf0b04a591d69216718a606f4aa01ab72307eed94aec1706
  SHA512: 0b7c6c0f82b19b20632d8a8d8c93a772f175acc0bf1c9ff1a57f5e731f739806b98663f824a7ec07843cad2fe69376bba57967587a86e5dfe4dc890df334ba4e