Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
28-06-2024 01:40
Behavioral task
behavioral1
Sample
ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe
Resource
win7-20240419-en
General
-
Target
ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe
-
Size
62KB
-
MD5
03f5e6705fc4facf9bd54ec5b4fe75a3
-
SHA1
c11f97aae39b7b7949dc1d4f1ae60b7be26702ed
-
SHA256
ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2
-
SHA512
188fab951618a9bf702094749a86553965451ac07ffd8df7aa4b00b10b6a0825743de48c956100b4051e1f16cc6a8b2be6338e5a6c4e87aff3eda60562f97823
-
SSDEEP
1536:2206UX9kGYrsVqfhuD2a/d97IURE8vU6a5NEG75bfAg6SoKlX4a8rBTRVx:2206UX9kSE8vU6a5iG75bfRXlITJvx
Malware Config
Extracted
asyncrat
AWS | 3Losh
newjop
backwork07.ddns.net:6666
AsyncMutex_raTMpP7xS21cDAE8
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4172-1-0x0000000000B80000-0x0000000000B96000-memory.dmp INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4172-11-0x0000000007200000-0x000000000726C000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables manipulated with Fody 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4172-11-0x0000000007200000-0x000000000726C000-memory.dmp INDICATOR_EXE_Packed_Fody -
Detects file containing reversed ASEP Autorun registry keys 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4172-1-0x0000000000B80000-0x0000000000B96000-memory.dmp INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exepid process 4172 ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exedescription pid process Token: SeDebugPrivilege 4172 ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exepid process 4172 ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe"C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4172