Analysis Overview
SHA256
ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2
Threat Level: Known bad
The file ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Detects file containing reversed ASEP Autorun registry keys
Asyncrat family
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Async RAT payload
Detects file containing reversed ASEP Autorun registry keys
Detects executables manipulated with Fody
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Reads user/profile data of web browsers
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 01:40
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Asyncrat family
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detects file containing reversed ASEP Autorun registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 01:40
Reported
2024-06-28 01:42
Platform
win7-20240419-en
Max time kernel
118s
Max time network
150s
Command Line
Signatures
AsyncRat
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detects executables manipulated with Fody
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detects file containing reversed ASEP Autorun registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe
"C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | backwork07.ddns.net | udp |
| US | 172.93.111.165:6666 | backwork07.ddns.net | tcp |
| US | 172.93.111.165:6666 | backwork07.ddns.net | tcp |
| US | 172.93.111.165:6666 | backwork07.ddns.net | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| Hash | Value |
| --- | --- |
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar43BB.tmp
| Hash | Value |
| --- | --- |
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 01:40
Reported
2024-06-28 01:42
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
AsyncRat
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detects executables manipulated with Fody
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detects file containing reversed ASEP Autorun registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe
"C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | backwork07.ddns.net | udp |
| US | 172.93.111.165:6666 | backwork07.ddns.net | tcp |
| US | 8.8.8.8:53 | 165.111.93.172.in-addr.arpa | udp |
| US | 20.189.173.13:443 | N/A | tcp |
| US | 172.93.111.165:6666 | backwork07.ddns.net | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 172.93.111.165:6666 | backwork07.ddns.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| BE | 23.41.178.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 65.178.41.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files