Malware Analysis Report

2024-10-19 06:56

Sample ID 240628-b3k3xsxajk
Target ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe
SHA256 ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2
Tags
rat newjop asyncrat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2

Threat Level: Known bad

The file ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe was found to be: Known bad.

Malicious Activity Summary

rat newjop asyncrat spyware stealer

AsyncRat

Detects file containing reversed ASEP Autorun registry keys

Asyncrat family

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Async RAT payload

Detects file containing reversed ASEP Autorun registry keys

Detects executables manipulated with Fody

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Reads user/profile data of web browsers

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 01:40

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 01:40

Reported

2024-06-28 01:42

Platform

win7-20240419-en

Max time kernel

118s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe"

Signatures

AsyncRat

rat asyncrat

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe

"C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 backwork07.ddns.net udp
US 172.93.111.165:6666 backwork07.ddns.net tcp
US 172.93.111.165:6666 backwork07.ddns.net tcp
US 172.93.111.165:6666 backwork07.ddns.net tcp

Files

memory/2208-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

memory/2208-1-0x0000000000230000-0x0000000000246000-memory.dmp

memory/2208-2-0x0000000074A10000-0x00000000750FE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar43BB.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2208-40-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

memory/2208-41-0x0000000074A10000-0x00000000750FE000-memory.dmp

memory/2208-42-0x0000000006950000-0x00000000069BC000-memory.dmp

memory/2208-63-0x00000000006A0000-0x00000000006AA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 01:40

Reported

2024-06-28 01:42

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe"

Signatures

AsyncRat

rat asyncrat

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables manipulated with Fody

Description Indicator Process Target
N/A N/A N/A N/A

Detects file containing reversed ASEP Autorun registry keys

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe

"C:\Users\Admin\AppData\Local\Temp\ad2c029407cebf926900436721a48f42afb91768b15c7d2e3e584cb766661bd2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 backwork07.ddns.net udp
US 172.93.111.165:6666 backwork07.ddns.net tcp
US 8.8.8.8:53 165.111.93.172.in-addr.arpa udp
US 20.189.173.13:443 tcp
US 172.93.111.165:6666 backwork07.ddns.net tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 172.93.111.165:6666 backwork07.ddns.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
BE 23.41.178.65:443 www.bing.com tcp
US 8.8.8.8:53 65.178.41.23.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4172-0-0x00000000747EE000-0x00000000747EF000-memory.dmp

memory/4172-1-0x0000000000B80000-0x0000000000B96000-memory.dmp

memory/4172-2-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/4172-3-0x0000000005D50000-0x00000000062F4000-memory.dmp

memory/4172-4-0x0000000005980000-0x0000000005A12000-memory.dmp

memory/4172-5-0x0000000005930000-0x000000000593A000-memory.dmp

memory/4172-6-0x00000000064E0000-0x000000000657C000-memory.dmp

memory/4172-7-0x0000000006580000-0x00000000065E6000-memory.dmp

memory/4172-8-0x00000000747EE000-0x00000000747EF000-memory.dmp

memory/4172-9-0x00000000747E0000-0x0000000074F90000-memory.dmp

memory/4172-10-0x0000000007280000-0x00000000072F6000-memory.dmp

memory/4172-11-0x0000000007200000-0x000000000726C000-memory.dmp

memory/4172-12-0x0000000007540000-0x000000000755E000-memory.dmp

memory/4172-13-0x0000000007610000-0x000000000761A000-memory.dmp