Analysis
  max time kernel: 106s
  max time network: 109s
  platform: windows11-21h2_x64
  resource: win11-20240611-en
  resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 28-06-2024 07:56
General
  Target: Client.exe
  Size: 74KB
  MD5: 50141588d141a3e39e77b728a3102cc3
  SHA1: 100024df2be8d4ea2b9ea727c06a0558ed630b1e
  SHA256: 3f2af23e28f5eaa2e87e5b558dc35827e1ec26c9d0d801204317d4b68d8a34e2
  SHA512: aa8a71f5be56f1f1ccbfed2703bd19faccc4bf81213cdc82d558093449664233bc1de57c7f7dbd7d05bf0c47ae33fc955fd43a2f3b9bbe531684e5d53783cf16
  SSDEEP: 1536:1ULkcxVKpC6yPMVKe9VdQuDI6H1bf/MUM4WZdXQzcGLVclN:1UocxVENyPMVKe9VdQsH1bfyhQfBY
Malware Config
  Extracted
  Family: asyncrat
  Version: Venom RAT + HVNC + Stealer + Grabber v6.0.3
  Botnet: Default
  Mutex: aztddokpdxbvrrzhk
  Attributes:
    delay: 1
    install: false
    install_folder: %AppData%
    pastebin_config: https://pastebin.com/raw/LwwcrLg4
    aes.plain: (value not captured on this page)

  Note: in AsyncRAT-family configs, delay is the number of seconds the client sleeps before starting, and install controls whether the client copies itself to install_folder and sets up persistence. With install set to false, this build runs from wherever it was launched and the install_folder value is not acted on. The pastebin_config URL is where the client fetches its C2 address at runtime, which is why the raw paste is the most useful network indicator in this report and why the hard-coded host list is absent.
Signatures
  Legitimate hosting services abused for malware hosting/C2 (1 TTP, 35 IoCs)
    Network flows to pastebin.com, 35 flows to the same host: 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 22, 34, 35, 36, 37, 39, 40, 46, 47, 48, 49, 50, 51, 53, 54, 55, 56, 57, 58
  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid 1084 Client.exe (64 events)
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token: SeDebugPrivilege, pid 1084 Client.exe
  Suspicious use of SetWindowsHookEx (1 IoC)
    pid 1084 Client.exe
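The sandbox counts every flow to pastebin.com as a separate IoC, but for detection the useful unit is "a non-browser process fetching raw pastes", and one process doing it repeatedly. The following is an added example (not part of the sandbox report or of Triage's own signature logic) that runs that check over constructed proxy-style log lines built around this report's indicators; the paste-host list and the browser allowlist are assumptions to adjust for your environment.

```python
"""Flag non-browser processes fetching raw pastes from paste/hosting sites,
the behaviour behind the "Legitimate hosting services abused for malware
hosting/C2" signature. Added example; the log lines below are constructed
for illustration and are not sandbox output."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosting services commonly abused for config/C2 staging (assumed list).
PASTE_HOSTS = {"pastebin.com", "paste.ee", "rentry.co", "ghostbin.co"}
# Raw-content paths: /raw/<id> on pastebin, /r/<id> on paste.ee (assumed).
RAW_PATH = re.compile(r"^/raw/[A-Za-z0-9]{6,}$|^/r/[A-Za-z0-9]{6,}$")
# Processes expected to reach paste sites interactively (assumed allowlist).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed log lines in the form "<ts> <pid> <image> <method> <url>".
# PIDs, image names and the paste URL mirror the report above; the browser
# and svchost lines are benign filler added for contrast.
LOG = """\
2024-06-28T07:57:01Z 1084 Client.exe GET https://pastebin.com/raw/LwwcrLg4
2024-06-28T07:57:02Z 1084 Client.exe GET https://pastebin.com/raw/LwwcrLg4
2024-06-28T07:57:03Z 3088 svchost.exe GET https://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
2024-06-28T07:57:05Z 4412 msedge.exe GET https://pastebin.com/raw/LwwcrLg4
2024-06-28T07:57:06Z 4412 msedge.exe GET https://pastebin.com/LwwcrLg4
2024-06-28T07:57:09Z 1084 Client.exe GET https://pastebin.com/raw/LwwcrLg4
"""
LINE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\S+)$")


def parse(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LINE.match(line)
    if not m:
        return None
    ts, pid, image, method, url = m.groups()
    return {"ts": ts, "pid": int(pid), "image": image, "method": method, "url": url}


def is_raw_paste_fetch(ev):
    """True when the event's URL is a raw-content path on a known paste host."""
    u = urlsplit(ev["url"])
    return u.hostname in PASTE_HOSTS and bool(RAW_PATH.match(u.path))


def detect(log_text, min_hits=1):
    """Return {(pid, image): [urls]} for non-browser processes with at least
    min_hits raw-paste fetches. Browsers are skipped; everything else that
    pulls raw paste content is reported, grouped per process rather than
    per flow so one beaconing client shows up once."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["image"].lower() in BROWSERS:
            continue
        if is_raw_paste_fetch(ev):
            hits[(ev["pid"], ev["image"])].append(ev["url"])
    return {k: v for k, v in hits.items() if len(v) >= min_hits}


if __name__ == "__main__":
    for (pid, image), urls in detect(LOG).items():
        print(f"{image} (pid {pid}): {len(urls)} raw paste fetches, "
              f"{len(set(urls))} distinct URL(s)")
```

Raising min_hits turns this from a single-event alert into a beaconing check; for this sample the repeated fetch of the same raw paste from one non-browser process is the signal, while the browser visiting the same paste is deliberately not flagged.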
Processes
  C:\Users\Admin\AppData\Local\Temp\Client.exe (top-level)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    PID: 1084
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  C:\Windows\system32\svchost.exe (top-level, not a child of Client.exe)
    Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    PID: 3088