Overview

overview

10

Static

static

10

Builder.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1194s
  • max time network
    1171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-07-2024 16:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Builder.exe

  • Size

    273KB

  • MD5

    2a388e389df3136db839745d13a2bbd0

  • SHA1

    1ba063842110c80d2a6bdf8280ec88b426b9d4ea

  • SHA256

    a2251164857af32d0a13d3d91c9cb17af07f5858ad935c666a4787f12d585622

  • SHA512

    01715c872281fffd8587f5cdabb5a9d80c720871424a6bf50ad0e8de7aae69536d0d4ffecb611ecfb8e98190e96b8ba896c96bf2dc0ebdda511f74909b5cb559

  • SSDEEP

    3072:Ee8p6ewdOIwQx76vK/bvTv0cU+lL/dMlZZUZ0b2gTiwARE+WpC/Bz65/M6If+3JC:g6ewwIwQJ6vKX0c5MlYZ0b2zFxBt25

Score
10/10
asyncratstormkittydefaultpersistenceprivilege_escalationratspywarestealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot5602729079:AAHue5HGrezQGgwKeWyn3WQgaqOZM5nlF_c/sendMessage?chat_id=6067717150
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 9 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Builder.exe
    "C:\Users\Admin\AppData\Local\Temp\Builder.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:4092
        • C:\Windows\SysWOW64\netsh.exe
          netsh wlan show profile
          3⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:3200
        • C:\Windows\SysWOW64\findstr.exe
          findstr All
          3⤵
            PID:3976
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            3⤵
              PID:3512
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show networks mode=bssid
              3⤵
              • Event Triggered Execution: Netsh Helper DLL
              PID:4892

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\0dab4b5c9ecb309f1bdb975e04a5daea\Admin@DJVPRFTV_en-US\Browsers\Firefox\Bookmarks.txt
          Filesize

          105B

          MD5

          2e9d094dda5cdc3ce6519f75943a4ff4

          SHA1

          5d989b4ac8b699781681fe75ed9ef98191a5096c

          SHA256

          c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

          SHA512

          d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

          Download Submit

        • C:\Users\Admin\AppData\Local\0dab4b5c9ecb309f1bdb975e04a5daea\Admin@DJVPRFTV_en-US\System\Process.txt
          Filesize

          4KB

          MD5

          b4364ac87b70768583e8e3e03ac28e67

          SHA1

          c78330b548c252df386347b30e009b0e86c98a63

          SHA256

          af927295cb0f05b125969dedf13c491e36572f694137f72d96a57c76a236ee45

          SHA512

          b46f48eab330434014fed899b01b6c2dece388497a76610c055af83b475ab51e48dc67e7df92833b64d2ea5b97e5a9b82ace44afadf3d9bae6567f44f7f3fabd

          Download Submit

        • C:\Users\Admin\AppData\Local\9bdd551bc979c694722c0c964dbc7678\msgid.dat
          Filesize

          1B

          MD5

          cfcd208495d565ef66e7dff9f98764da

          SHA1

          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

          SHA256

          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

          SHA512

          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

          Download Submit

        • memory/4924-146-0x00000000061F0000-0x0000000006282000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4924-3-0x00000000059F0000-0x0000000005A56000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4924-144-0x0000000074A60000-0x0000000075210000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4924-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4924-147-0x0000000006840000-0x0000000006DE4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4924-151-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4924-152-0x0000000006420000-0x000000000642A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4924-2-0x0000000074A60000-0x0000000075210000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4924-158-0x0000000005DB0000-0x0000000005DC2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4924-1-0x0000000000E90000-0x0000000000EDA000-memory.dmp

          Filesize

          296KB

          Download

        • memory/4924-181-0x0000000074A60000-0x0000000075210000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4924-182-0x0000000074A60000-0x0000000075210000-memory.dmp

          Filesize

          7.7MB

          Download