Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

telegram-N...OL.exe

windows7-x64

10

telegram-N...OL.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2024, 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    telegram-Number-TOOL.exe

  • Size

    140KB

  • MD5

    acecccd9b38ba794a692a9de0856859c

  • SHA1

    07129ec32682a27d66a040e4ba3d833b9a0c35df

  • SHA256

    ca5dcc8bf1430114a69380f98308370834dc864ba041a9508eca080fa1d3fa60

  • SHA512

    f26696aa239ef96834f3d3d5173197a7cc9b190522ddbd05e09bd72dc87d7c30a9929a04f8c38f767db90a3c76aa588e5a25c435a3db3b37410d3fbf6fec812e

  • SSDEEP

    1536:nUKgcxybQCHWPMVgfa9iI2H1bC/PA/fmQzc5ugdPTLVclN:nUjcxyEkWPMVgfBH1bC6+QpsBY

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

147.185.221.21:6643

147.185.221.21:5552
Mutex

wviykvrredoqeatxrwy

Attributes
  • delay

    1

  • install

    true

  • install_file

    telegram-Number-TOOL.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\telegram-Number-TOOL.exe
    "C:\Users\Admin\AppData\Local\Temp\telegram-Number-TOOL.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "telegram-Number-TOOL" /tr '"C:\Users\Admin\AppData\Roaming\telegram-Number-TOOL.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3660
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "telegram-Number-TOOL" /tr '"C:\Users\Admin\AppData\Roaming\telegram-Number-TOOL.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2596
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF40.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1932
      • C:\Users\Admin\AppData\Roaming\telegram-Number-TOOL.exe
        "C:\Users\Admin\AppData\Roaming\telegram-Number-TOOL.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:612
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\telegram-Number-TOOL.exe.log
    Filesize

    1KB

    MD5

    baf55b95da4a601229647f25dad12878

    SHA1

    abc16954ebfd213733c4493fc1910164d825cac8

    SHA256

    ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

    SHA512

    24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpFF40.tmp.bat
    Filesize

    164B

    MD5

    c0dfa38af1d1ba61880f043a57000dc4

    SHA1

    929f9ac65a127b66df79bcd9309908311b16f7f9

    SHA256

    edd60a283588fe5b857ff62b7b6544b2b48aff1142d15363dded49478c2f52d3

    SHA512

    7e680db815e658bd5807fcc8ec44370811bc6eaa741c06bf048f8d04b7974579c372bd19c64031f69ff6cb7bd623def203287b0240c36edd7aac27dea8d30b57

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
    Filesize

    8B

    MD5

    cf759e4c5f14fe3eec41b87ed756cea8

    SHA1

    c27c796bb3c2fac929359563676f4ba1ffada1f5

    SHA256

    c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

    SHA512

    c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telegram-Number-TOOL.exe
    Filesize

    140KB

    MD5

    acecccd9b38ba794a692a9de0856859c

    SHA1

    07129ec32682a27d66a040e4ba3d833b9a0c35df

    SHA256

    ca5dcc8bf1430114a69380f98308370834dc864ba041a9508eca080fa1d3fa60

    SHA512

    f26696aa239ef96834f3d3d5173197a7cc9b190522ddbd05e09bd72dc87d7c30a9929a04f8c38f767db90a3c76aa588e5a25c435a3db3b37410d3fbf6fec812e

    Download Submit

  • memory/612-28-0x000000001C4E0000-0x000000001C556000-memory.dmp

    Filesize

    472KB

    Download

  • memory/612-31-0x000000001B030000-0x000000001B03E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/612-30-0x000000001C480000-0x000000001C49E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/612-29-0x000000001B020000-0x000000001B02E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1864-1-0x00000000007C0000-0x00000000007E8000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1864-3-0x00007FFD14460000-0x00007FFD14F21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1864-14-0x00007FFD14460000-0x00007FFD14F21000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1864-0-0x00007FFD14463000-0x00007FFD14465000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2208-17-0x0000020B316C0000-0x0000020B316C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-25-0x0000020B316C0000-0x0000020B316C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-24-0x0000020B316C0000-0x0000020B316C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-23-0x0000020B316C0000-0x0000020B316C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-22-0x0000020B316C0000-0x0000020B316C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-21-0x0000020B316C0000-0x0000020B316C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-26-0x0000020B316C0000-0x0000020B316C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-27-0x0000020B316C0000-0x0000020B316C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-16-0x0000020B316C0000-0x0000020B316C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2208-15-0x0000020B316C0000-0x0000020B316C1000-memory.dmp

    Filesize

    4KB

    Download