Overview

overview

10

Static

static

3

ExtremeDumper-x64.exe

windows7-x64

10

ExtremeDumper-x64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1025s
  • max time network
    1038s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    27-07-2024 03:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ExtremeDumper-x64.exe

  • Size

    1.7MB

  • MD5

    d80005f7cff14a06d50cb6d363fdf2e9

  • SHA1

    74ed3f842c6ae54a647c5af5fa9456e9c19b9cc5

  • SHA256

    4e6ae5fd4a54e6497b36ef81536f9c1f94f11cf13b164dec4d466feb0ea2d262

  • SHA512

    6679fe68ae7478c00a9ff4948eee7bf36ab7004ae3afd888fccba7b88df493504876afa48ed55e4163c235808c5fa67d4ef30f132bb5d88c7bc1c42196aa86ae

  • SSDEEP

    49152:peBSdEv60XsKmSE02hrzFqVRqnc2vbu3:6jv5TRM1nc2ju

Score
10/10
asyncrat1discoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

1

C2

paris-itself.gl.at.ply.gg:49485

147.185.221.20:49485
Mutex

DAC4G8C1tEM2

Attributes
  • delay

    3

  • install

    true

  • install_file

    System.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExtremeDumper-x64.exe
    "C:\Users\Admin\AppData\Local\Temp\ExtremeDumper-x64.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\System.exe
      "C:\Users\Admin\AppData\Local\Temp\System.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2832
    • C:\Users\Admin\AppData\Local\Temp\ExtremeDumper.exe
      "C:\Users\Admin\AppData\Local\Temp\ExtremeDumper.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ExtremeDumper.exe
    Filesize

    1.7MB

    MD5

    58db100b228ff17f83726d4c2738990e

    SHA1

    d69bfa9ddb32de1999760e8b3b3236bc8934d66c

    SHA256

    f407b67a008fc2186329d5feffe830f7eead7a11f3b169d0d90099495edfcf2e

    SHA512

    e845a62e00fcb8305ab0ceececec73a2d46a490c04370742290398f5e568ba4cf43bc1caa0529405e9ee07c021a05109873271278a8c45eec67ad409dd670f51

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\System.exe
    Filesize

    48KB

    MD5

    c1319ad0a8606516a8f05b9cbb50bc6f

    SHA1

    c723b2ccf1945480c0a3adb26555b39888a960aa

    SHA256

    19d29a9df522600a3a301ebed388ae367f330d5a22b18548af3b244e26d6cc05

    SHA512

    e2e524ddeaa483d2bca5177bc87348484f27619b64f2f18edd7d9f939a22ce194b54855281096a74c08c3fc7409ca92d5e2d3e87dca28395093d36fcf0861b77

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Costura\CFA0B0B143E4C50194769B9A2552FFEF\64\extremedumper.loaderhook.dll
    Filesize

    211KB

    MD5

    2e40ed16499ba8ff681b9bfe8263cef8

    SHA1

    f89f7d11dc028bb3fa1437b0d0de1affec35f8a1

    SHA256

    3577492fff8cd1dfdfae86f74e3d77a1aa672b49d18838355ce2a5bf86363f47

    SHA512

    2f47d4a9f7ec6a7f7eaf605e571c85ba16b4421df9a15c801502af6488287f9ed6c5e7f3c2b29ae2b4f6169252d9ac9a7b91bc666557fa1501347b7de36493a1

    Download Submit

  • memory/2176-0-0x000007FEF4FE3000-0x000007FEF4FE4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2176-1-0x0000000000CB0000-0x0000000000E6C000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2176-12-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2656-14-0x00000000012D0000-0x000000000147E000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2656-20-0x0000000000430000-0x0000000000456000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2656-21-0x00000000005F0000-0x0000000000600000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2832-19-0x0000000000A30000-0x0000000000A42000-memory.dmp

    Filesize

    72KB

    Download