Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
27-07-2024 15:48
Behavioral task
behavioral1
Sample
be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe
Resource
win7-20240704-en
4 signatures
150 seconds
General
-
Target
be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe
-
Size
74KB
-
MD5
eff57bbdb0bd6825a3a3476e2fcc86be
-
SHA1
70a1c8488735dc31f4fcc635deb8220012f50f67
-
SHA256
be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7
-
SHA512
02b2cb1a9f65813c5ac4f3977e289413c0c0011b036e2d344a4fe7adec960c7709ac083fee9e2239a06ac9ccb6b3e8db28fe577998f861b278bac28e6817e157
-
SSDEEP
1536:EUEkcx4VHsC0SPMV7e9VdQuDI6H1bf/Y2Qzc2LVclN:EUxcx4GfSPMV7e9VdQsH1bfnQPBY
Malware Config
Extracted
Family
asyncrat
Version
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet
Default
C2
50.18.145.13:14445
Mutex
ixnmfejwycgpnjpuex
Attributes
-
delay
1
-
install
false
-
install_folder
%AppData%
aes.plain
1
ErT5O92jH7eBiIDvK6c1VIemiD2Fz51C
Signatures
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 216 be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe"C:\Users\Admin\AppData\Local\Temp\be6c2a1f8bba3d691f2622d80836db706fbb747e38640cc326b797fc00e916c7.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:216
Network
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request69.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request55.36.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request147.142.123.92.in-addr.arpaIN PTRResponse147.142.123.92.in-addr.arpaIN PTRa92-123-142-147deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301534_15LL3F24A66A7QZTI&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239317301534_15LL3F24A66A7QZTI&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 931905
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D94192D1D3384B41B0AB4789497B50D2 Ref B: LON04EDGE1114 Ref C: 2024-07-27T16:02:06Z
date: Sat, 27 Jul 2024 16:02:06 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388067_10M827BSAV5684WY4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239339388067_10M827BSAV5684WY4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 504771
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 962E10137FBD49EEB54F2845B8B965D7 Ref B: LON04EDGE1114 Ref C: 2024-07-27T16:02:06Z
date: Sat, 27 Jul 2024 16:02:06 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 746576
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 188E0270687243F888795073199A642C Ref B: LON04EDGE1114 Ref C: 2024-07-27T16:02:06Z
date: Sat, 27 Jul 2024 16:02:06 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388066_1AA9APVCK1AKO8GXG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239339388066_1AA9APVCK1AKO8GXG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 974623
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9C1B72333D1D48BC9587566C4BF38CD3 Ref B: LON04EDGE1114 Ref C: 2024-07-27T16:02:06Z
date: Sat, 27 Jul 2024 16:02:06 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301101_17QUECVB8G2ENL5IH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239317301101_17QUECVB8G2ENL5IH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 462432
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B8FDF4BD738F4A899299667AD8D1841C Ref B: LON04EDGE1114 Ref C: 2024-07-27T16:02:07Z
date: Sat, 27 Jul 2024 16:02:07 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 657438
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A24F5B5BD4614800BAEEE695AA9433DC Ref B: LON04EDGE1114 Ref C: 2024-07-27T16:02:08Z
date: Sat, 27 Jul 2024 16:02:07 GMT
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
150.171.28.10:443https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http2152.1kB 4.4MB 3256 3249
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301534_15LL3F24A66A7QZTI&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388067_10M827BSAV5684WY4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418549_1ZU8FEFK0ERHP4923&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388066_1AA9APVCK1AKO8GXG&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301101_17QUECVB8G2ENL5IH&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239340418550_1B8YD3DMBL24NYO16&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200HTTP Response
200HTTP Response
200 -
1.2kB 6.8kB 15 12
-
1.4kB 6.9kB 16 13
-
1.4kB 6.9kB 16 13
-
1.5kB 6.9kB 16 13
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 160 B 5 4
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
260 B 200 B 5 5
-
156 B 80 B 3 2
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
69.31.126.40.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
55.36.223.20.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
147.142.123.92.in-addr.arpa
-
62 B 170 B 1 1
DNS Request
tse1.mm.bing.net
DNS Response
150.171.28.10150.171.27.10
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa