Analysis
-
max time kernel
295s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20240730-en -
resource tags
-
submitted
02-08-2024 08:43
General
-
Target
Builder.exe
-
Size
7.1MB
-
MD5
479c20170f53c96f24c77610b86fa352
-
SHA1
99c1c05a229e9b2e6f812f0fa7db4ac78c9cae1e
-
SHA256
df814ecf5dd2f631b9b728148c00ba2973b6efbb06364c5a4f0883ddad2549ea
-
SHA512
1c6a7e336f64283dfd2ebb3c259f84bd87f32d7d70d8783e11b45878677c3e95b45c9e7f73ae2c77d3860f95bf6cb85bf85e4fe3ca1d311f9cf153d642f27d61
-
SSDEEP
196608:Zmx49UBA1HeT39Iig/f1ncKOVVtk7HdGtQbNPUQ:0aT1+TtIio0VQ9G6r
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot6758433214:AAHsOKdFy4qDz6vRHO6UQUpRG85G-wZvC1Y/sendMessage?chat_id=6234857847
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Async RAT payload 1 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 7 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Builder.exe"C:\Users\Admin\AppData\Local\Temp\Builder.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Builder.exe"C:\Users\Admin\AppData\Local\Temp\Builder.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\\Builder.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Builder.exeC:\\Builder.exe4⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All5⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile6⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr All6⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650016⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show networks mode=bssid6⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
175KB
MD5f0cfc7f8ad2f1decd4a35d98b6328b9a
SHA149bb49729ffa4fe2d9e7430338361d0be1478e49
SHA2569d9e37366bb8cf978f78b94e97fd457b6751baeae703252c7fde6cf852306856
SHA512916cc4b6d88e4d0c1c528c31f65ba4697a54780f56b1fb33c4946c260b401405bc94628bc91791f298db69f79b4044b95bcb4f75289e0357e1a664bfc98e7d42
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
83KB
MD55bebc32957922fe20e927d5c4637f100
SHA1a94ea93ee3c3d154f4f90b5c2fe072cc273376b3
SHA2563ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62
SHA512afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6
-
Filesize
251KB
MD5492c0c36d8ed1b6ca2117869a09214da
SHA1b741cae3e2c9954e726890292fa35034509ef0f6
SHA256b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1
SHA512b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0
-
Filesize
64KB
MD5da02cefd8151ecb83f697e3bd5280775
SHA11c5d0437eb7e87842fde55241a5f0ca7f0fc25e7
SHA256fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354
SHA512a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283
-
Filesize
156KB
MD5195defe58a7549117e06a57029079702
SHA13795b02803ca37f399d8883d30c0aa38ad77b5f2
SHA2567bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a
SHA512c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b
-
Filesize
81KB
MD5dd8ff2a3946b8e77264e3f0011d27704
SHA1a2d84cfc4d6410b80eea4b25e8efc08498f78990
SHA256b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085
SHA512958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8
-
Filesize
1.3MB
MD555df3c98d18ec80bc37a6682ba0abcbb
SHA1e3bf60cfecfee2473d4e0b07057af3c27afa6567
SHA256d8de678c0ac0cecb7be261bda75511c47e6a565f0c6260eacf240c7c5039753b
SHA51226368c9187155ee83c450bfc792938a2908c473ba60330ce95bcc3f780390043879bbff3949bd4a25b38343eac3c5c9ba709267959109c9c99a229809c97f3bd
-
Filesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
Filesize
175KB
MD55b068d0a62619c9dbefda88cfb4a85e0
SHA1b9fc2b451046f5496d80f59bb09089a1cf28c580
SHA25649d2aa8a7cb811a0f3d4c00ed909a25bcdbb6a585af75f34fe2b92da1ac6a234
SHA5126e6e949ae2691103cdcf79d57551714f9506c768f427d722115157efaa5e5a812e992f43ef1627e2316c0218142179100444df4e514195151fde52e407edaa23
-
Filesize
6.6MB
MD5d521654d889666a0bc753320f071ef60
SHA15fd9b90c5d0527e53c199f94bad540c1e0985db6
SHA25621700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2
SHA5127a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3
-
Filesize
30KB
MD5d0cc9fc9a0650ba00bd206720223493b
SHA1295bc204e489572b74cc11801ed8590f808e1618
SHA256411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019
SHA512d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b
-
Filesize
1.1MB
MD5cc8142bedafdfaa50b26c6d07755c7a6
SHA10fcab5816eaf7b138f22c29c6d5b5f59551b39fe
SHA256bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268
SHA512c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
4KB
MD5d16cf459bc9ac355a7ac3d23374b0454
SHA10a7fb6f4704535f443e07659b33ac52647ebd6ed
SHA256bc990c4ddc6d0c0605cd04b5664d6887a5f95f32921ac35c2e9ce79ae0de0a17
SHA5120d7f2ad3cec255ddc488399ff1f15475ef9809a9e2a33b8607cfb45745dc466bd47602eb2afa195dd067edd8318c7020fd4a10a2d92365ade6ec01af6743b5bc
-
Filesize
200KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB