Overview

overview

10

Static

static

7

MailAcessC...ky.exe

windows7-x64

10

MailAcessC...ky.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-08-2024 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MailAcessCheckerbyxRisky.exe

  • Size

    10.4MB

  • MD5

    0bfe538046352ebb0d7b5fcd50a287ad

  • SHA1

    e76a0b5d42648df99604079af74931a333703ef3

  • SHA256

    a32ad92bc669d691f17c943761f30ebbdc17e85054595c648d78c1015ffcebb9

  • SHA512

    e938f69267ed773f26ec8b7d47d98b127c6f659ef04fde925484a1e755e20b435d61a2d3822274e23db48caaa1574c51ce3cb5c87c8c24109998bb0e0a58bfd2

  • SSDEEP

    196608:+6JnRoCYJnksvvcHbMdYWSm2iLRoyru5Q2ZGe/QDbA0SnTbja57K4q6:FPoVJnpqi+6XySReIqHjaQ4q

Score
10/10
asyncratdiscoveryevasionratthemidatrojan

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Mutex

AsyncMutex_7SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    ContainerRuntime.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/Kb8rTgY7

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MailAcessCheckerbyxRisky.exe
    "C:\Users\Admin\AppData\Local\Temp\MailAcessCheckerbyxRisky.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3260
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2452
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCD52.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1612
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:368
        • C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe
          "C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:4212
    • C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
      "C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe
    Filesize

    4.7MB

    MD5

    9f2beaa5ed3beba79c3e6b5f7a4b1246

    SHA1

    9e14e25d4045c45d2e856a73b300b3bdd008bce9

    SHA256

    4d97ed38044fe00d35f57d87102c56d07f411f081353b3ec77c22001aee65045

    SHA512

    560a1b877056176cc1e8c651da83ef4fd93e3029fb1ec8f8327ee04a971152e4d53f749d392830fbf31046ceb4d2527cc31632a677e7d95ab8b59250566926cf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MailKit.dll
    Filesize

    787KB

    MD5

    ba0255f547fab7eed60863ad27d24c97

    SHA1

    a5d095ac3d746eb400a314317a88c215d78cc304

    SHA256

    5fd7f167bdf289ae48b9f0f68e63c07370427d4eb8436005a5859b5bba3a7d2b

    SHA512

    e672daa19be91d84e5f2e0124b0508faeb241c91c6515f687a55b20d8febb2e2360e695aaf2e1d252e9ed0d494f71087315199f7b43eb6fa13949484ee177ea0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MetroSuite 2.0.dll
    Filesize

    305KB

    MD5

    0d30a398cec0ff006b6ea2b52d11e744

    SHA1

    4ceebd9c6180a321c4d4f3cfb5cfc3952bf72b45

    SHA256

    8604bf2a1fe2e94dc1ea1fbd0cf54e77303493b93994df48479dc683580aa654

    SHA512

    8e06ff131a81e73b1ff5de78262701a11ecc2bcdaf41011f4e96f11c5372742478e70b6a0901b61953c21c95725532af8d785654405ec5066ad157e2143467cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MimeKit.dll
    Filesize

    971KB

    MD5

    695ef3be6c2169067e0f1d9f7d99bc27

    SHA1

    24185ff27f8a64fb71abf29b8f1338492cd7c0c6

    SHA256

    78d4f282269afba07ba89d1434dc1c3f9c48097fc252e93cf94e493ac8c109fd

    SHA512

    b3c7d1cee7f6ae16d66caf1d39113c0b5fe1b7ac4fb813134450679c82a2d306293799efc66c4d2ffed703dbc3921136f3cb393c2c4452791c8681129c74ed36

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Filesize

    61KB

    MD5

    89ae031a0e2f7f28576a63d3c100dcaf

    SHA1

    6b26dfe7e76fbc96109a4d0773593443277978df

    SHA256

    acaa87f43a617016d09caeb26c1e30d9e9fd069fcbe2165723f80a0056aaf6bf

    SHA512

    aea507c78832cca5bf4b7c16ac5ba9b4b87028d2a99fbd1ca535a6336952516ab74571475f2a074b89b9c12754a2979803a3aba74c7a326f2c70a8431a7010d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpCD52.tmp.bat
    Filesize

    160B

    MD5

    662f549a2613b1104c6b676881bded43

    SHA1

    348ec40317cbf78889d85aeed63267dc884dbf60

    SHA256

    e96e77f386fbc99aeb48b4bfcbdbcc93eaea8acfe16820b3cf91deff5d156ac2

    SHA512

    73498d327c55b90fd5c9502c72e3c888098fe2afaff578467645fd4ab9ab97dbc26c90b826ca675a388db482e9350f5d14ca7473cae9a8f5ca31bd38a22dec47

    Download Submit

  • memory/532-59-0x0000000006750000-0x0000000006CF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/532-61-0x0000000006090000-0x000000000609A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/532-50-0x0000000005AD0000-0x0000000005B9C000-memory.dmp

    Filesize

    816KB

    Download

  • memory/532-60-0x0000000006240000-0x00000000062D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/532-54-0x00000000060A0000-0x000000000619A000-memory.dmp

    Filesize

    1000KB

    Download

  • memory/532-62-0x0000000006D60000-0x0000000006DB6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/532-58-0x0000000006000000-0x0000000006054000-memory.dmp

    Filesize

    336KB

    Download

  • memory/532-63-0x0000000077310000-0x0000000077400000-memory.dmp

    Filesize

    960KB

    Download

  • memory/532-73-0x0000000077310000-0x0000000077400000-memory.dmp

    Filesize

    960KB

    Download

  • memory/532-46-0x0000000000D50000-0x000000000120E000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/532-74-0x0000000077310000-0x0000000077400000-memory.dmp

    Filesize

    960KB

    Download

  • memory/544-11-0x0000000000820000-0x00000000017D8000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/544-5-0x0000000077310000-0x0000000077400000-memory.dmp

    Filesize

    960KB

    Download

  • memory/544-44-0x0000000000820000-0x00000000017D8000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/544-1-0x0000000077330000-0x0000000077331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/544-4-0x0000000077310000-0x0000000077400000-memory.dmp

    Filesize

    960KB

    Download

  • memory/544-12-0x0000000005E40000-0x0000000005EDC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/544-0-0x0000000000820000-0x00000000017D8000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/544-10-0x0000000000820000-0x00000000017D8000-memory.dmp

    Filesize

    15.7MB

    Download

  • memory/544-2-0x0000000077310000-0x0000000077400000-memory.dmp

    Filesize

    960KB

    Download

  • memory/544-6-0x0000000077310000-0x0000000077400000-memory.dmp

    Filesize

    960KB

    Download

  • memory/544-45-0x0000000077310000-0x0000000077400000-memory.dmp

    Filesize

    960KB

    Download

  • memory/544-3-0x0000000077310000-0x0000000077400000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1036-68-0x0000000077310000-0x0000000077400000-memory.dmp

    Filesize

    960KB

    Download

  • memory/1036-24-0x00000000005E0000-0x00000000005F6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1036-25-0x0000000077310000-0x0000000077400000-memory.dmp

    Filesize

    960KB

    Download