Analysis
-
max time kernel
153s -
max time network
209s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
05-08-2024 08:49
General
-
Target
Infected.exe
-
Size
63KB
-
MD5
6ebf955e667eca74175c3542178de4d6
-
SHA1
ede474b8c1b9101424415e3b58087f1460024c31
-
SHA256
3a280f118c4f7ac82065573f90304f21133cdb63ca937538fb204044b5a5af97
-
SHA512
7c42c092074dcf9b664c1b0bf08d67e19880bb61bbc99411bebdabc5ff30494f6e7a9921c09434c7ad5abf1846d3779ad126c69e49841f6600f68d97b9f460fb
-
SSDEEP
768:Cil3pYNlrm78RIC8A+XjqazcBRL5JTk1+T4KSBGHmDbD/ph0oXlE24NEMSuLbpqM:jyr0AdSJYUbdh9+vYuLbpqKmY7
Malware Config
Extracted
asyncrat
testing
147.185.221.21:35374
-
delay
1
-
install
true
-
install_file
sigma.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Async RAT payload 1 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 63 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Infected.exe"C:\Users\Admin\AppData\Local\Temp\Infected.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "sigma" /tr '"C:\Users\Admin\AppData\Roaming\sigma.exe"'3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9059.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\sigma.exe"C:\Users\Admin\AppData\Roaming\sigma.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\findstr.exefindstr All5⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\findstr.exefindstr All5⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
114KB
MD50314b66f9eb938be8129e7b72a6dfe4d
SHA1f524526636d7e3df1c2d6fc4d3a530ec2b40f5a6
SHA25696f64dc6baf4363b64cf944be7e45a0400e535951510200007a4bdd68d1788d8
SHA512ce7622f34a755687816868f1d26c069cefc69b2a630f333d3c49203e4aa285a312e693c4875f8ce709778ffb2e7f9376269f795063f665f18efaf7550e956194
-
Filesize
160KB
MD5f310cf1ff562ae14449e0167a3e1fe46
SHA185c58afa9049467031c6c2b17f5c12ca73bb2788
SHA256e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855
SHA5121196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad
-
Filesize
5.0MB
MD57367c79c5371210ee11b636ad2dfe9c8
SHA1918a195fe480bbaf1d3f06af151874641ef6ff48
SHA256e4fbfcb98867e877047f75335865537d4872fd839c5187b7f392a6b9fbc19fb6
SHA5120965ce063c23c42226d7e8d8202279260ea2e3853e996351286c8505f5ca17c17f68e281a10ef6cef4ab30d1ac01984a7b6980630eace5b5262ee8cfec6b35c9
-
Filesize
149B
MD52d147e1bacfeb1848355453c182c35de
SHA1fd90d443f28b72e86033b33904cf93d5e6635b2f
SHA256725a1f2672016290d4204161d184c235e5753bb91eb300fbe48199cfd0728725
SHA512dc30b6be2beffb2681f5378a7554b3fc1604be8b3825e2dd272e8427296f77fbe3c987f4220487f2b8ebe2d82eb4482a7265fed11b5c83be7c5e4f090968369f
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
25B
MD5966247eb3ee749e21597d73c4176bd52
SHA11e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA2568ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa
-
Filesize
24B
MD568c93da4981d591704cea7b71cebfb97
SHA1fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA51263455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
-
Filesize
82KB
MD540655b22f374e2475cebc8491b5c06f6
SHA1937df2fe7c04c497750ed4f1057ad4007cf2239b
SHA256e8f4017f7dabcafd28ef5d2880dc8c3c5db4e8ec6b973c57743a57e21199fb83
SHA51250b91e696a6dce1f4bc00500f3c16e4ca96164da003f7e03a91729798277ddfd6d47782c53be691d296a8d265eecd01cd5fd9c8a19e29342999c4f3bd0bf197b
-
Filesize
3KB
MD5d893e8d9d5e0b1530750989e0a4b79fc
SHA17505cb91c35a346eeda2c009fa9c9817a1cbc641
SHA256a34bf837c946db579e5af53489b8c0195edec82a425c4774f3a564e97f38d344
SHA5120c443f9a63891a312272f620cc69e48e426adcf98039e0dad872d45bfea8b1eaf438207d05c59a8f41a304290754e398000ba4ec045b970adbbb6e03703bca4b
-
Filesize
4KB
MD5cf1bfe5715b08d1d646524fc14a538ac
SHA18c84dc3673998f6c01629c11688936a565548dd5
SHA25614ea90e28330d73797717262effba300842031541f18c69fedab05361f43818a
SHA51272b8c18fe5fee9d3c9145e626241a6503590f2dea7dbbded6e771f573a9e681f4ffb2e4c6efd9e77117639957092b9dc4e287bdbe040575b437041a2b1b3651e
-
Filesize
1KB
MD5ca05517fe444232bd0b89e65b0205356
SHA1671d0233d3cd3b0b7d3aaee99174a9b11604cf7b
SHA256f169d3aecc9a06832836c3e1ac8a69111e4fbdb43d1d9bed6d8559edf121db3f
SHA5125aa7f1ad1fd82aea4e439831b268566633a36ae6050f692eeab52ba9cbc08b02848dfc4bf332c141592bdfd4c59788e9bd92fad2a912ddc2045048dbe81c82e9
-
Filesize
668B
MD506b339e306e360cbe2232417a87e5a2b
SHA13aa69154a16511c4a549e80fe6dad2889f308e09
SHA256eb7354253ed99f44feba8b560cf1b50d8ac4743d3c14f8ca13094debca348af6
SHA512e3532ea99d93ef6fc7fafce034754371fb4f4540c0dbf810024e72fe7d109365705a35ca1aff74ebaaac33eb76aaa6bf3508333991b4b5c25c783f8238996e24
-
Filesize
765B
MD5510861d348bd0e7b7f1c71df3ceb41d3
SHA160859653ef296022d0ecb3e488b9c6ad2a4fc833
SHA256ae9de62bffdc50c2106ecf6e63649b01f0d59f17eb2a03165712e1aab0878197
SHA51273e8175e890184359471f1329ba75521cb157366d910c31c37f7c8630b6d2eb62236a5e794d7e25a0a0475eb5d28e0d77c17cfe637c34fd59ff908de28d22df2
-
Filesize
3KB
MD58ad2bf69ec9e5392c834157030f3f312
SHA194873166615db06a6a46169dcbf267afa19b520c
SHA25602381c5a655fc88560f3d716e18b4625b02541e58d5c660ca27ab5e2349a8805
SHA51258aeec4578b01911a491cebb5459fbb3ddd8b8d864ed26e170162f8817e020903af9b2b82b3770e892be5a9c7c04aa7a34bc03d84af84e08b50344c82d934909
-
Filesize
4KB
MD56931c229b5cb1fcf9358e1fe8dd0ad39
SHA15ca0c5dfad81945a875e8199bed56eb5b4321454
SHA256be79f442079c1eb6cee31f8812bc3711a60b9309052ece1f4263deb09e89aeec
SHA512befa289e02f1474c7eddb5e932d5ea7b4b97da2dcd5315e1d0c50b310a1c3a90dbc1500a80cf525af84c378d0348a613b7f84288f2834a3546ef10236cc9e3ec
-
Filesize
29B
MD571eb5479298c7afc6d126fa04d2a9bde
SHA1a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA5127c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd
-
Filesize
63KB
MD56ebf955e667eca74175c3542178de4d6
SHA1ede474b8c1b9101424415e3b58087f1460024c31
SHA2563a280f118c4f7ac82065573f90304f21133cdb63ca937538fb204044b5a5af97
SHA5127c42c092074dcf9b664c1b0bf08d67e19880bb61bbc99411bebdabc5ff30494f6e7a9921c09434c7ad5abf1846d3779ad126c69e49841f6600f68d97b9f460fb
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
488KB
-
Filesize
1.5MB
-
Filesize
120KB
-
Filesize
200KB
-
Filesize
424KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
8KB
