Analysis

  • max time kernel
    21s
  • max time network
    22s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/08/2024, 23:15 UTC

General

  • Target

    Fructose Checker.exe

  • Size

    9.7MB

  • MD5

    c9f3e6d590c86065a93b9a93efab2363

  • SHA1

    035c94447fb233dc962bb9a578b2a01b9a312e8e

  • SHA256

    49e31f8fbab7da57b575da0fcab3cc4f412c922c4af95416e68134de3d743844

  • SHA512

    a3a951fa341b8fda94fea428ace54b119966c1243b3e6ac419323e8bb17aa1251944d4a8d6783ffd15bf4cf246dd57e00afaa49311f73d655b0ad6b63224327d

  • SSDEEP

    196608:FtW1v4s39/4BsNYFRetQ+Ym9nLIUMBuiyObFrEUndTfyHdy2Cao7/NEeLurDRc:FmAsN/4GNY4QgLIZyMFVdfyMLJ7BLcDC

Malware Config

Extracted

  • Family

    asyncrat

  • Version

    | CRACKED BY https://t.me/xworm_v2

  • Botnet

    Default

  • C2

    googl3d.ddnsking.com:8808
    googl3d.ddnsking.com:8080
    googl3d.ddnsking.com:7707

  • Mutex

    AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Runtime.exe

  • install_folder

    %AppData%

aes.plain
1
pca3mLc1d8rR5FfZlO2wQCYen0wHZEg2

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fructose Checker.exe
    "C:\Users\Admin\AppData\Local\Temp\Fructose Checker.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3596
    • C:\Users\Admin\AppData\Local\Temp\Fructose Check.exe
      "C:\Users\Admin\AppData\Local\Temp\Fructose Check.exe"
      2⤵
      • Executes dropped EXE
      PID:1740
    • C:\Users\Admin\AppData\Local\Temp\Runtime.exe
      "C:\Users\Admin\AppData\Local\Temp\Runtime.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime" /tr '"C:\Users\Admin\AppData\Roaming\Runtime.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Runtime" /tr '"C:\Users\Admin\AppData\Roaming\Runtime.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE07D.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:388
        • C:\Users\Admin\AppData\Roaming\Runtime.exe
          "C:\Users\Admin\AppData\Roaming\Runtime.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3624

Network

  • DNS (US)
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • DNS (US)
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81.deploy.static.akamaitechnologies.com
  • DNS (US)
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
  • DNS (US)
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=703d26f40c7b47baa6f0f5e34e7feeba&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=703d26f40c7b47baa6f0f5e34e7feeba&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=007D71BDC9D267643C076563C8696612; domain=.bing.com; expires=Thu, 11-Sep-2025 23:16:32 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 0F62825BAC3E448184F87B9BD88F40F0 Ref B: LON04EDGE0920 Ref C: 2024-08-17T23:16:32Z
    date: Sat, 17 Aug 2024 23:16:32 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=703d26f40c7b47baa6f0f5e34e7feeba&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=703d26f40c7b47baa6f0f5e34e7feeba&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=007D71BDC9D267643C076563C8696612
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=IWKhPy4o6Nmh1tJcDnjpRaKdZk1p4jLOemgjErV1VXo; domain=.bing.com; expires=Thu, 11-Sep-2025 23:16:32 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1E60AD74D42D4784AEAA81FF46158332 Ref B: LON04EDGE0920 Ref C: 2024-08-17T23:16:32Z
    date: Sat, 17 Aug 2024 23:16:32 GMT
  • GET (US)
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=703d26f40c7b47baa6f0f5e34e7feeba&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=703d26f40c7b47baa6f0f5e34e7feeba&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=007D71BDC9D267643C076563C8696612; MSPTC=IWKhPy4o6Nmh1tJcDnjpRaKdZk1p4jLOemgjErV1VXo
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1566545793E8418C8002442DB3CA8239 Ref B: LON04EDGE0920 Ref C: 2024-08-17T23:16:32Z
    date: Sat, 17 Aug 2024 23:16:32 GMT
  • DNS (US)
    64.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    64.159.190.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    googl3d.ddnsking.com (process: Runtime.exe)
    Remote address:
    8.8.8.8:53
    Request
    googl3d.ddnsking.com
    IN A
    Response
  • DNS (US)
    googl3d.ddnsking.com (process: Runtime.exe)
    Remote address:
    8.8.8.8:53
    Request
    googl3d.ddnsking.com
    IN A
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=703d26f40c7b47baa6f0f5e34e7feeba&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=
    tls, http2
    2.0kB
    9.3kB
    21
    19

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=703d26f40c7b47baa6f0f5e34e7feeba&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=703d26f40c7b47baa6f0f5e34e7feeba&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=703d26f40c7b47baa6f0f5e34e7feeba&localId=w:F595C12A-38F0-79CD-7666-DE379BE74C7C&deviceId=6966569430194623&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    140 B
    133 B
    2
    1

    DNS Request

    81.144.22.2.in-addr.arpa

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    64.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    64.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    googl3d.ddnsking.com
    dns
    Runtime.exe
    66 B
    123 B
    1
    1

    DNS Request

    googl3d.ddnsking.com

  • 8.8.8.8:53
    googl3d.ddnsking.com
    dns
    Runtime.exe
    66 B
    1

    DNS Request

    googl3d.ddnsking.com


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Runtime.exe.log

    Filesize

    522B

    MD5

    acc9090417037dfa2a55b46ed86e32b8

    SHA1

    53fa6fb25fb3e88c24d2027aca6ae492b2800a4d

    SHA256

    2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b

    SHA512

    d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

  • C:\Users\Admin\AppData\Local\Temp\Fructose Check.exe

    Filesize

    22.4MB

    MD5

    1d00ccd2db1741957e59c130987c9a86

    SHA1

    11e8f9a13f84bdf5b9039a4b74835209ed4ad46e

    SHA256

    c08a5d04b4a42324a1d3bf8308f65f9dbb893a09f5f82134753dfb1cc307834f

    SHA512

    2ce4589ff25a17c8efd2026f4d0ba85beed3f8d75732c9c7a9113e3ff1d3fe158f3d280e1f6bce6bd93a02520d6abde2a2c67a648195006a8168ff998041e135

  • C:\Users\Admin\AppData\Local\Temp\Runtime.exe

    Filesize

    66KB

    MD5

    0433c7ab3456438e9f6ef3a02a78af76

    SHA1

    d179cd62d961db78f88d048bf7ced9c6dc46782a

    SHA256

    06b7a3e877810de0c28466b68e81066bb76b22db9541be32864c1dae5873f0b0

    SHA512

    214a7641d8a929f5a7bdbe47ad46fe4674e34d5f5fbf44c156f472aca4e1b091e447a18c4891f1289a0f08f2e3e3c1b85c990f412a42d0d8f5f331d300338cbc

  • C:\Users\Admin\AppData\Local\Temp\tmpE07D.tmp.bat

    Filesize

    151B

    MD5

    f8de202b18998b5b05d2a963963dac39

    SHA1

    6890780eab88b63574f4f36da0464facd684806a

    SHA256

    dccce237153e715b85262722e0e76efba3b4c90b4ceecdfde50179f349560864

    SHA512

    f18968e8afaa24549a7b75b13f39f83669b570eb863ae40ed4091be25f7535c4bb93c633d2ab8ab50c83af9d9a197763078f04aa6c558b0943d0910243ed5c4e

  • memory/1752-33-0x0000000004D60000-0x0000000004DFC000-memory.dmp

    Filesize

    624KB

  • memory/1752-29-0x000000007457E000-0x000000007457F000-memory.dmp

    Filesize

    4KB

  • memory/1752-30-0x00000000003A0000-0x00000000003B6000-memory.dmp

    Filesize

    88KB

  • memory/1752-32-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

  • memory/1752-38-0x0000000074570000-0x0000000074D20000-memory.dmp

    Filesize

    7.7MB

  • memory/3596-27-0x00007FFC8FB60000-0x00007FFC90621000-memory.dmp

    Filesize

    10.8MB

  • memory/3596-2-0x00007FFC8FB60000-0x00007FFC90621000-memory.dmp

    Filesize

    10.8MB

  • memory/3596-0-0x00007FFC8FB63000-0x00007FFC8FB65000-memory.dmp

    Filesize

    8KB

  • memory/3596-1-0x00000000004E0000-0x0000000000E98000-memory.dmp

    Filesize

    9.7MB

  • memory/3624-44-0x0000000005710000-0x0000000005CB4000-memory.dmp

    Filesize

    5.6MB

  • memory/3624-45-0x0000000005260000-0x00000000052F2000-memory.dmp

    Filesize

    584KB

  • memory/3624-46-0x0000000004F20000-0x0000000004F2A000-memory.dmp

    Filesize

    40KB