Analysis
max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28-10-2024 19:43
Static task: static1
Behavioral task behavioral1: Sample Rose_1_1_4_2.zip, Resource win7-20240903-en
Behavioral task behavioral2: Sample Rose_1_1_4_2.zip, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample Rose_1_1_4_2/RoseMenu.dll, Resource win7-20241010-en
Behavioral task behavioral4: Sample Rose_1_1_4_2/RoseMenu.dll, Resource win10v2004-20241007-en
Behavioral task behavioral5: Sample Rose_1_1_4_2/Rose_İnjector.exe, Resource win7-20240903-en
General
Target: Rose_1_1_4_2/Rose_İnjector.exe
Size: 108KB
MD5: 17f7206a7e2535c2757a2e28af6c13c8
SHA1: 5cea3e60c35b8da9e1520832071ca52b98991797
SHA256: 8f1d00324051a90eb2ca14d2d68946b78d89e36ed3ce9082af05da5b38c04457
SHA512: 15c3ea73fd01290171448f0e0dea4a3b2919448c35116d9bcce99f6e81be063ba6fccef7ec1b71fcce3056c15f0099130d21edd5372fb7f46cfcae5f7c2dec39
SSDEEP: 1536:eztgRnOxvwiHj+4c4ajjlKINra4Op/XiCwVjq0CHKX9xB:ez6O2iqKCjjm1/Xi34HKX9L
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
sazan
rdzbojdvoiqafvcuqj
delay: 1
install: false
install_folder: %AppData%
pastebin_config: https://pastebin.ai/raw/it4zrvblz1
Signatures
Asyncrat family
Async RAT payload (1 IoC)
Processes:
resource C:\Users\Admin\AppData\Roaming\Client.exe, yara_rule family_asyncrat
Executes dropped EXE (2 IoCs)
Processes:
pid 2288, process Client.exe
pid 1672, process Rose_Injector.exe
Loads dropped DLL (1 IoC)
Processes:
pid 1016, process Rose_İnjector.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes:
pid 1672, process Rose_Injector.exe (2 entries)
pid 2288, process Client.exe (the remaining 48 entries, all identical)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
Token: SeDebugPrivilege, pid 1672, process Rose_Injector.exe
Token: SeDebugPrivilege, pid 2288, process Client.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid 2288, process Client.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
PID 1016 (Rose_İnjector.exe) wrote to memory of PID 2288 (Client.exe), 3 entries
PID 1016 (Rose_İnjector.exe) wrote to memory of PID 1672 (Rose_Injector.exe), 3 entries
Processes
C:\Users\Admin\AppData\Local\Temp\Rose_1_1_4_2\Rose_İnjector.exe
command line: "C:\Users\Admin\AppData\Local\Temp\Rose_1_1_4_2\Rose_İnjector.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1016
  child process: C:\Users\Admin\AppData\Roaming\Client.exe
  command line: "C:\Users\Admin\AppData\Roaming\Client.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 2288
  child process: C:\Users\Admin\AppData\Roaming\Rose_Injector.exe
  command line: "C:\Users\Admin\AppData\Roaming\Rose_Injector.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1672
Network
MITRE ATT&CK Enterprise v15
Downloads
Download 1
Filesize: 74KB
MD5: 1e62f2d4b2155fe336bc8f449100554a
SHA1: 2506734f15d2b69270be7c922f008e7de9d839dd
SHA256: 16a3ba1c991f0d2c666e7f41528ccf65c477c094a8ff75b924289f564bf11498
SHA512: a14d75b76935b73af946f81370aa7c6874240dd907336bfdb09a70e8e088a8c6e1341fb8da7277477fb1328251ea1a52a9e8c1126d3c4b59b8dcf99191266ebf
Download 2
Filesize: 27KB
MD5: 8be0e3590df0a1337f9fb82630852376
SHA1: 6f0d6bc2ba3ab5cbbff94a944dd24c0eda0771d5
SHA256: 36a340af2f3f63c9be3546704985accb516135860a575ef6c655819d7998ed39
SHA512: 48714538160ddeddd9ff1834056daaef50f261401bd19e44b60af628f46ebc741c32dcc73ccbb546b325da79fd336cbfa79f31215008bf3578ea070ff8156d16