Resubmissions

22-11-2024 05:56

241122-gnhl5svqcv 10

22-11-2024 05:53

241122-glkcysvqbs 10

Analysis

  • max time kernel
    106s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-11-2024 05:56

General

  • Target

    Infected.exe

  • Size

    63KB

  • MD5

    c8b877cb0d39bd95d7069f5b4c23612a

  • SHA1

    5fb64bfb87b525c12d424baeb3128ddcde85a4de

  • SHA256

    a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145

  • SHA512

    0b1fb239a7eaad73e9d965e5ffa9b8ad0ebf44e5e799ffb0570eafa4c4895d936619321bf577d89ff6c31b338854d667fafc8317bfea40c7f9a7d6fe397bcab0

  • SSDEEP

    768:tYtz5i7QHEU78j8C8A+Xi+azcBRL5JTk1+T4KSBGHmDbD/ph0oXcpBSuZCdpqKYC:tGIgE8ddSJYUbdh9XuZCdpqKmY7

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

consumer-cms.gl.at.ply.gg:2155

Attributes
  • delay

    1

  • install

    true

  • install_file

    SteamWebHelper.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, such as saved credentials.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Infected.exe
    "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SteamWebHelper" /tr '"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "SteamWebHelper" /tr '"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"'
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:184
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9182.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:228
      • C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe
        "C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3500
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "SteamWebHelper"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2196
          • C:\Windows\system32\schtasks.exe
            schtasks /delete /f /tn "SteamWebHelper"
            5⤵
            PID:1968
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BAC.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1368
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:4648
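The schtasks persistence, the timeout-delayed batch relaunch and the self-copy to %AppData% recorded in the Signatures and Processes sections above are the behaviours a detection would key on. The following Python is an added example, not part of the Triage report and not AsyncRAT's own code: it walks the process records and the two SHA256 values transcribed from this report and flags that chain. The rule names, the list of user-writable directories and the parsing regexes are this example's own assumptions, not something the report states.

```python
"""Triage the AsyncRAT install chain recorded in the sandbox process tree.

Added example, not part of the Triage report or of AsyncRAT's own code.
The process records and SHA256 values are transcribed from the report;
the rule names, path list and regexes are this example's assumptions.
"""
import re
from collections import defaultdict

# (pid, parent pid, command line) transcribed from the Processes section.
PROCESSES = [
    (2640, 0, r'"C:\Users\Admin\AppData\Local\Temp\Infected.exe"'),
    (2940, 2640, r''' "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "SteamWebHelper" /tr '"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"' & exit'''),
    (184, 2940, r"""schtasks /create /f /sc onlogon /rl highest /tn "SteamWebHelper" /tr '"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"'"""),
    (2740, 2640, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9182.tmp.bat""'),
    (228, 2740, r'timeout 3'),
    (3500, 2740, r'"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe"'),
    (2196, 3500, r'"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "SteamWebHelper"'),
    (1968, 2196, r'schtasks /delete /f /tn "SteamWebHelper"'),
    (1368, 3500, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BAC.tmp.bat""'),
    (4648, 1368, r'timeout 3'),
]

# SHA256 of the submitted sample and of the file it dropped, from the report.
SHA256 = {
    r"C:\Users\Admin\AppData\Local\Temp\Infected.exe":
        "a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145",
    r"C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe":
        "a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145",
}

# Directories an unprivileged user can write to (assumed list for this example).
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)
# Command line whose image is schtasks itself (not the cmd.exe wrapper that spawned it).
SCHTASKS = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?schtasks(?:\.exe)?"?\s+/(create|delete)\b', re.I)
TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)', re.I)
TASK_RUN = re.compile(r'''/tr\s+['"]+([^'"]+)''', re.I)
SCHEDULE = re.compile(r'/sc\s+(\w+)', re.I)
RUN_LEVEL = re.compile(r'/rl\s+(\w+)', re.I)
TEMP_BAT = re.compile(r'\\Temp\\tmp[0-9A-F]+\.tmp\.bat', re.I)


def parse_schtasks(cmdline):
    """Return the fields of a schtasks /create or /delete command line, or None."""
    m = SCHTASKS.match(cmdline)
    if not m:
        return None

    def grab(rx):
        g = rx.search(cmdline)
        return g.group(1) if g else ""

    return {"verb": m.group(1).lower(), "name": grab(TASK_NAME), "target": grab(TASK_RUN),
            "schedule": grab(SCHEDULE).lower(), "runlevel": grab(RUN_LEVEL).lower()}


def triage(processes, sha256):
    """Return (rule, pid, subject, detail) findings for the AsyncRAT install pattern."""
    cmd_of = {pid: cmd for pid, _, cmd in processes}
    children = defaultdict(list)
    for pid, ppid, _ in processes:
        children[ppid].append(pid)
    findings, created = [], set()

    for pid, _, cmd in processes:
        task = parse_schtasks(cmd)
        if not task:
            continue
        if task["verb"] == "create":
            created.add(task["name"])
            # Logon/boot trigger + highest run level + binary in a user-writable directory.
            if (task["schedule"] in ("onlogon", "onstart") and task["runlevel"] == "highest"
                    and USER_WRITABLE.search(task["target"])):
                findings.append(("schtasks_highest_from_user_path", pid, task["name"], task["target"]))
        elif task["name"] in created:
            # The installed copy deletes the task its dropper created (as in the report tree).
            findings.append(("task_self_delete", pid, task["name"], ""))

    for pid, _, cmd in processes:
        # cmd.exe running a %TEMP%\tmpXXXX.tmp.bat whose children are timeout.exe and
        # an EXE launched from a user-writable directory: the delayed relaunch stub.
        if TEMP_BAT.search(cmd):
            kids = [cmd_of[c] for c in children[pid]]
            delayed = any(re.match(r'timeout(?:\.exe)?\s+\d+', k, re.I) for k in kids)
            launched = [k.strip('"') for k in kids if re.search(r'\\AppData\\.*\.exe"?$', k, re.I)]
            if delayed and launched:
                findings.append(("batch_delay_launcher", pid, launched[0], ""))

    # The "dropped" file is byte-identical to the submitted sample: a self-copy, not a second stage.
    by_hash = defaultdict(list)
    for path, digest in sha256.items():
        by_hash[digest].append(path)
    for digest, paths in by_hash.items():
        if len(paths) > 1:
            findings.append(("self_copy", 0, digest, tuple(paths)))
    return findings


if __name__ == "__main__":
    for rule, pid, subject, detail in triage(PROCESSES, SHA256):
        print(f"{rule:32} pid={pid or '-':<6} {subject} {detail}")
```

Run stand-alone it reports four findings: the onlogon task pointing into %AppData% (PID 184), the same task deleted by the installed copy (PID 1968), the tmp9182.tmp.bat stub that waits with timeout 3 and then starts SteamWebHelper.exe (PID 2740), and the matching SHA256 of Infected.exe and SteamWebHelper.exe. The task-creation rule deliberately requires all three conditions (logon or boot trigger, /rl highest, target under a user-writable path) so that an administrator's task running a binary under Program Files does not fire; the second tmp1BAC.tmp.bat run produces no finding because the report shows only timeout.exe under it.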

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp1BAC.tmp.bat

      Filesize

      163B

      MD5

      d097643a3709bec458b77adf8a821f23

      SHA1

      49bfb42a061cf26dc6faa299f07aa4214c24f3db

      SHA256

      7941ab053d3073a87644431c41e5d0053a959a6c0e3112b33546fef5cfc4d5e6

      SHA512

      e4520f8d2b6cbf0845705df54e7b5fd2e6cb562d9ff3f555af4feaa8b84300061910ffe967952792bdebda2d8813aeefe4837e3670e603ccdf0455b7d1d45800

    • C:\Users\Admin\AppData\Local\Temp\tmp9182.tmp.bat

      Filesize

      158B

      MD5

      58f60d5cd21b7bc8194e3a6d36dd0001

      SHA1

      d378cffa27e70b9a76676904d1cd097d3528f7dc

      SHA256

      e39a2d9c2c34367702d8f357551f67b5b574ec2f0a1896dd6031bf446e8c6fb5

      SHA512

      e2d24f737395cf19dacda22b87902b26d6881a2ab93a8b1e3f86b6888ec840cab80a9f378a90e192fa1164b3607aedda5c5eecd658a13cc58ab07c8cba0965ea

    • C:\Users\Admin\AppData\Roaming\SteamWebHelper.exe

      Filesize

      63KB

      MD5

      c8b877cb0d39bd95d7069f5b4c23612a

      SHA1

      5fb64bfb87b525c12d424baeb3128ddcde85a4de

      SHA256

      a2026da11259eef54d6162eafef538d915895fcd42d42dae5d0c65c975c07145

      SHA512

      0b1fb239a7eaad73e9d965e5ffa9b8ad0ebf44e5e799ffb0570eafa4c4895d936619321bf577d89ff6c31b338854d667fafc8317bfea40c7f9a7d6fe397bcab0

    • memory/2640-7-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

    • memory/2640-8-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

    • memory/2640-1-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

      Filesize

      88KB

    • memory/2640-2-0x00007FFD78110000-0x00007FFD78BD1000-memory.dmp

      Filesize

      10.8MB

    • memory/2640-0-0x00007FFD78113000-0x00007FFD78115000-memory.dmp

      Filesize

      8KB

    • memory/3500-15-0x000000001CFB0000-0x000000001D026000-memory.dmp

      Filesize

      472KB

    • memory/3500-16-0x000000001ACD0000-0x000000001AD02000-memory.dmp

      Filesize

      200KB

    • memory/3500-17-0x000000001AD00000-0x000000001AD1E000-memory.dmp

      Filesize

      120KB

    • memory/3500-18-0x000000001E5C0000-0x000000001E614000-memory.dmp

      Filesize

      336KB

    • memory/3500-19-0x000000001E5B0000-0x000000001E5C0000-memory.dmp

      Filesize

      64KB

    • memory/3500-20-0x0000000000930000-0x0000000000994000-memory.dmp

      Filesize

      400KB