Overview

overview

10

Static

static

3

XBinderOutput.exe

windows7-x64

10

XBinderOutput.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 17:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XBinderOutput.exe

  • Size

    64KB

  • MD5

    7ca5852a9d6d8c6d86ed1d0c0814a9f6

  • SHA1

    692ef8e9600163e66508dd27cbbded5be2f9dda5

  • SHA256

    92ec5fd1a2c0aa1c565b93b5c2f8d9e472346014a0927182865b7c830aa3c7cd

  • SHA512

    3fb5c4a95b6c1fb4db20810d824192aa8b4dc35535151eaad02a60e0a24df38e452d52a8912fb8d114d7d0d58456763cf3eb739086fdb72f838f235e88f877b8

  • SSDEEP

    1536:YzUmkjlbRxKrE99uExdTlM28i5pzDwl2qay:e50lb7KrE93Mw7wl2S

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

one-accordance.gl.at.ply.gg:9590

Attributes
  • delay

    1

  • install

    true

  • install_file

    Windows Defender.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes
  • delay

    3

  • install

    true

  • install_file

    System32.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
    "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:700
    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:388
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2980
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DE8.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5080
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:4464
        • C:\Users\Admin\AppData\Roaming\Windows Defender.exe
          "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2960
    • C:\Users\Admin\AppData\Local\Temp\Start.exe
      "C:\Users\Admin\AppData\Local\Temp\Start.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4136
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4104
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9829.tmp.bat""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4556
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:552
        • C:\Users\Admin\AppData\Roaming\System32.exe
          "C:\Users\Admin\AppData\Roaming\System32.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4640
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "System32"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:628
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /delete /f /tn "System32"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2240
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCBA8.tmp.bat""
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4256
            • C:\Windows\SysWOW64\timeout.exe
              timeout 3
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:4860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    Filesize

    63KB

    MD5

    aba726ec9183c855cfa084ee66f49f7f

    SHA1

    f12f9cf0920b0d3a76bb16027539ba0c13da035d

    SHA256

    fb680425e6edc0fa4d2fe526cd78d6ec69683fcafe57744993c8b7192b2c0a71

    SHA512

    a03a1c596e9570c6766d051d76e1a14894852cfa3889dd567f9e187be1055a49479355b8ed3a876a2934308aac945b232c1b206664614b66791ed0cc1f0b5c1f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Start.exe
    Filesize

    45KB

    MD5

    b733e729705bf66c1e5c66d97e247701

    SHA1

    25eec814abdf1fc6afe621e16aa89c4eb42616b9

    SHA256

    9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

    SHA512

    09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp8DE8.tmp.bat
    Filesize

    160B

    MD5

    abad90da2679fe64f05dfae23928c56d

    SHA1

    0eebe95fbf61584b67b537646a013ed6a5d0545d

    SHA256

    aa958828000af00f7a1b5eddfa768124c4e2abd7946378cd4eefc84153a585dd

    SHA512

    9b239ceea31da4f6a652b894bb79200f291dbd356cd6d96659fbc76e73ec6ffd21befe4998e8cea23955055aeaa8a84f15911b07ca6a23ddb0474aff19d728a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp9829.tmp.bat
    Filesize

    152B

    MD5

    c26334459fabc4583558a82915575a4e

    SHA1

    0679a788f459a2fe3fc62ba54827f48e8a838a01

    SHA256

    f5e6f824c9041458aca8cbd02b9cf288ae216967423dcb843030435f8945b432

    SHA512

    e51a589fc8d575e5dde777850a094f936a65bf79c05298bb35ab38f8448d4dc44780abc49b27ffdaef558e47c45052c545bf666cba9ee7b11615aa8c5d1a0081

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpCBA8.tmp.bat
    Filesize

    157B

    MD5

    d8452555ba11b232716a0bd3d7325014

    SHA1

    9f6f0e8dee0719c7b50fa5553453b4ae64bc599b

    SHA256

    8e86df5d9d97af4aca8824cd48c3b4643dc00fe1e493fa804cf85fac291b5c02

    SHA512

    b5124d4cee302fee549aa04b65cb7b783cc521c7f0a4c485560b9e195ada61933c6532fe6259269687cbff57839789f2e140b88feac8f084cf690670d0078e5f

    Download Submit

  • memory/224-24-0x00000000002D0000-0x00000000002E6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/224-33-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/224-26-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/700-1-0x0000000000D40000-0x0000000000D56000-memory.dmp

    Filesize

    88KB

    Download

  • memory/700-0-0x00007FFBC4243000-0x00007FFBC4245000-memory.dmp

    Filesize

    8KB

    Download

  • memory/700-10-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/700-45-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2104-27-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2104-28-0x0000000000300000-0x0000000000312000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2104-35-0x0000000004BB0000-0x0000000004C4C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2960-62-0x000000001B650000-0x000000001B66E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2960-61-0x000000001B620000-0x000000001B654000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2960-60-0x000000001D300000-0x000000001D376000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4640-51-0x0000000005AC0000-0x0000000006064000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4640-55-0x0000000006520000-0x000000000653E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4640-54-0x00000000010B0000-0x0000000001114000-memory.dmp

    Filesize

    400KB

    Download

  • memory/4640-53-0x0000000001130000-0x00000000011A6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4640-52-0x0000000005510000-0x0000000005576000-memory.dmp

    Filesize

    408KB

    Download