Overview

overview

10

Static

static

10

Apsgmjd_Be...bf.exe

windows7-x64

10

Apsgmjd_Be...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 06:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Apsgmjd_Belphegor_obf.exe

  • Size

    188KB

  • MD5

    a37ccab1ff586abb6e43113ab8a2b10d

  • SHA1

    b9b97fc3bdcf3eb35ad68130a34ecaceef936bac

  • SHA256

    46af4880547cfe5d6c873f86f7b172640ddffd445794dcbc213ebb399e38a226

  • SHA512

    733115ebe0a453b6aef0e73677525c5f2e3aec1bb1327794db20d2403fdf62fac5ef4ba6d951d03904e877de6475032840eb0b4272a62e8a97d818cbbb2a8aeb

  • SSDEEP

    3072:7BhYrfk5BR4ko5ZTFW9bwFaqiUrD7Lz6U+x+:ckl5QNFW9b2aqDnJ+

Score
10/10
asyncratdiscoverypersistencerat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Apsgmjd_Belphegor_obf.exe
    "C:\Users\Admin\AppData\Local\Temp\Apsgmjd_Belphegor_obf.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB84.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:4828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpCB84.tmp.bat
    Filesize

    173B

    MD5

    d9737a05f76a1371e17dd8fc7e7a3024

    SHA1

    5930c2fb2d0a92ee0918d1b70a6e03d36f6ef7a0

    SHA256

    eb0da6c145b2b741895eea917206e33cd24a812dce18dfcbfc1d121cca3d8478

    SHA512

    2de72048b72f8a75f4d0259f8952cb105105c9eceea16bf71d8810fadf93e437bdbeb5af8d1f08a3ace1fb6e2534933b91f4a1e0b4d2b80004d210443f3fd6c4

    Download Submit

  • memory/1860-10-0x0000000006B30000-0x0000000006B96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1860-11-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1860-3-0x0000000005680000-0x0000000005C24000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1860-4-0x0000000074BB0000-0x0000000075360000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1860-5-0x00000000063A0000-0x0000000006432000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1860-6-0x0000000006340000-0x000000000634A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1860-2-0x0000000002A70000-0x0000000002AA2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1860-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1860-9-0x0000000006A90000-0x0000000006B2C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1860-12-0x0000000074BB0000-0x0000000075360000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1860-13-0x0000000000F80000-0x0000000000FF6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1860-14-0x0000000000F10000-0x0000000000F7C000-memory.dmp

    Filesize

    432KB

    Download

  • memory/1860-15-0x0000000001050000-0x000000000106E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1860-1-0x0000000000790000-0x00000000007C6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1860-20-0x0000000074BB0000-0x0000000075360000-memory.dmp

    Filesize

    7.7MB

    Download