Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 08:46

General

  • Target

    e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe

  • Size

    1.2MB

  • MD5

    0528074646c46eb6ffb9e48903a32f28

  • SHA1

    9061cccc3f59146237e6deb056fc05ea4a1b5c6b

  • SHA256

    e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f

  • SHA512

    47f77fa8a67956d8106afac860efde3b7775598464f7f3cdb4c3f4c98b9fe95f85f49abf1ec44d2e2fa6ccd84df3f7f91a07900e0906f2777ae89cbbd340f677

  • SSDEEP

    24576:srORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaFjUSbRUu5+Jitsa+AxSpo:s2EYTb8atv1orq+pEiSDTj1VyvBaFRbF

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

104.244.72.108:9999

Mutex

ncfsoe5550321hojhanhrzxqoijhkjhgjkhgf

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.3.0.0

Botnet

CPU

C2

ejss.duckdns.org:2020

Mutex

QSR_MUTEX_sgY7Anj7tlDvpiNxYU

Attributes
  • encryption_key

    H7ySIe3YXqpHozYioZRn

  • install_name

    BlustacksHelp.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    BlustacksHelp

  • subdirectory

    BlustacksHelp

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • VenomRAT 2 IoCs

    Detects VenomRAT.

  • Venomrat family
  • Async RAT payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 29 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe
    "C:\Users\Admin\AppData\Local\Temp\e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 1 /RL HIGHEST /tn BlustacksHelper /tr %appdata%\Logistic\System.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 1 /RL HIGHEST /tn BlustacksHelper /tr C:\Users\Admin\AppData\Roaming\Logistic\System.exe /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2260
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 1 /RL HIGHEST /tn Blustacks /tr %appdata%\Logistic\svhost.exe /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 1 /RL HIGHEST /tn Blustacks /tr C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2212
    • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
      PowerShell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:appdata
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2796
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D6BF1054-2716-4786-B190-A132E265A86A} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe
      C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:380
    • C:\Users\Admin\AppData\Roaming\Logistic\System.exe
      C:\Users\Admin\AppData\Roaming\Logistic\System.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Logistic\System.exe

    Filesize

    348KB

    MD5

    30f290b9b4219713e4b49a726019fe68

    SHA1

    2fdb773ad1436b964d712ece9147c1b2f9973ad8

    SHA256

    55cf1e6f2e5c517b59374ab01d7ace7f55a8944ecd3da5d0504704b796865ef9

    SHA512

    54bf270b2075fbbc039b431e8802ea4cae4131880f9b95d4737cbde2e63c302f7e5f60a9aa92ff8b10b2a20e8f777aaad626587efbde4621530a9f66501e0aa9

  • C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe

    Filesize

    74KB

    MD5

    248232d65b1270519512905808e12d44

    SHA1

    dede341cac2a986edda5a3a08e5f5a5ea37811a1

    SHA256

    dfcc60537938dac1dee3d4b4163ca33c61a9e3bae98fe63cf2b1addbd3aa4e5a

    SHA512

    9440c013516e9a2c298b2cff2069f68a1d21c6d18bf7780bea2c0bf047a6f3b413cd279f341373d93ee09e9b6b06f825d7f6d123a6e4c07e55c11e4f677af4f0

  • memory/380-23-0x0000000001060000-0x0000000001078000-memory.dmp

    Filesize

    96KB

  • memory/1788-22-0x0000000000BD0000-0x0000000000C2E000-memory.dmp

    Filesize

    376KB

  • memory/2796-4-0x0000000002D40000-0x0000000002DC0000-memory.dmp

    Filesize

    512KB

  • memory/2796-5-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

    Filesize

    2.9MB

  • memory/2796-6-0x0000000001E90000-0x0000000001E98000-memory.dmp

    Filesize

    32KB