Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
17-12-2024 08:46
Static task
static1
Behavioral task
behavioral1
Sample
e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe
Resource
win7-20241010-en
General
-
Target
e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe
-
Size
1.2MB
-
MD5
0528074646c46eb6ffb9e48903a32f28
-
SHA1
9061cccc3f59146237e6deb056fc05ea4a1b5c6b
-
SHA256
e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f
-
SHA512
47f77fa8a67956d8106afac860efde3b7775598464f7f3cdb4c3f4c98b9fe95f85f49abf1ec44d2e2fa6ccd84df3f7f91a07900e0906f2777ae89cbbd340f677
-
SSDEEP
24576:srORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvaFjUSbRUu5+Jitsa+AxSpo:s2EYTb8atv1orq+pEiSDTj1VyvBaFRbF
Malware Config
Extracted
Family
asyncrat
Version
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet
Default
C2
104.244.72.108:9999
Mutex
ncfsoe5550321hojhanhrzxqoijhkjhgjkhgf
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
Family
quasar
Version
1.3.0.0
Botnet
CPU
C2
ejss.duckdns.org:2020
Mutex
QSR_MUTEX_sgY7Anj7tlDvpiNxYU
-
encryption_key
H7ySIe3YXqpHozYioZRn
-
install_name
BlustacksHelp.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
BlustacksHelp
-
subdirectory
BlustacksHelp
Signatures
-
Asyncrat family
-
Quasar family
-
Quasar payload 2 IoCs
resource | yara_rule
behavioral1/files/0x0009000000016846-19.dat | family_quasar
behavioral1/memory/1788-22-0x0000000000BD0000-0x0000000000C2E000-memory.dmp | family_quasar
-
Venomrat family
resource | yara_rule
behavioral1/files/0x0007000000016c3a-18.dat | VenomRAT
behavioral1/memory/380-23-0x0000000001060000-0x0000000001078000-memory.dmp | VenomRAT
-
Async RAT payload 1 IoCs
resource | yara_rule
behavioral1/files/0x0007000000016c3a-18.dat | family_asyncrat
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
pid | Process
2796 | PowerShell.exe
2796 | PowerShell.exe
-
Executes dropped EXE 2 IoCs
pid | Process
380 | svhost.exe
1788 | System.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | ip-api.com
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | System.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2260 | schtasks.exe
2212 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid | Process
2796 | PowerShell.exe
380 | svhost.exe (21 hits)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2796 | PowerShell.exe
Token: SeDebugPrivilege | 380 | svhost.exe
Token: SeDebugPrivilege | 1788 | System.exe
-
Suspicious use of FindShellTrayWindow 29 IoCs
pid | Process
2884 | e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe (29 hits)
-
Suspicious use of SendNotifyMessage 29 IoCs
pid | Process
2884 | e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe (29 hits)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
380 | svhost.exe
1788 | System.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 2884 wrote to memory of 2924 | 2884 | e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe | 30 (3 hits)
PID 2924 wrote to memory of 2260 | 2924 | cmd.exe | 32 (3 hits)
PID 2884 wrote to memory of 2812 | 2884 | e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe | 33 (3 hits)
PID 2812 wrote to memory of 2212 | 2812 | cmd.exe | 35 (3 hits)
PID 2884 wrote to memory of 2796 | 2884 | e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe | 36 (3 hits)
PID 932 wrote to memory of 380 | 932 | taskeng.exe | 40 (3 hits)
PID 932 wrote to memory of 1788 | 932 | taskeng.exe | 41 (4 hits)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\e46e2b8d41f84a8091f80ba7d7fbf66104f4ef2c4b53be13307dc8aa6facf02f.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2884
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 1 /RL HIGHEST /tn BlustacksHelper /tr %appdata%\Logistic\System.exe /f
      - Suspicious use of WriteProcessMemory
      PID: 2924
        C:\Windows\system32\schtasks.exe
          command line: schtasks /create /sc minute /mo 1 /RL HIGHEST /tn BlustacksHelper /tr C:\Users\Admin\AppData\Roaming\Logistic\System.exe /f
          - Scheduled Task/Job: Scheduled Task
          PID: 2260
    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 1 /RL HIGHEST /tn Blustacks /tr %appdata%\Logistic\svhost.exe /f
      - Suspicious use of WriteProcessMemory
      PID: 2812
        C:\Windows\system32\schtasks.exe
          command line: schtasks /create /sc minute /mo 1 /RL HIGHEST /tn Blustacks /tr C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe /f
          - Scheduled Task/Job: Scheduled Task
          PID: 2212
    C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
      command line: PowerShell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:appdata
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2796
-
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {D6BF1054-2716-4786-B190-A132E265A86A} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 932
    C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe
      command line: C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 380
    C:\Users\Admin\AppData\Roaming\Logistic\System.exe
      command line: C:\Users\Admin\AppData\Roaming\Logistic\System.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 1788
-
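The process tree is what a detector should fire on: two schtasks /create calls with a one-minute trigger, /RL HIGHEST and an action under %AppData%, followed by a hidden PowerShell that adds a Defender exclusion for that same folder. The Python below is an added example written for this page, not part of the sandbox report or of the malware's own code. It runs those command lines (copied from the tree, plus one benign schtasks /query line constructed by the editor as a control) through small rules mapped to MITRE ATT&CK T1053.005 (Scheduled Task), T1562.001 (Impair Defenses: Disable or Modify Tools) and T1059.001 (PowerShell). The trigger threshold and the list of user-writable paths are the editor's assumptions, not something the report states.

```python
"""Detection logic for the persistence and defence-evasion command lines in
the process tree above.  Added example, not part of the sandbox report; the
sample lines are copied from the tree, the benign control line, the rules
and the ATT&CK mapping are the editor's own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str   # MITRE ATT&CK technique ID
    reason: str
    cmdline: str


# Constructed sample input: three child command lines from the tree above plus
# one benign schtasks query that must not fire.
SAMPLE_CMDLINES = [
    r"C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 1 /RL HIGHEST /tn BlustacksHelper /tr %appdata%\Logistic\System.exe /f",
    r"schtasks /create /sc minute /mo 1 /RL HIGHEST /tn Blustacks /tr C:\Users\Admin\AppData\Roaming\Logistic\svhost.exe /f",
    r"PowerShell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath $env:appdata",
    r"C:\Windows\system32\schtasks.exe /query /tn Backup",
]

# Locations an unprivileged user can write to (editor's list, not exhaustive);
# a task whose action lives here is a persistence red flag.
USER_WRITABLE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\)",
    re.I,
)
DEFENDER_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b", re.I | re.S
)
PS_EVASION = re.compile(r"-WindowStyle\s+Hidden|-ExecutionPolicy\s+Bypass|-(nop|noprofile)\b", re.I)


def _opt(tokens, name):
    """Value following a schtasks switch such as /tr (case-insensitive).
    Tokens come from a naive whitespace split; quoted paths with spaces
    would need a real argv parser."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == name:
            return tokens[i + 1]
    return None


def check_schtasks(cmd):
    """T1053.005: schtasks /create with a user-writable action, a watchdog
    trigger (every few minutes) or an elevated run level."""
    tokens = cmd.split()
    lower = [t.lower() for t in tokens]
    is_schtasks = any(t.endswith(("schtasks", "schtasks.exe")) for t in lower)
    if not is_schtasks or "/create" not in lower:
        return []
    out = []
    action = _opt(tokens, "/tr")
    if action and USER_WRITABLE.search(action):
        out.append(Finding("T1053.005", f"task action in user-writable path: {action}", cmd))
    sched, mod = _opt(tokens, "/sc"), _opt(tokens, "/mo")
    if sched and sched.lower() == "minute" and mod and mod.isdigit() and int(mod) <= 5:
        out.append(Finding("T1053.005", f"watchdog trigger: every {mod} minute(s)", cmd))
    level = _opt(tokens, "/rl")
    if level and level.lower() == "highest":
        out.append(Finding("T1053.005", "task requests /RL HIGHEST", cmd))
    return out


def check_powershell(cmd):
    """T1562.001 for Defender exclusions, T1059.001 for a hidden/bypass launch."""
    out = []
    if DEFENDER_EXCLUSION.search(cmd):
        out.append(Finding("T1562.001", "Windows Defender exclusion added via *-MpPreference", cmd))
    if "powershell" in cmd.lower() and PS_EVASION.search(cmd):
        out.append(Finding("T1059.001", "PowerShell launched hidden / with ExecutionPolicy Bypass", cmd))
    return out


def scan(cmdlines):
    """Run every rule over a list of command lines (e.g. Sysmon Event ID 1
    or Security 4688 CommandLine fields) and return all findings."""
    findings = []
    for cmd in cmdlines:
        findings.extend(check_schtasks(cmd))
        findings.extend(check_powershell(cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.technique}  {f.reason}\n    {f.cmdline}")
```

Two things the tree shows that a hunt should account for: the exclusion covers all of %AppData%, so the Logistic subfolder both RATs run from inherits it, which is why the rule keys on the cmdlet rather than on a path; and the Quasar config's install_name (BlustacksHelp.exe) and subdirectory (BlustacksHelp) never appear on disk here, because the dropper, not the RAT's own installer, wrote Logistic\System.exe and Logistic\svhost.exe and registered the tasks as BlustacksHelper and Blustacks. Hunting only on values from the extracted config would miss this host.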
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
348KB
MD5
30f290b9b4219713e4b49a726019fe68
SHA1
2fdb773ad1436b964d712ece9147c1b2f9973ad8
SHA256
55cf1e6f2e5c517b59374ab01d7ace7f55a8944ecd3da5d0504704b796865ef9
SHA512
54bf270b2075fbbc039b431e8802ea4cae4131880f9b95d4737cbde2e63c302f7e5f60a9aa92ff8b10b2a20e8f777aaad626587efbde4621530a9f66501e0aa9
-
Filesize
74KB
MD5
248232d65b1270519512905808e12d44
SHA1
dede341cac2a986edda5a3a08e5f5a5ea37811a1
SHA256
dfcc60537938dac1dee3d4b4163ca33c61a9e3bae98fe63cf2b1addbd3aa4e5a
SHA512
9440c013516e9a2c298b2cff2069f68a1d21c6d18bf7780bea2c0bf047a6f3b413cd279f341373d93ee09e9b6b06f825d7f6d123a6e4c07e55c11e4f677af4f0