Analysis
-
max time kernel
132s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
18-12-2024 10:43
Static task
static1 (1 signature)
Behavioral task
behavioral1
Sample: xxxx.exe
Resource: win7-20240903-en (windows7-x64)
8 signatures, 150 seconds
General
-
Target
xxxx.exe
-
Size
122KB
-
MD5
31fa485283c090077fb15a0831fd89f7
-
SHA1
5be3539600b869f25da4295c7cc350a4ade483d6
-
SHA256
32268f4d7203997102b3e92c592dc498e407f0d8786a1107d633d9495fc9f2b0
-
SHA512
305d538bbe84191779ce6315bff8193ce0b202c5ed664127713c207549297485ee416aee984d39eae436d5482310581bb8db584ce6f84145fc6f32e7098b6f27
-
SSDEEP
3072:xBuOLHvgPzYnl8YZ0vOeXws/v7ZEguR7fIZr+Crqxstpn6V13Yd:XHZeYZ0v3wsaPQCIz6V
Malware Config
Extracted
Family
asyncrat
Version
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Botnet
Default
C2
62.113.117.95:4449
Mutex
hwelcvbupaqfzors
Attributes
-
delay
10
-
install
false
-
install_folder
%AppData%
aes.plain
Signatures
-
Asyncrat family
-
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2720 set thread context of 2696 | 2720 | xxxx.exe | 32
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xxxx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegAsm.exe
-
Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
2696 | RegAsm.exe
2696 | RegAsm.exe
2696 | RegAsm.exe
2696 | RegAsm.exe
2696 | RegAsm.exe
2696 | RegAsm.exe
2696 | RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2696 | RegAsm.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
2696 | RegAsm.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
PID 2720 wrote to memory of 2696 | 2720 | xxxx.exe | 32
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\xxxx.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\xxxx.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2720
-
Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID: 2696
-