Analysis

  • max time kernel: 149s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-12-2024 03:47

General

  • Target: b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
  • Size: 810KB
  • MD5: 87c051a77edc0cc77a4d791ef72367d1
  • SHA1: 5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5
  • SHA256: b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c
  • SHA512: 259a3f823d5051fcc9e87ceacf25557ab17f5d26ff4f0c17801d9ef83a23d2a51261a73e5ba9c3caf1ca2feb18a569458f17a2a5d56b542b86d6a124a42d4c2c
  • SSDEEP: 12288:FCxMe2dk7YgL+OsQdFGHjaRYf9bquEZ68ufU3wqB2ydPsW/w0bvf:FsMe2KYIDpSO5vZ68FwqB2aPsW3

Malware Config

Extracted

  • Family: asyncrat
  • Version: Venom RAT + HVNC + Stealer + Grabber v6.0.2
  • Botnet: Default
  • C2: 47.238.55.14:4449
  • Mutex: rqwcncaesrdtlckoweu
  • Attributes
    • delay: 1
    • install: false
    • install_folder: %AppData%
    • aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe
        "C:\Users\Admin\AppData\Local\Temp\b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c.exe"
        2⤵
        • Checks computer location settings
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1700
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4596
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa opssvc"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3424
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3488
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2640
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c md 724598
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1108
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V "WowLiberalCalOfficer" Weight
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1680
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c copy /b ..\Explorer + ..\West + ..\Agencies + ..\Situated y
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1168
          • C:\Users\Admin\AppData\Local\Temp\724598\Thermal.pif
            Thermal.pif y
            4⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:1280
            • C:\Users\Admin\AppData\Local\Temp\724598\RegAsm.exe
              C:\Users\Admin\AppData\Local\Temp\724598\RegAsm.exe
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1764
          • C:\Windows\SysWOW64\choice.exe
            choice /d y /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3752
      • C:\Windows\SysWOW64\cmd.exe
        cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & echo URL="C:\Users\Admin\AppData\Local\GuardKey Solutions\HermesKey.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HermesKey.url" & exit
        2⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        PID:1968

Downloads

  • C:\Users\Admin\AppData\Local\Temp\724598\RegAsm.exe
    Filesize: 63KB
    MD5: 0d5df43af2916f47d00c1573797c1a13
    SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
    SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
    SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

  • C:\Users\Admin\AppData\Local\Temp\724598\Thermal.pif
    Filesize: 872KB
    MD5: 18ce19b57f43ce0a5af149c96aecc685
    SHA1: 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36
    SHA256: d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd
    SHA512: a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

  • C:\Users\Admin\AppData\Local\Temp\724598\y
    Filesize: 254KB
    MD5: a65498ab3a69a64ead790db5bb2f48aa
    SHA1: eb8cd723dab355ff507b356b9286f09b9ffcd968
    SHA256: 9ad27753646f1eec5009be7ed43bcdfc4e9ab8dffc6fe3ff4adc558a1f32f5cd
    SHA512: 9cfcb7873c3bad12109a85516eaf62393aa905b5a7fa93e8bc808ef0911070ea89f0e41953e67b45b74409bf0ac046fd7f4a12ab612edf7bf01a46c459ba1cef

  • C:\Users\Admin\AppData\Local\Temp\Agencies
    Filesize: 90KB
    MD5: 975bfc19287c2c5b74a1b228f30f14b0
    SHA1: 8f5feec00b337529a7e193f452c45f6063ad37a1
    SHA256: 91e28eface5e10865887b9a13420b1bfd3a8673255785e3bfc65745da63d1322
    SHA512: 18d8c41ebcba5667cb3ac3fa1270d78cad2fd9e8fc69dd32969b693fedc6354e3de12f74830e68b55c6aa7c5a0fbb388599f827cb94d71732231f4ebbf580f85

  • C:\Users\Admin\AppData\Local\Temp\Explorer
    Filesize: 58KB
    MD5: 01d7374bf51507454392d1081d9b309e
    SHA1: 034378159b5f4b6089a95064aec9ff210da7c3df
    SHA256: eecdd8dfd2dd6d9d1c55077ee6515a9c59d3046112d014b7a5e87fdabb8157a2
    SHA512: de64b35bfd2c279a77d552f7c518421bffcf2f5d14e78fa3f80e21b97aeb5dc287340452d61ca19c9aa5ce426c61ec6605786727d844282aa5457a1d8c4f94f4

  • C:\Users\Admin\AppData\Local\Temp\Hammer
    Filesize: 17KB
    MD5: f15a876fe95af76d09e4f26593b4502e
    SHA1: 53d14a9f7b44de6fd9aba018e0f4738175a4e3a0
    SHA256: 4ddf695422db24b6917750a923db6d55e9973a4463cf3b60f0c732d34f7728d1
    SHA512: cbc944366518fea910cc685c6ac99caafa20ffd91ba8572b5e33feeb9529cea6684e83365c5851d6798bcd3dc265e9157ae80e60f56f061c2b78e6c935e48741

  • C:\Users\Admin\AppData\Local\Temp\Ought
    Filesize: 865KB
    MD5: 260377b64080b872ffd57234ff7d097e
    SHA1: f9ea953f328a1ec1cac31ac05a6353ae27519238
    SHA256: 29826de3343c0a6f753f3cdcc551e755e12059e79b0658be1048e5f893e1c0d3
    SHA512: a01a781d352ac7cb98fd17f91db6114147188519819106d27a183f8bc114713de8d0e78524dcab8833187e365f2207da5e4cd77fc8d787f63b48a04bf17b6de5

  • C:\Users\Admin\AppData\Local\Temp\Situated
    Filesize: 10KB
    MD5: b5a2ce2534752d3a6033f59c8436d7b6
    SHA1: 8e184055af6e0f7dcd83d832bd565e784a7b8e80
    SHA256: c142ebc3005012c982b366c6e4b03db5b477c721eed245592a6f2c585ec314c3
    SHA512: c2f5480e23fcd32ac7111fc9e507b7660ee551477a1dc18f188bd5796bf29bc93cc10926908f9f6483e906bfc07dde07be7223bc0b4b4c5dbc0fa1c0f2d43f2c

  • C:\Users\Admin\AppData\Local\Temp\Weight
    Filesize: 7KB
    MD5: 4192ba712a2fdc09914b07d144f06e20
    SHA1: 0a3320eea12b490fd589b9f2cb878579108be555
    SHA256: 265661fdddd79aefcfba0fc456cf864c05439b8281da8345d200283f5664a229
    SHA512: 543248b976f061c835329adbccbb249922ebeb671bb158d7a0e70284e0fe9d723c18e8a2e4f198202cfa20dc3d0f341efd4e78c64f4d5e56e8d2a08745417948

  • C:\Users\Admin\AppData\Local\Temp\West
    Filesize: 96KB
    MD5: b7c64d91870c30f6d27b86c9294ca361
    SHA1: 41ea994169f7bea9752f6bd40d9833d6577ede49
    SHA256: 91a57858547382fa34e5aad2a6c8546c4eaeaa32b515693e42e84ad190149a6a
    SHA512: d6d3625a28a8ab2aad5e5e80cb10798d3602e0e189d521e4fecbee4f4015f07e7d2c6f9cdbec4c9efcc5c903c3ebaaf9b6abbf30d615748316992a5c398bc1b6

  • memory/1764-29-0x00000000007A0000-0x00000000007B8000-memory.dmp
    Filesize: 96KB

  • memory/1764-32-0x00000000054E0000-0x0000000005A84000-memory.dmp
    Filesize: 5.6MB

  • memory/1764-34-0x00000000051D0000-0x0000000005262000-memory.dmp
    Filesize: 584KB

  • memory/1764-35-0x00000000051B0000-0x00000000051BA000-memory.dmp
    Filesize: 40KB