Analysis

  • max time kernel
    16s
  • max time network
    19s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-12-2024 21:03

General

  • Target

    mexican.exe

  • Size

    3.6MB

  • MD5

    b9ce72d9fa47b960c5912662ba09b4c7

  • SHA1

    5147cd82eff424a9ba48f64d873b7200d546bdb8

  • SHA256

    2f05e23edec61e746e86cd46e79d6af02ec93705f755a1f9683e953cd9406890

  • SHA512

    8a59922d3c8acbc2224e66444c1e852392f378f0d288747f848169e07b1f23bf86d6bba10831421f5c3e81d8c74b791bd306cce8f545eca52b0e397694587e7a

  • SSDEEP

    98304:QkqXf0FlL9nrYAWAZi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13U:QkSIlLtzWAXAkuujCPX9YG9he5GnQCAB

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

51.89.44.68:8848

Mutex

etb3t1tr5n

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mexican.exe
    "C:\Users\Admin\AppData\Local\Temp\mexican.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4564
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2168
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:696

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

    Filesize

    2KB

    MD5

    aa7b2102d46639b4606613e181691050

    SHA1

    26224d458d3296424fe216a74952a76314e757e5

    SHA256

    5bffcb32f9774b81f5b656dd385f2cd6d3b147aff8ea4e40f0957e311d76a9a9

    SHA512

    ab06f184a1489cb5d993685e105d92b4907234269184e0cf425f9138deaeae3403ad00099f992e61b304449c97e36fac04aa16fac098806437438f72fa07217d

  • C:\Users\Admin\AppData\Roaming\svchost.exe

    Filesize

    63KB

    MD5

    67ca41c73d556cc4cfc67fc5b425bbbd

    SHA1

    ada7f812cd581c493630eca83bf38c0f8b32b186

    SHA256

    23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b

    SHA512

    0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

  • memory/2168-23-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

    Filesize

    88KB

  • memory/2168-24-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

    Filesize

    10.8MB

  • memory/2168-50-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

    Filesize

    10.8MB

  • memory/4564-0-0x00007FFAC2653000-0x00007FFAC2655000-memory.dmp

    Filesize

    8KB

  • memory/4564-1-0x00000204C8D50000-0x00000204C90EA000-memory.dmp

    Filesize

    3.6MB

  • memory/4564-2-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

    Filesize

    10.8MB

  • memory/4564-51-0x00007FFAC2653000-0x00007FFAC2655000-memory.dmp

    Filesize

    8KB

  • memory/4564-52-0x00007FFAC2650000-0x00007FFAC3111000-memory.dmp

    Filesize

    10.8MB