Analysis

  • max time kernel
    92s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-12-2024 20:15

General

  • Target

    spoofer.exe

  • Size

    3.6MB

  • MD5

    9316ff653c4cb2798b93c8933f43e61b

  • SHA1

    6c260ac0087aabb66b893afc3ef0955b982aea77

  • SHA256

    297e4ac9c22cf38b58241d60e16e4395ade705ca15769b796e9dbfcb5ac12aec

  • SHA512

    03ba1ab43684307f1b9aada2e7330bf65ca664f100610d69891bff2b3bbd5198cbc4da00967993bf8891cde79ab4128737b944ac97e9a14de3109e3262919bc0

  • SSDEEP

    98304:QkqXf0FlL9nrYAWAZi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13U:QkSIlLtzWAXAkuujCPX9YG9he5GnQCAB

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

51.89.44.68:8848

Mutex

etb3t1tr5n

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. In this run the signature fires on the netsh wlan show queries listed under Processes (PIDs 3064 and 4444), which enumerate saved Wi-Fi profiles and nearby networks; the report shows no helper DLL being registered, so treat this as discovery activity rather than persistence.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\spoofer.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:5004
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4040
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:412
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:2804
      • C:\Windows\system32\netsh.exe
        netsh wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:3064
      • C:\Windows\system32\findstr.exe
        findstr All
        3⤵
        PID:628
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:4756
      • C:\Windows\system32\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:4444
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1404
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      PID:4484
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      PID:1208
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ff169d22-512f-41d6-94a6-af9779a1323b.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:1656
      • C:\Windows\system32\taskkill.exe
        taskkill /F /PID 5004
        3⤵
        • Kills process with taskkill
        PID:2644
      • C:\Windows\system32\timeout.exe
        timeout /T 2 /NOBREAK
        3⤵
        • Delays execution with timeout.exe
        PID:1064
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1920
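As an added example (not part of this report), the Python below turns the process chain above into detection logic. The event list is constructed to mirror the tree: images, command lines and PIDs are the report's, the chcp.com and findstr.exe children are omitted, and parent PID 0 stands in for the parents of the two root processes, which the report does not show. Field names loosely follow Sysmon Event ID 1 and are an assumption of this example. Four rules run over the events: netsh wlan show profile/networks enumeration; an svchost.exe image outside System32/SysWOW64 (the 63KB file dropped under AppData\Roaming); a taskkill /F /PID aimed at an ancestor, which is what the dropped .bat does to PID 5004; and a single parent launching the same non-system executable several times.

```python
"""Detection rules for the process chain in the report above (added example).

The events are constructed to mirror the report's Processes section: same
images, command lines and PIDs. Parent PID 0 is a placeholder for the two
root processes, whose parents the report does not show. Field names loosely
follow Sysmon Event ID 1 and are an assumption of this example.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


ROAMING_SVCHOST = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
BAT = r"C:\Users\Admin\AppData\Local\Temp\ff169d22-512f-41d6-94a6-af9779a1323b.bat"

# Constructed from the report's tree; chcp.com and findstr.exe children omitted.
EVENTS = [
    ProcessEvent(5004, 0, r"C:\Users\Admin\AppData\Local\Temp\spoofer.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"'),
    ProcessEvent(4040, 5004, ROAMING_SVCHOST, f'"{ROAMING_SVCHOST}"'),
    ProcessEvent(412, 5004, ROAMING_SVCHOST, f'"{ROAMING_SVCHOST}"'),
    ProcessEvent(2388, 5004, r"C:\Windows\SYSTEM32\cmd.exe",
                 '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcessEvent(3064, 2388, r"C:\Windows\system32\netsh.exe", "netsh wlan show profile"),
    ProcessEvent(3952, 5004, r"C:\Windows\SYSTEM32\cmd.exe",
                 '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcessEvent(4444, 3952, r"C:\Windows\system32\netsh.exe", "netsh wlan show networks mode=bssid"),
    ProcessEvent(1404, 5004, ROAMING_SVCHOST, f'"{ROAMING_SVCHOST}"'),
    ProcessEvent(4484, 5004, ROAMING_SVCHOST, f'"{ROAMING_SVCHOST}"'),
    ProcessEvent(1208, 5004, ROAMING_SVCHOST, f'"{ROAMING_SVCHOST}"'),
    ProcessEvent(1524, 5004, r"C:\Windows\System32\cmd.exe",
                 f'"C:\\Windows\\System32\\cmd.exe" /C "{BAT}"'),
    ProcessEvent(2644, 1524, r"C:\Windows\system32\taskkill.exe", "taskkill /F /PID 5004"),
    ProcessEvent(1064, 1524, r"C:\Windows\system32\timeout.exe", "timeout /T 2 /NOBREAK"),
    ProcessEvent(1920, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WLAN_RE = re.compile(r"netsh(?:\.exe)?\s+wlan\s+show\s+(?:profile|networks)", re.I)
TASKKILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/PID\s+(\d+)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def ancestors(event: ProcessEvent, by_pid: dict) -> set:
    """PIDs up the parent chain; the visited set guards against PID-reuse loops."""
    seen = set()
    parent = by_pid.get(event.ppid)
    while parent is not None and parent.pid not in seen:
        seen.add(parent.pid)
        parent = by_pid.get(parent.ppid)
    return seen


def detect(events) -> list:
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    findings = []
    for e in events:
        # Rule 1: Wi-Fi profile / nearby-network enumeration through netsh.
        if WLAN_RE.search(e.cmdline):
            findings.append(Finding("wifi_discovery", e.pid, e.cmdline))
        # Rule 2: an image named svchost.exe running from outside the system directories.
        if basename(e.image) == "svchost.exe" and not in_system_dir(e.image):
            findings.append(Finding("svchost_masquerade", e.pid, e.image))
        # Rule 3: taskkill /F /PID aimed at an ancestor, i.e. a helper script
        # terminating the process that spawned it (the .bat in the report).
        m = TASKKILL_RE.search(e.cmdline)
        if m and int(m.group(1)) in ancestors(e, by_pid):
            findings.append(Finding("ancestor_kill", e.pid, f"kills ancestor pid {m.group(1)}"))
    # Rule 4: one parent launching the same non-system executable repeatedly.
    for ppid, kids in children.items():
        for image, n in Counter(k.image.lower() for k in kids).items():
            if n >= 3 and not in_system_dir(image):
                findings.append(Finding("repeated_dropped_exe", ppid, f"{image} x{n}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:22} pid={f.pid:<5} {f.detail}")
```

Rule 3 keys on the relationship between the taskkill target and the caller's ancestry rather than on the .bat file name, so a renamed script still trips it; msiexec.exe (PID 1920), which the report lists as a separate root process, produces no finding.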

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\213d6d4f1e47b492e1ab2f328257e777\Admin@GUMLNLFE_en-US\Browsers\Firefox\Bookmarks.txt

            Filesize

            220B

            MD5

            2ab1fd921b6c195114e506007ba9fe05

            SHA1

            90033c6ee56461ca959482c9692cf6cfb6c5c6af

            SHA256

            c79cfdd6d0757eb52fbb021e7f0da1a2a8f1dd81dcd3a4e62239778545a09ecc

            SHA512

            4f0570d7c7762ecb4dcf3171ae67da3c56aa044419695e5a05f318e550f1a910a616f5691b15abfe831b654718ec97a534914bd172aa7a963609ebd8e1fae0a5

          • C:\Users\Admin\AppData\Local\213d6d4f1e47b492e1ab2f328257e777\Admin@GUMLNLFE_en-US\System\Apps.txt

            Filesize

            6KB

            MD5

            f75c73cddaa9cb3033d3b94806405c45

            SHA1

            19264b9b165b466314462a5f2ea83fece47f063e

            SHA256

            6cf0aa89e5b94a81ab781e87fda4014c92f02c7f48aca6c1f1c264fe9ec9274a

            SHA512

            1b1582ef7cb0f1c47e5566046323185ebcb9c2d4d4f23c2b82ad73ec2f80dc8de60d7b87cb052be0520487b0d753ffce11a88821c24fe58034322841cf796180

          • C:\Users\Admin\AppData\Local\213d6d4f1e47b492e1ab2f328257e777\Admin@GUMLNLFE_en-US\System\Process.txt

            Filesize

            1KB

            MD5

            47e1acfcba1b9d080ed314b9dbca528d

            SHA1

            8f5b822013d0afe4ab36d730374d9db86e8eb8dc

            SHA256

            0bf42416c65f1c3d6411fabf1e22efb8293bf7c13f1513613b61ef1afbc6371d

            SHA512

            57c4c30ac5aa58db539e2cbe12c10f1f51a265b6c1614d99223191accc90fa4fe3d1fbabe72373859d93bf7d25395f4883aab3f6879783c5c6984744206be01e

          • C:\Users\Admin\AppData\Local\213d6d4f1e47b492e1ab2f328257e777\Admin@GUMLNLFE_en-US\System\Process.txt

            Filesize

            2KB

            MD5

            cf950dd91d0da2ef683f25047c73de3b

            SHA1

            658b23cfc46437d78c63186c2942d0f28e18a493

            SHA256

            b48e5d98e0105517c71a348326bd84776974e47511524284df481865ff95b4e9

            SHA512

            45cc2759bcbd800d9be3972560cf918ce0dc76d2c3fe67fe41fd0de57d942aac81c8540e357bfe7d4787e452feaa4203b858c53197d917e50576a2ab269eb642

          • C:\Users\Admin\AppData\Local\213d6d4f1e47b492e1ab2f328257e777\Admin@GUMLNLFE_en-US\System\Process.txt

            Filesize

            3KB

            MD5

            ede5dc11e60743070760a8d2604556fc

            SHA1

            c4743582fa134387460963dec864a472a8cc6201

            SHA256

            e2d09e91648653efd0eb06a2db070bb1d4ef10a6190df63b2927aae6cc77499d

            SHA512

            d056763e1247bb094032ba785f57d6398cf3edfbb36143acd7fd668e1f4b399cf976cde6e88cd999a34b3b67802aeb7f1b067aba73e7a6d89de7009e49dc1f5f

          • C:\Users\Admin\AppData\Local\213d6d4f1e47b492e1ab2f328257e777\Admin@GUMLNLFE_en-US\System\Process.txt

            Filesize

            4KB

            MD5

            5fd6e2f84c5048f4b7b330a1fe10c1eb

            SHA1

            7c3d67acce4071ea9274e286f6dec9683a7c8b85

            SHA256

            fc43141e7831c3ed652be4bd77e78d30e4e4a89c8276275036e12649feb1361b

            SHA512

            d2e2ba85d2a6a17f9982ac7d0b8a17529f100023ef0f991f15587723ba76dcb8201e4898f1fd711bb819b569f609fc06b39822e8f036f51af3a78860dfde8e2f

          • C:\Users\Admin\AppData\Local\213d6d4f1e47b492e1ab2f328257e777\Admin@GUMLNLFE_en-US\System\Process.txt

            Filesize

            396B

            MD5

            40b65c6b42a153d60cc0401d009a209b

            SHA1

            d21c0d10ffbfaa05ddc61209e65445d611f10a8a

            SHA256

            a8b6b0b66b750642a564ee6b26c493906283cd0885d89754b6817e23c88c167a

            SHA512

            8b08f8d9c36d2e64b3b96a85c631bd1720523c5394da2d58ceb9381f84ceb172d970a6f23d4235957ad3183566bde2d80a828fb13927fd559260c06005b703d8

          • C:\Users\Admin\AppData\Local\213d6d4f1e47b492e1ab2f328257e777\msgid.dat

            Filesize

            1B

            MD5

            1679091c5a880faf6fb5e6087eb1b2dc

            SHA1

            c1dfd96eea8cc2b62785275bca38ac261256e278

            SHA256

            e7f6c011776e8db7cd330b54174fd76f7d0216b612387a5ffcfb81e6f0919683

            SHA512

            3c9ad55147a7144f6067327c3b82ea70e7c5426add9ceea4d07dc2902239bf9e049b88625eb65d014a7718f79354608cab0921782c643f0208983fffa3582e40

          • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

            Filesize

            5KB

            MD5

            325a969f4027f6bc8b9a41cbf122408b

            SHA1

            3fa4a9defd2936328cc0d09e9b0771c8a6285cd7

            SHA256

            f3138a763705fc84ef667f0db32ad6a9faf3dd857288555c0ded59b28dbabaea

            SHA512

            102e7b4fcf0129d67ec1a14e3046c0a33546ce49c7dd90726e23bca54c7d26dc15acccb3fa9dfb7086b2896cf66495b14c49ae0b042b4edfae4707618d6de01e

          • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

            Filesize

            2KB

            MD5

            bf5999ec62f8b84ce2cedd7ab06997a4

            SHA1

            0959ca6fbe3eb48486a775360f1b559bf5da117f

            SHA256

            d3721f17796dc2e9394f0ddfcdfa22d4dae1e18e756c1a1dd33504e610039b03

            SHA512

            20ba0c5c2cf1d5c6f8c17c4f6017594276a120b7f80e8477b6f54f5c55428b415f9ad4afcca2308f21b216e09676580f999e9327f83fa5145f6b35a16770f9bb

          • C:\Users\Admin\AppData\Local\Temp\ff169d22-512f-41d6-94a6-af9779a1323b.bat

            Filesize

            152B

            MD5

            9ef0cd379a5fbf0f075257f25e3d7c59

            SHA1

            c57d8a572b620d25c77bb5f0a59ed4c65e96dfee

            SHA256

            4555165107eb4703c7844756b69447a6e3c9655cd525f6a565ea0645f5104c27

            SHA512

            b3097628699f0737de3c12629a1a7a8bbfc66057c7de599d52687ccf346c46705841e30b68a804a84c2562e4085f739a0840c44822e5a4f6c1ac0650426dda71

          • C:\Users\Admin\AppData\Roaming\svchost.exe

            Filesize

            63KB

            MD5

            67ca41c73d556cc4cfc67fc5b425bbbd

            SHA1

            ada7f812cd581c493630eca83bf38c0f8b32b186

            SHA256

            23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b

            SHA512

            0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

          • memory/4040-23-0x00000000002F0000-0x0000000000306000-memory.dmp

            Filesize

            88KB

          • memory/4040-50-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

            Filesize

            10.8MB

          • memory/4040-24-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

            Filesize

            10.8MB

          • memory/5004-335-0x000001CA46E50000-0x000001CA46E6A000-memory.dmp

            Filesize

            104KB

          • memory/5004-1-0x000001CA2ADD0000-0x000001CA2B16A000-memory.dmp

            Filesize

            3.6MB

          • memory/5004-334-0x000001CA46E10000-0x000001CA46E54000-memory.dmp

            Filesize

            272KB

          • memory/5004-52-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

            Filesize

            10.8MB

          • memory/5004-2-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

            Filesize

            10.8MB

          • memory/5004-422-0x000001CA46E70000-0x000001CA46F22000-memory.dmp

            Filesize

            712KB

          • memory/5004-423-0x000001CA46F50000-0x000001CA46F72000-memory.dmp

            Filesize

            136KB

          • memory/5004-425-0x000001CA46F80000-0x000001CA47020000-memory.dmp

            Filesize

            640KB

          • memory/5004-0-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

            Filesize

            8KB

          • memory/5004-51-0x00007FF8E8383000-0x00007FF8E8385000-memory.dmp

            Filesize

            8KB

          • memory/5004-464-0x00007FF8E8380000-0x00007FF8E8E41000-memory.dmp

            Filesize

            10.8MB
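Added example, not from the report: Python that checks a recovered artifact against the digests the Downloads list publishes and, for tiny artifacts, recovers the content by searching candidate byte strings until every listed digest matches. The MD5, SHA1 and SHA256 values are the report's for the 1-byte msgid.dat; the candidate alphabet (printable ASCII) and the assumption that a one-byte file holds a single printable character are this example's, not the report's, and what the stealer uses the value for is not something this report shows.

```python
"""Artifact digest verification and small-content recovery (added example).

Digests below are copied from the report's Downloads entry for msgid.dat.
The printable-ASCII candidate alphabet is an assumption of this example.
"""
import hashlib
import itertools
import string

# Report digests for C:\Users\Admin\AppData\Local\213d6d4f1e47b492e1ab2f328257e777\msgid.dat (1 byte).
MSGID_DIGESTS = {
    "md5": "1679091c5a880faf6fb5e6087eb1b2dc",
    "sha1": "c1dfd96eea8cc2b62785275bca38ac261256e278",
    "sha256": "e7f6c011776e8db7cd330b54174fd76f7d0216b612387a5ffcfb81e6f0919683",
}


def digests(data: bytes, algos=("md5", "sha1", "sha256")) -> dict:
    """Hex digests of `data` for each named hashlib algorithm."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def matches(data: bytes, expected: dict) -> bool:
    """True only if every digest in `expected` agrees; one mismatch is decisive,
    so a collision in a single algorithm cannot produce a false identification."""
    got = digests(data, tuple(expected))
    return all(got[a] == v.lower() for a, v in expected.items())


def verify_file(path: str, expected: dict) -> bool:
    """Compare a recovered copy on disk with the digests published for it."""
    with open(path, "rb") as fh:
        return matches(fh.read(), expected)


def recover_small_content(expected: dict, size: int,
                          alphabet: bytes = string.printable.encode()):
    """Search every `size`-byte string over `alphabet` for one whose digests
    all match. Cost is len(alphabet) ** size, so keep `size` to a few bytes."""
    for combo in itertools.product(alphabet, repeat=size):
        candidate = bytes(combo)
        if matches(candidate, expected):
            return candidate
    return None


if __name__ == "__main__":
    content = recover_small_content(MSGID_DIGESTS, size=1)
    print("msgid.dat content:", content)
```

For artifacts larger than a few bytes the search is hopeless and verify_file is the right tool: feed it a copy pulled from the host and the report's digests for that path. Every digest listed is required to match, which is also why a single wrong hash in a transcribed IoC list is caught rather than silently tolerated.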