Analysis

  • max time kernel
    19s
  • max time network
    19s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    28-12-2024 20:14

General

  • Target

    spoofer.exe

  • Size

    3.6MB

  • MD5

    9316ff653c4cb2798b93c8933f43e61b

  • SHA1

    6c260ac0087aabb66b893afc3ef0955b982aea77

  • SHA256

    297e4ac9c22cf38b58241d60e16e4395ade705ca15769b796e9dbfcb5ac12aec

  • SHA512

    03ba1ab43684307f1b9aada2e7330bf65ca664f100610d69891bff2b3bbd5198cbc4da00967993bf8891cde79ab4128737b944ac97e9a14de3109e3262919bc0

  • SSDEEP

    98304:QkqXf0FlL9nrYAWAZi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13U:QkSIlLtzWAXAkuujCPX9YG9he5GnQCAB

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

51.89.44.68:8848

Mutex

etb3t1tr5n

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\spoofer.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:3536
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:904
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1788
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:3496
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:824
      • C:\Windows\system32\netsh.exe
        netsh wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:3392
      • C:\Windows\system32\findstr.exe
        findstr All
        3⤵
        PID:3160
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3788
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:2788
      • C:\Windows\system32\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:3584
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      PID:5024
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2396

        Downloads

        • C:\Users\Admin\AppData\Local\46460c22d53637bdb02def3ec774ba7d\Admin@OZYSBZXK_en-US\Browsers\Firefox\Bookmarks.txt

          Filesize

          220B

          MD5

          2ab1fd921b6c195114e506007ba9fe05

          SHA1

          90033c6ee56461ca959482c9692cf6cfb6c5c6af

          SHA256

          c79cfdd6d0757eb52fbb021e7f0da1a2a8f1dd81dcd3a4e62239778545a09ecc

          SHA512

          4f0570d7c7762ecb4dcf3171ae67da3c56aa044419695e5a05f318e550f1a910a616f5691b15abfe831b654718ec97a534914bd172aa7a963609ebd8e1fae0a5

        • C:\Users\Admin\AppData\Local\46460c22d53637bdb02def3ec774ba7d\Admin@OZYSBZXK_en-US\System\Apps.txt

          Filesize

          846B

          MD5

          4c8acda400a3c05af3e945d587e3521b

          SHA1

          361186ddcad581c4ca93fb2f125060bd84fb6706

          SHA256

          25602715fdacf7ce49fa31ce54c1981ecf11b23e4943a590b2123d885b6053e7

          SHA512

          f51dfc7304e019f338dc791ecd5702e860fd80ea7d4024560102e4eb037a3e4f69450e98f8616c4a6893f4cc7c8478e57fa2fb0259461fa808c3196623375bb5

        • C:\Users\Admin\AppData\Local\46460c22d53637bdb02def3ec774ba7d\Admin@OZYSBZXK_en-US\System\Apps.txt

          Filesize

          6KB

          MD5

          f75c73cddaa9cb3033d3b94806405c45

          SHA1

          19264b9b165b466314462a5f2ea83fece47f063e

          SHA256

          6cf0aa89e5b94a81ab781e87fda4014c92f02c7f48aca6c1f1c264fe9ec9274a

          SHA512

          1b1582ef7cb0f1c47e5566046323185ebcb9c2d4d4f23c2b82ad73ec2f80dc8de60d7b87cb052be0520487b0d753ffce11a88821c24fe58034322841cf796180

        • C:\Users\Admin\AppData\Local\46460c22d53637bdb02def3ec774ba7d\Admin@OZYSBZXK_en-US\System\Process.txt

          Filesize

          1KB

          MD5

          f8fafb637fb33f0ccf4f73e1f1efa741

          SHA1

          64c9a212517c866fb77c0a72b4e66de0e0bfb085

          SHA256

          5e9846ba1158255c3cea2f02388d7c5c14e0ad9db21d4dd18530c497ebbca677

          SHA512

          b164e21d7483e5482558fd8bb93d618895df52c1359ba3595c4d173e51462fad5aec9b3fb96845562237a325ff76f5c3797c9e1e63aec8425ee058613e81a926

        • C:\Users\Admin\AppData\Local\46460c22d53637bdb02def3ec774ba7d\Admin@OZYSBZXK_en-US\System\Process.txt

          Filesize

          2KB

          MD5

          267a8cb7d5ecfdb2da22718b7a285603

          SHA1

          c7c300c32480ff69d57f4ec79e1b90bc6268e627

          SHA256

          3f554c091c72f04ec31eaef84315d10936fa95623d2aa44a76889a1891e87533

          SHA512

          bb91a882282034d2743f70099df62bfe5acd6052d51426d3f2a8927a868f462ae10a6d9ec0648685e1ce818b6996f67aa86f5d0d4a9cb52a745acf27070bd8a8

        • C:\Users\Admin\AppData\Local\46460c22d53637bdb02def3ec774ba7d\Admin@OZYSBZXK_en-US\System\Process.txt

          Filesize

          2KB

          MD5

          316b156059a3ed7815b3c28499189e15

          SHA1

          a26a9bc16be36a0e51c3be7584a693ea532f3cac

          SHA256

          d0001030c33a45b677ddef339d351dcae4e66d9c1cae4837dfd9b28b4e098059

          SHA512

          7cd1bd7f38a8320406c7f6702cb1c206eca1b5a443ca916f299f9bc0c1c095befdf2e7305d9bc38ef68030e87cc6ec747489e96eb1a3a1259617be912c50c09d

        • C:\Users\Admin\AppData\Local\46460c22d53637bdb02def3ec774ba7d\Admin@OZYSBZXK_en-US\System\Process.txt

          Filesize

          3KB

          MD5

          c70ac2dc963982da0be838343ef1595c

          SHA1

          a61ab8f9ce9d8fd189ceeaf15dc57a61df2b8ca5

          SHA256

          333b65fc18ce22bc3dca696c69ac42effede0b836e388a003f27fa7978657269

          SHA512

          5fded840cbfb448c29f4060682854d20991d97904994c586a08908990fe99a16867745270beade555ad8a89bc55cbb8f95286219c462c06b6bfe5eff3c14639e

        • C:\Users\Admin\AppData\Local\46460c22d53637bdb02def3ec774ba7d\Admin@OZYSBZXK_en-US\System\Process.txt

          Filesize

          3KB

          MD5

          9e662d1d6bb627e1fb5e06c70a8cddc8

          SHA1

          354876c7163b48e9d7bae943365169712fcc5c41

          SHA256

          1b72725b4aeaac3e8ae59cb119dba69a35f6d2a732d3cfdcb06129aec5ae8820

          SHA512

          63fc776c79a7e74d1e400b3f2025a08b111747f15a7628fac64a0c7b76ae4a880616070173cb749b0c7223de680d6a9f5734ad2415b1c226ed1efab14bfb9e87

        • C:\Users\Admin\AppData\Local\46460c22d53637bdb02def3ec774ba7d\Admin@OZYSBZXK_en-US\System\Process.txt

          Filesize

          4KB

          MD5

          88be349b7d985c39870882ec284e7bf1

          SHA1

          25bbae5c853343869383471872aaeece2fe15e78

          SHA256

          af04450f460645a0ad0c5b408ad0b20f5db908c85a6010c3ccca385c902b24e4

          SHA512

          63517670ab5518d397daed4a0e9e1f568346aea0b36c24bb2934a14428aeb97ff0a24350d356307d4c1795fed585949147fb5a4c6d0501d0a706f0b4921cb128

        • C:\Users\Admin\AppData\Local\46460c22d53637bdb02def3ec774ba7d\Admin@OZYSBZXK_en-US\System\Process.txt

          Filesize

          312B

          MD5

          bf328edefc160227354056952c964215

          SHA1

          6bfd95819c1866f91d1e2127412bac348de030e7

          SHA256

          a7cbb2179be49a5f3e0f8fd6f604364f6237033462b2c6dd8a6a955bd9168371

          SHA512

          35069a1fac74ce4e14d257a4ad5bf28eea4031bbec7b35f8d0a933ad30df889c1b04ca913dd5c6a38870343e3048849456aa43e055a27e0907e5209b189daf50

        • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

          Filesize

          5KB

          MD5

          de46fa99849fe1d1cb0a5e10b2431d5c

          SHA1

          7a1403a69db1aebe70a11d2dd87949f40e09aeb0

          SHA256

          9a29ed994d34e43bc2911144ba863e8385fff94c573e7e34ca65a3f444df2a49

          SHA512

          60dac0309d1ee20e44bfbac0ebc630235caaefd807f4e59e5763ad04ad842e9e01133101b9c3006c41b4bb241cb9a81d5ac592448d1daa19ca933b131f0d73c7

        • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

          Filesize

          2KB

          MD5

          aaaca8769fcc57147a3cc6347d63e2c7

          SHA1

          679888e05400b132b09e8b32f87f642d25b80d69

          SHA256

          063042e3c7e3e979e5a17ef6c29127b170cc434896d32b7f3b688530da5f8b43

          SHA512

          91592d590ff57cd843d30da7c32126f511bccae1c1e9bff6ded52145ca634205d7f29a7f02e83000c7a78d6518c76685f0e355c8fcde4f7b6242d0316af0c898

        • C:\Users\Admin\AppData\Roaming\svchost.exe

          Filesize

          63KB

          MD5

          67ca41c73d556cc4cfc67fc5b425bbbd

          SHA1

          ada7f812cd581c493630eca83bf38c0f8b32b186

          SHA256

          23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b

          SHA512

          0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

        • memory/904-32-0x0000000000870000-0x0000000000886000-memory.dmp

          Filesize

          88KB

        • memory/904-50-0x00007FF905B90000-0x00007FF906652000-memory.dmp

          Filesize

          10.8MB

        • memory/904-33-0x00007FF905B90000-0x00007FF906652000-memory.dmp

          Filesize

          10.8MB

        • memory/3536-2-0x00007FF905B90000-0x00007FF906652000-memory.dmp

          Filesize

          10.8MB

        • memory/3536-64-0x00007FF905B90000-0x00007FF906652000-memory.dmp

          Filesize

          10.8MB

        • memory/3536-0-0x00007FF905B93000-0x00007FF905B95000-memory.dmp

          Filesize

          8KB

        • memory/3536-51-0x00007FF905B93000-0x00007FF905B95000-memory.dmp

          Filesize

          8KB

        • memory/3536-1-0x000002CD5D410000-0x000002CD5D7AA000-memory.dmp

          Filesize

          3.6MB

        • memory/3536-315-0x000002CD78710000-0x000002CD78754000-memory.dmp

          Filesize

          272KB

        • memory/3536-316-0x000002CD78770000-0x000002CD7878A000-memory.dmp

          Filesize

          104KB

        • memory/3536-385-0x000002CD78790000-0x000002CD78842000-memory.dmp

          Filesize

          712KB

        • memory/3536-386-0x000002CD78870000-0x000002CD78892000-memory.dmp

          Filesize

          136KB

        • memory/3536-387-0x00007FF905B90000-0x00007FF906652000-memory.dmp

          Filesize

          10.8MB