Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 29-12-2024 13:50

General

  • Target: build.exe
  • Size: 3.6MB
  • MD5: 2005c36df30a92d045d80c76be86d157
  • SHA1: 5e821a88c68ca7fc61e7fd88a6127d35c7af3d7f
  • SHA256: b94561e6149960253a8ff55a26fa68c7794b8fced2deade95d6b2e95b5d932af
  • SHA512: ad2c3667101e450566e8b0f7ee3a05c022bed6b1c64007f5c3f21c8bc6e062910c32c93e5b616188fec9d1c625a9a148b42b911d362f6ffd45f2953db38c1275
  • SSDEEP: 98304:2kqXf0FlL9nrYAWAZi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13C:2kSIlLtzWAXAkuujCPX9YG9he5GnQCAL

Malware Config

Extracted

  • Family: asyncrat
  • Version: 1.0.7
  • Botnet: Default
  • C2: 51.89.44.68:8848
  • Mutex: etb3t1tr5n

Attributes

  • delay: 1
  • install: true
  • install_file: svchost.exe
  • install_folder: %Temp%
  • aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload (1 IoCs)
  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (5 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery (1 TTPs)

    Enumerates browser information.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery (1 TTPs, 2 IoCs)

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe (1 IoCs)
  • Kills process with taskkill (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (25 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)
  • outlook_office_path (1 IoCs)
  • outlook_win_path (1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe (PID 2064)
    Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    Signatures: Checks computer location settings; Accesses Microsoft Outlook profiles; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    • C:\Users\Admin\AppData\Roaming\svchost.exe (PID 4104)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    • C:\Users\Admin\AppData\Roaming\svchost.exe (PID 868)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SYSTEM32\cmd.exe (PID 5056)
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      Signatures: System Network Configuration Discovery: Wi-Fi Discovery; Suspicious use of WriteProcessMemory
      • C:\Windows\system32\chcp.com (PID 3396)
        Command line: chcp 65001
      • C:\Windows\system32\netsh.exe (PID 2080)
        Command line: netsh wlan show profile
        Signatures: Event Triggered Execution: Netsh Helper DLL; System Network Configuration Discovery: Wi-Fi Discovery
      • C:\Windows\system32\findstr.exe (PID 408)
        Command line: findstr All
    • C:\Windows\SYSTEM32\cmd.exe (PID 4360)
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\chcp.com (PID 3412)
        Command line: chcp 65001
      • C:\Windows\system32\netsh.exe (PID 2760)
        Command line: netsh wlan show networks mode=bssid
        Signatures: Event Triggered Execution: Netsh Helper DLL
    • C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2220)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    • C:\Users\Admin\AppData\Roaming\svchost.exe (PID 2440)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: Executes dropped EXE
    • C:\Users\Admin\AppData\Roaming\svchost.exe (PID 3828)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: Executes dropped EXE
    • C:\Windows\System32\cmd.exe (PID 4032)
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5f4b9b9f-c4dc-4f9b-b002-11f83a557911.bat"
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\chcp.com (PID 2276)
        Command line: chcp 65001
      • C:\Windows\system32\taskkill.exe (PID 4176)
        Command line: taskkill /F /PID 2064
        Signatures: Kills process with taskkill
      • C:\Windows\system32\timeout.exe (PID 2200)
        Command line: timeout /T 2 /NOBREAK
        Signatures: Delays execution with timeout.exe
  • C:\Windows\system32\msiexec.exe (PID 4916)
    Command line: C:\Windows\system32\msiexec.exe /V
    Signatures: Suspicious use of AdjustPrivilegeToken

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\5f4b9b9f-c4dc-4f9b-b002-11f83a557911.bat (152B)
    MD5: 16855fa7c536753c0c613d6e67857c40
    SHA1: 02a46198d51941a32afb763f68921457722335e1
    SHA256: 2f52d3ef339d7c37da569457b012b2594214453b9cc64c2f88208bebb3844991
    SHA512: df4c53ece6c68ed78d8730677ff52f9c1f56e4ef371e7b5836416eb0556a29ed2f6f1cc5e03aa2140ca300387a5d99cd984e68e3f02b4947c9ade691e2b6020c
  • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log (5KB)
    MD5: 924bdce17fd285f64caffc916f2a0b10
    SHA1: ea119df885362be0225ced08c29319c9f53018b3
    SHA256: ff18c159bbdec49630135978789945ff20dae413e51d5bb97fa83a7e601e68a8
    SHA512: fa6939883ce4f3a4b1e591506001b8e42fb567be1964d1ce3282fc4b02321b455e48d45d03175db7213d259ff64ca59303976a3fd26d91da3b03073f98fd98e9
  • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log (2KB)
    MD5: ae426f5bbc7474a4797964c3decde7b7
    SHA1: 814e1aa7d072ebc4e32196058fdbfda39c49f61c
    SHA256: 16d3547ee7bf891dd846da41c8d0bfc2f1e9f3a5645b829d96610c9114e06827
    SHA512: 5289816580bfd3ecdfe1d56f1156c689309ec431e9f8b16d18f4a25f94db92b81fad980d131380aac189a0bcddaa1b1792a9e4202127d764fc002a35d8d5394c
  • C:\Users\Admin\AppData\Local\d93de6678f5a387aa5a40d3c165c8250\Admin@YLFOGIOE_en-US\Browsers\Firefox\Bookmarks.txt (220B)
    MD5: 2ab1fd921b6c195114e506007ba9fe05
    SHA1: 90033c6ee56461ca959482c9692cf6cfb6c5c6af
    SHA256: c79cfdd6d0757eb52fbb021e7f0da1a2a8f1dd81dcd3a4e62239778545a09ecc
    SHA512: 4f0570d7c7762ecb4dcf3171ae67da3c56aa044419695e5a05f318e550f1a910a616f5691b15abfe831b654718ec97a534914bd172aa7a963609ebd8e1fae0a5
  • C:\Users\Admin\AppData\Local\d93de6678f5a387aa5a40d3c165c8250\Admin@YLFOGIOE_en-US\System\Apps.txt (1KB)
    MD5: 9246cb35ce159a8ebb5009177c61a506
    SHA1: f7d21cf266cae097c30e0072c1f2594d33a1e260
    SHA256: 164315f6765f7188a3c37ad72ba3672c87e264b526ee4e31c3726aa0b77b13bf
    SHA512: 68f27588b30d554fbf59c26d3852143f1f463143dd944096285d551ced2455035dfd6effcb9fee23e126fd3a667cf3ad9292da891e5393ced5218c0f9005fe70
  • C:\Users\Admin\AppData\Local\d93de6678f5a387aa5a40d3c165c8250\Admin@YLFOGIOE_en-US\System\Apps.txt (6KB)
    MD5: fb74253abbd86cc6404f902891c7d6ae
    SHA1: a72dd2bcc491170a992b29500f42bde4a4fbe6ea
    SHA256: 132ff19a3fdeb8dff72f8dbfb77ffecb3cc1c51e9c06458b0b9535b5ea2d1faf
    SHA512: 54231526d1542877b3f9775731391e0f8a01168853936f456a54110bb5c17c14e8c287ec66210752dd581e2cbd7e3f382259613b1134e63d90c938aed8e35c62
  • C:\Users\Admin\AppData\Local\d93de6678f5a387aa5a40d3c165c8250\Admin@YLFOGIOE_en-US\System\Process.txt (738B)
    MD5: be5ec407f62848dcb08fee4807697424
    SHA1: d918b81f60bd708e0489f6205b5bf7fe9d5b3d49
    SHA256: 10977026aff86260238294668c11b9b0115d7458ff35299b3cef994f7bda2187
    SHA512: d28743b7dd10b97964d59f834f19f5b43034b6bb39377008b0b8c86d6a672239f985bad6bac62d29fb0fee842cfa0259f667f61a53d0bd6a5bc7064342ad94ff
  • C:\Users\Admin\AppData\Local\d93de6678f5a387aa5a40d3c165c8250\Admin@YLFOGIOE_en-US\System\Process.txt (1KB)
    MD5: e3ade7e4372d07a867753af4b9c22f51
    SHA1: 43ae9c76fc6ef5ce3d570e1ac2996c4eac1e5d4f
    SHA256: 175d2b0c2a1bbfa68b8bd7ef5fbc3e6c1450c801a7e2514dc5f9ab36d6656395
    SHA512: 4c64de35fe66ad87a55f0a200fe7cf567e844dbba4fb6f4dfdd0c3c6838b59e84c9c7ef62f937a033d998ecd4656e45c6638159e0b8290201feedb9aa3faf3e2
  • C:\Users\Admin\AppData\Local\d93de6678f5a387aa5a40d3c165c8250\Admin@YLFOGIOE_en-US\System\Process.txt (1KB)
    MD5: f046c8b0ae00ed9b97e83e96851e656c
    SHA1: 46c53f9f4d4bd6f13490449c575347589083870f
    SHA256: 30e8237bc8eeb7c2aeedc92d9a4272f79adbd028d30e143a6ce64a5fd34dc7f0
    SHA512: 3cb50f7776beca090a7304aad58c38c7e924ced4ef29daade29a44c0b7c8e831ef732d376ff44b106ad07e66ea708c56f831e401c1588e07554ea355df4e4faa
  • C:\Users\Admin\AppData\Local\d93de6678f5a387aa5a40d3c165c8250\Admin@YLFOGIOE_en-US\System\Process.txt (2KB)
    MD5: a43cbc04bd89c845d6b36ca2a16df6c2
    SHA1: 4206aa8c56bedd1b4910c9a691ca1347bcbb5f24
    SHA256: 215f04383a69d0e6d96ab0f5f12f50db398d5b4383b1175da678e59204db0e0f
    SHA512: 769da2c55ae8c49d2fb74416e491bbe1b1fb365897294c1bf6555469af7dad9178869a587aa6b66a45159194cf4146809ff306e4ff3a24b4de7fb60a95d7d7a1
  • C:\Users\Admin\AppData\Local\d93de6678f5a387aa5a40d3c165c8250\Admin@YLFOGIOE_en-US\System\Process.txt (3KB)
    MD5: bf679f3e1f4c7029593979a50df135d9
    SHA1: 88814399a8a3db4c92cb192850b7c104cf7412cd
    SHA256: f3ba5bf8b2c403aaf045cbf44a9746bd39995da4acaa3c866ce240259df228f8
    SHA512: c3d4fc1db1e219ca41039551e132305d5938564c82f5d271ac252898bdb7158a240b7b2e89ee4f6aa3f197a6804a535d9dc0660e8e47b4aade698e3026c247f4
  • C:\Users\Admin\AppData\Local\d93de6678f5a387aa5a40d3c165c8250\Admin@YLFOGIOE_en-US\System\Process.txt (4KB)
    MD5: f556d803c18e0df4efb20c4a9c170565
    SHA1: 24249b8fe7846d1409692e313499c404ea9faca1
    SHA256: 7ae03393302fd6d7288ad6bfcdc7c46d0ba61555dc71314b559cc9d3e442fb6c
    SHA512: b493d10e655c4db6471733bb4d501cf60973838c9c4b2d6ee0cbdf4f7e2add5d43e4cda2ed3c4f5fd6f1b99c2d63ae9c2f0123ac8e675ef3b56a5ccb25f9f96d
  • C:\Users\Admin\AppData\Local\d93de6678f5a387aa5a40d3c165c8250\msgid.dat (1B)
    MD5: cfcd208495d565ef66e7dff9f98764da
    SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
    SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
    SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
  • C:\Users\Admin\AppData\Roaming\svchost.exe (63KB)
    MD5: 67ca41c73d556cc4cfc67fc5b425bbbd
    SHA1: ada7f812cd581c493630eca83bf38c0f8b32b186
    SHA256: 23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b
    SHA512: 0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

Memory dumps

  • memory/2064-325-0x00000236701B0000-0x00000236701CA000-memory.dmp (104KB)
  • memory/2064-405-0x0000023670310000-0x00000236703B0000-memory.dmp (640KB)
  • memory/2064-52-0x00007FFF4B663000-0x00007FFF4B665000-memory.dmp (8KB)
  • memory/2064-444-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp (10.8MB)
  • memory/2064-1-0x000002366C130000-0x000002366C4CC000-memory.dmp (3.6MB)
  • memory/2064-2-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp (10.8MB)
  • memory/2064-324-0x000002366F020000-0x000002366F064000-memory.dmp (272KB)
  • memory/2064-0-0x00007FFF4B663000-0x00007FFF4B665000-memory.dmp (8KB)
  • memory/2064-402-0x00000236701D0000-0x0000023670282000-memory.dmp (712KB)
  • memory/2064-403-0x00000236702B0000-0x00000236702D2000-memory.dmp (136KB)
  • memory/2064-65-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp (10.8MB)
  • memory/4104-24-0x0000000000E00000-0x0000000000E16000-memory.dmp (88KB)
  • memory/4104-25-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp (10.8MB)
  • memory/4104-51-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp (10.8MB)