Analysis

  • max time kernel
    95s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-12-2024 13:39

General

  • Target

    build.exe

  • Size

    3.6MB

  • MD5

    159cb32f97f5a5297b9ef46e16556631

  • SHA1

    d9a2cee6035f972e395015c0847ffd491a65b284

  • SHA256

    452c77d9be7b82107a1325d98f75d0194e61c311e4fa7204a15b52e42bc3c2d2

  • SHA512

    6e974f974d1cb3104e20a51cbe7a636bd81af111ff64784f58a3194acaf6970545436cdc9ee6182a58c168e5aed68a3929baddf0c5227743496ee252136c1e77

  • SSDEEP

    98304:2kqXf0FlL9nrYAWAZi6sfLxkuahjCOeX9YG9see5GnRyCAm0makxH13C:2kSIlLtzWAXAkuujCPX9YG9he5GnQCAL

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

51.89.44.68:8848

Mutex

etb3t1tr5n

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2872
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3616
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4820
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      2⤵
      • System Network Configuration Discovery: Wi-Fi Discovery
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:2612
      • C:\Windows\system32\netsh.exe
        netsh wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:3920
      • C:\Windows\system32\findstr.exe
        findstr All
        3⤵
        PID:316
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5052
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:4296
      • C:\Windows\system32\netsh.exe
        netsh wlan show networks mode=bssid
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:4608
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2228
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      PID:2480
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Executes dropped EXE
      PID:1516
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f2fd17ca-c909-4032-8498-92729b0178b5.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3260
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:5100
      • C:\Windows\system32\taskkill.exe
        taskkill /F /PID 2872
        3⤵
        • Kills process with taskkill
        PID:2452
      • C:\Windows\system32\timeout.exe
        timeout /T 2 /NOBREAK
        3⤵
        • Delays execution with timeout.exe
        PID:3928
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3464

Network

MITRE ATT&CK Enterprise v15


Downloads

          • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

            Filesize

            5KB

            MD5

            ae0761ef852b57ef8eb542ed8ca3a51a

            SHA1

            04a2f40de9bf2125fa639495299cd6dbaa674f67

            SHA256

            871723373f0d91a9e3900251d40837e72c2f8b2b31515a4fc343a1e1c4905392

            SHA512

            72cc827bbee2374769858abf18ebf749c9a1eccc5c3e2ff0927c1daf8c8fbf8647ef65dd0fba6589b0aeb17dc8d41490eec29cd6441b6b9f7ebd439fa11aaeb1

          • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

            Filesize

            2KB

            MD5

            7576073f82776987960d9f50c4b8fb36

            SHA1

            79359508581be6a1fffc8ff8db0f93ac78eec2ed

            SHA256

            9fa54e5bfae12cd97747e4303b376546bb0a35ba6818eda0372531e842d56a0d

            SHA512

            05c442e1387a3d3d51582822a56a4c4ed648e3965c4013049bebd722acd468e2fb366c7a651de04cd4da0d33b8e1299c462562d3e39c52d7acb2121c0921533a

          • C:\Users\Admin\AppData\Local\Temp\f2fd17ca-c909-4032-8498-92729b0178b5.bat

            Filesize

            152B

            MD5

            0bf8cd3cece0d624676ab0557bcf372b

            SHA1

            aacaa87d62ac0dd97f6c5ec5758091493da6b207

            SHA256

            14677f56bd2499161cdc7efe6cc50d0eb09baffb75f6b6d2cdd7a52130d8e151

            SHA512

            0dde5792fa820a7905b3c350b45961a24faf746540720a4da41fac3defcd97a3331013240661f8372306d29f5b16712e3bdbd946754e8c0344b6ff16e5ca79d4

          • C:\Users\Admin\AppData\Local\cd90c940bd2a9265cf84b055cb9c0023\Admin@YQRLKYON_en-US\Browsers\Firefox\Bookmarks.txt

            Filesize

            220B

            MD5

            2ab1fd921b6c195114e506007ba9fe05

            SHA1

            90033c6ee56461ca959482c9692cf6cfb6c5c6af

            SHA256

            c79cfdd6d0757eb52fbb021e7f0da1a2a8f1dd81dcd3a4e62239778545a09ecc

            SHA512

            4f0570d7c7762ecb4dcf3171ae67da3c56aa044419695e5a05f318e550f1a910a616f5691b15abfe831b654718ec97a534914bd172aa7a963609ebd8e1fae0a5

          • C:\Users\Admin\AppData\Local\cd90c940bd2a9265cf84b055cb9c0023\Admin@YQRLKYON_en-US\System\Apps.txt

            Filesize

            2KB

            MD5

            34d276fce9f8207cc4910e766abc12dd

            SHA1

            5faadd237b3de4c534546d09f14121306cff8d39

            SHA256

            9c4cfc5effc22b016af998e581e6c44a0eae3646ad4d2c4d64e7b95b5be24dac

            SHA512

            61a605418e924617410f6435cf5cee1bfaf8317a64c19010e9b2fcaf1b489740d59832f7201734afd5744adf5965c465773942c001a4473a9bee8de939a2ac48

          • C:\Users\Admin\AppData\Local\cd90c940bd2a9265cf84b055cb9c0023\Admin@YQRLKYON_en-US\System\Apps.txt

            Filesize

            6KB

            MD5

            fb74253abbd86cc6404f902891c7d6ae

            SHA1

            a72dd2bcc491170a992b29500f42bde4a4fbe6ea

            SHA256

            132ff19a3fdeb8dff72f8dbfb77ffecb3cc1c51e9c06458b0b9535b5ea2d1faf

            SHA512

            54231526d1542877b3f9775731391e0f8a01168853936f456a54110bb5c17c14e8c287ec66210752dd581e2cbd7e3f382259613b1134e63d90c938aed8e35c62

          • C:\Users\Admin\AppData\Local\cd90c940bd2a9265cf84b055cb9c0023\Admin@YQRLKYON_en-US\System\Process.txt

            Filesize

            1KB

            MD5

            832778f85632b031e541ab615566239e

            SHA1

            7a204a233a188d689a154cae4591bcc5a2b98faf

            SHA256

            467674ea80b5c6161a935304e707184c165579cb0296db71f065f361217519fa

            SHA512

            9b47344a9ee6a4c17e152629f7ec9b5544f593c5700a30bc150ab1e60cabc1ca334b6a2efdf236d0531c4f4754d50c619fb7670ac626e3c877fca2ad91a996ad

          • C:\Users\Admin\AppData\Local\cd90c940bd2a9265cf84b055cb9c0023\Admin@YQRLKYON_en-US\System\Process.txt

            Filesize

            1KB

            MD5

            a7825d36165ed9a5614171e429359f6c

            SHA1

            6cdc79acd5bef9d2f0b48ac7f2d7d9d243b78ac1

            SHA256

            dc03f8ffd282733a9798389afad6c5ea3d4df585dffee1b78c5d559b9f237e06

            SHA512

            dc6d048c8509bf3d78be1d04429beaad4e0c6293d091007bff935a8c038b883bf5448927e6f8c867a935010578daddae7c36bc4e3ab54f4c78147cce1d5c12b8

          • C:\Users\Admin\AppData\Local\cd90c940bd2a9265cf84b055cb9c0023\Admin@YQRLKYON_en-US\System\Process.txt

            Filesize

            2KB

            MD5

            1d17816fd827495767a9fd22270f3b38

            SHA1

            ee31ca4f807cc2b1e274186cd01f0d880edab3be

            SHA256

            15d2226da1c56ffedc0b94e27d6bb44c4b8bed7eaf2c58711a5d885963f4e693

            SHA512

            7973cb31abc2a89e5dfb92a14fe235be111e944f4d74b31d14dc1598af80d90e98607452e094080acdc0b3968afbe57787efdcac4aa0c30e5049365a61c5cac6

          • C:\Users\Admin\AppData\Local\cd90c940bd2a9265cf84b055cb9c0023\Admin@YQRLKYON_en-US\System\Process.txt

            Filesize

            3KB

            MD5

            768524aabc79e8f08a59e9962b08b6f3

            SHA1

            53facea6764a671dc0eef2717b988ec6faed055e

            SHA256

            cc7744937aacef8e8ee25cd2797ba3cac51e06f2c170f3febe4efb30a60c7eb6

            SHA512

            b74f37dd340ab2349b6b842e4c9c2d1b947163dd6f1046bd70f32b2eca8229031b6b89f5d295bae3e020c077c78c1b150859c3c94114c689b42c1325dc23c762

          • C:\Users\Admin\AppData\Local\cd90c940bd2a9265cf84b055cb9c0023\Admin@YQRLKYON_en-US\System\Process.txt

            Filesize

            4KB

            MD5

            0bb0e2d6f1a9f5f8ba5381d086bef3fd

            SHA1

            0cfdc46be6b62d346e14eb9070cbba79661a2acc

            SHA256

            05113f4e1103d3b0fa7b3a0648d5a3696268af34269a9c5c106bf846d70106e9

            SHA512

            77e95fed1351ff49188f5ad3b2652a0d9cc91646e219007bcf88d881de87e742c7a5c288ae1eeb06e8d1c612b59148213267f408b9d0ee18ba6bd75405b8456b

          • C:\Users\Admin\AppData\Local\cd90c940bd2a9265cf84b055cb9c0023\msgid.dat

            Filesize

            2B

            MD5

            aab3238922bcc25a6f606eb525ffdc56

            SHA1

            fa35e192121eabf3dabf9f5ea6abdbcbc107ac3b

            SHA256

            8527a891e224136950ff32ca212b45bc93f69fbb801c3b1ebedac52775f99e61

            SHA512

            5f3a799ba20c20a225f75d4fe2acab79912dfcd2f2b333bf062b37acbb6463388c344430d5ba1e9fd318d3ed8263074e999e2b2e811bc51c5e2dfea4e2f32e58

          • C:\Users\Admin\AppData\Roaming\svchost.exe

            Filesize

            63KB

            MD5

            67ca41c73d556cc4cfc67fc5b425bbbd

            SHA1

            ada7f812cd581c493630eca83bf38c0f8b32b186

            SHA256

            23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b

            SHA512

            0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

          • memory/2872-52-0x00007FFD55DD3000-0x00007FFD55DD5000-memory.dmp

            Filesize

            8KB

          • memory/2872-347-0x00000168EC180000-0x00000168EC19A000-memory.dmp

            Filesize

            104KB

          • memory/2872-0-0x00007FFD55DD3000-0x00007FFD55DD5000-memory.dmp

            Filesize

            8KB

          • memory/2872-1-0x00000168D01F0000-0x00000168D058C000-memory.dmp

            Filesize

            3.6MB

          • memory/2872-53-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

            Filesize

            10.8MB

          • memory/2872-2-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

            Filesize

            10.8MB

          • memory/2872-346-0x00000168EC140000-0x00000168EC184000-memory.dmp

            Filesize

            272KB

          • memory/2872-465-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

            Filesize

            10.8MB

          • memory/2872-423-0x00000168EC1A0000-0x00000168EC252000-memory.dmp

            Filesize

            712KB

          • memory/2872-424-0x00000168EC280000-0x00000168EC2A2000-memory.dmp

            Filesize

            136KB

          • memory/2872-426-0x00000168EC2B0000-0x00000168EC350000-memory.dmp

            Filesize

            640KB

          • memory/3616-51-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

            Filesize

            10.8MB

          • memory/3616-25-0x00007FFD55DD0000-0x00007FFD56891000-memory.dmp

            Filesize

            10.8MB

          • memory/3616-24-0x0000000000B90000-0x0000000000BA6000-memory.dmp

            Filesize

            88KB