Analysis

  • max time kernel
    95s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-12-2024 19:31

General

  • Target

    7B17EBBF77F53472D2FEBB38E9785026.exe

  • Size

    996KB

  • MD5

    7b17ebbf77f53472d2febb38e9785026

  • SHA1

    f3e6e40de8a8ca8b7cc3f8f4d636ad788df39935

  • SHA256

    c23b7950208b8f8e8a22c401cb5e9a05e560ae6119307d975ba601b4e2e99273

  • SHA512

    40aeebe55e881e59d0a765a03dcf9d626cf6b83bf7fa667f63098c18d8d745f225a7d779ba1abaae1fdb185695df8bece6f7231c0b6c294ba52a48a5f083d4ac

  • SSDEEP

    24576:hN/BUBb+tYjBFHL68+WHE3YLXiM0hD6di/AX:jpUlRhTfHEoLXiM0hDTU

Malware Config

Extracted

Family

asyncrat

Version

| Edit by Vinom Rat

Botnet

Default

C2

195.26.255.81:6606

195.26.255.81:7707

195.26.255.81:8808

195.26.255.81:0077

195.26.255.81:1996

195.26.255.81:2106

195.26.255.81:7777

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain
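The extracted config above is the most directly actionable part of the report: one C2 host on seven ports plus a mutex name. The following script is an added example (not part of the sandbox report) showing how to turn the C2 list into network indicators and run them over flow records. The flow log lines are constructed for illustration; the C2 address and ports are copied from the Extracted section. It also handles a detail a naive string match would miss: the config stores ports as strings, so "0077" must be normalised to the integer 77 before it can match a logged destination port.

```python
"""Build network indicators from the AsyncRAT config extracted above and
match them against constructed flow records.

Added example, not part of the sandbox report. The flow records below are
constructed for illustration; the C2 host and ports come from the report.
"""
import ipaddress
from dataclasses import dataclass

# C2 entries exactly as the extractor printed them. Note "0077": the config
# stores the port as a string, so a leading zero survives extraction.
EXTRACTED_C2 = [
    "195.26.255.81:6606",
    "195.26.255.81:7707",
    "195.26.255.81:8808",
    "195.26.255.81:0077",
    "195.26.255.81:1996",
    "195.26.255.81:2106",
    "195.26.255.81:7777",
]


@dataclass(frozen=True)
class C2Endpoint:
    host: str
    port: int  # normalised to an int so "0077" matches a logged port 77


def parse_c2_list(entries):
    """Parse host:port strings into C2Endpoint objects.

    Ports are converted to integers because flow logs record the port as a
    number; comparing the string "0077" against "77" would never match.
    Malformed entries are skipped rather than raising, since extracted
    configs are often partly corrupt.
    """
    out = set()
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            continue
        p = int(port)
        if not 0 < p < 65536:
            continue
        out.add(C2Endpoint(host, p))
    return out


def parse_flow(line):
    """Parse a constructed CSV flow record: ts,src_ip,dst_ip,dst_port,proto."""
    ts, src, dst, dport, proto = line.strip().split(",")
    return {
        "ts": ts,
        "src": src,
        # compressed form gives a canonical string for both IPv4 and IPv6
        "dst": ipaddress.ip_address(dst).compressed,
        "dport": int(dport),
        "proto": proto,
    }


def match_flows(lines, c2):
    """Return (ts, src, 'dst:port') for every flow that hits a C2 endpoint."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if C2Endpoint(f["dst"], f["dport"]) in c2:
            hits.append((f["ts"], f["src"], f"{f['dst']}:{f['dport']}"))
    return hits


# Constructed sample: two beaconing flows (one on the zero-padded port),
# one benign HTTPS flow and one DNS flow to the C2 host on a non-C2 port.
SAMPLE_FLOWS = """\
2024-12-31T19:32:01Z,10.0.0.15,195.26.255.81,6606,tcp
2024-12-31T19:32:05Z,10.0.0.15,195.26.255.81,77,tcp
2024-12-31T19:32:09Z,10.0.0.15,93.184.216.34,443,tcp
2024-12-31T19:32:12Z,10.0.0.22,195.26.255.81,53,udp
"""

if __name__ == "__main__":
    indicators = parse_c2_list(EXTRACTED_C2)
    for hit in match_flows(SAMPLE_FLOWS.splitlines(), indicators):
        print("C2 hit:", *hit)
```

Matching on host and port as a pair, rather than on the IP alone, keeps the DNS flow to the same host out of the hit list; whether that precision is wanted depends on how the address is shared, and a looser host-only rule is a one-line change.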

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 2 IoCs

    Uses a command-line utility (here ipconfig) to query or change the network configuration.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7B17EBBF77F53472D2FEBB38E9785026.exe
    "C:\Users\Admin\AppData\Local\Temp\7B17EBBF77F53472D2FEBB38E9785026.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4352
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\pgoh.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3368
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /release
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /release
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:540
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c cipkucw.ppt xdgrnj.pdf
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4588
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cipkucw.ppt
          cipkucw.ppt xdgrnj.pdf
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1908
          • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
            "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2976
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ipconfig /renew
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3216
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig /renew
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers network information
          PID:2624
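The process tree above shows the execution chain: the SFX dropper runs a .vbe through WScript.exe, which bounces the network adapter with ipconfig /release and /renew, launches a PE disguised as cipkucw.ppt, and that file starts a RegSvcs.exe copied into %Temp% (with SetThreadContext flagged on the parent, consistent with process hollowing). The script below is an added example, not part of the sandbox report, that distils three behavioural rules from this chain and runs them over process-creation events constructed to mirror the tree (PIDs and paths are taken from the report; the event shape, the rule names and the .NET Framework path list are assumptions made for illustration).

```python
"""Behavioural detection rules distilled from the process tree above,
evaluated over constructed Sysmon-style process-creation events.

Added example, not part of the sandbox report. Events are constructed to
mirror the tree; rule names and path conventions are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


# The genuine RegSvcs.exe ships under the .NET Framework directories; a copy
# anywhere else (here %LOCALAPPDATA%\Temp) is a strong injection/hollowing hint.
NET_FRAMEWORK_DIRS = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif"}
USER_TEMP = "\\appdata\\local\\temp\\"


def _name(path):
    return ntpath.basename(path).lower()


def rule_script_host_ipconfig(ev):
    """WScript/CScript -> cmd.exe /c ipconfig /release|/renew: the dropper
    resets the adapter before the payload starts."""
    return (_name(ev.parent_image) in {"wscript.exe", "cscript.exe"}
            and _name(ev.image) == "cmd.exe"
            and re.search(r"ipconfig\s+/(release|renew)\b", ev.cmdline, re.I) is not None)


def rule_non_exe_extension_executed(ev):
    """A process image with a document/media extension (cipkucw.ppt) running
    from the user's Temp directory. Restricting to Temp trades a little
    recall for precision; drop that clause for a broader hunt."""
    ext = ntpath.splitext(_name(ev.image))[1]
    return ext not in EXECUTABLE_EXTS and USER_TEMP in ev.image.lower()


def rule_regsvcs_outside_framework(ev):
    """RegSvcs.exe started from any path outside the .NET Framework dirs."""
    return (_name(ev.image) == "regsvcs.exe"
            and not ev.image.lower().startswith(NET_FRAMEWORK_DIRS))


RULES = {
    "script_host_spawns_ipconfig": rule_script_host_ipconfig,
    "non_exe_extension_executed": rule_non_exe_extension_executed,
    "regsvcs_outside_framework": rule_regsvcs_outside_framework,
}


def evaluate(events):
    """Return {rule_name: [pids]} for every rule that fires on any event."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev.pid)
    return hits


# Constructed events mirroring the report's tree (PIDs from the report),
# plus one benign control: the real RegSvcs.exe from the Framework directory.
SAMPLE_EVENTS = [
    ProcEvent(3368, 4352, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\pgoh.vbe"',
              r"C:\Users\Admin\AppData\Local\Temp\7B17EBBF77F53472D2FEBB38E9785026.exe"),
    ProcEvent(4004, 3368, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ipconfig /release',
              r"C:\Windows\SysWOW64\WScript.exe"),
    ProcEvent(1908, 4588, r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\cipkucw.ppt",
              "cipkucw.ppt xdgrnj.pdf", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(2976, 1908, r"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"',
              r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\cipkucw.ppt"),
    ProcEvent(5000, 700, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              "RegSvcs.exe Some.dll", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, pids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: PIDs {pids}")
```

The three rules fire on PIDs 4004, 1908 and 2976 respectively and stay silent on the legitimate RegSvcs.exe control event; the RegSvcs rule is the one with the best signal-to-noise ratio, since the binary has no business running from a user-writable directory.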

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\axha.icm

    Filesize

    537B

    MD5

    f982a60e5f1b14c79fc141b895cc766c

    SHA1

    2ecc98ea11167d0692d64feb812e1e648503ea4a

    SHA256

    e019e67a0f7ec0696febb0dc7c6bcc727aae6079ac6ad3fa23e7bf8a099214aa

    SHA512

    9e1cd62ba25c58e71d7639451c61ee9552eaba25e1e2e969ecc1e3c21df1d339b939b2e1952142d2eb1a2969d494272fc8c391f01f9438b770cd227adc4ffe96

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bbgsq.mp3

    Filesize

    544B

    MD5

    6067ac7e038c2bfdfb972a778a59b502

    SHA1

    6e271f05dbc646815f80e066278533e679d7e623

    SHA256

    6059ff208eb32ca458348d8090bb816f44df314a45fa150505eaa1cde10c64c9

    SHA512

    c38f9045fb97784546e8c0530c265db7090c0c48f68a38707294258c15c9d08567b08255d16aa715215f6a4b1f90f4f2932bb022f50e74cd9371213ccce1eccb

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\bocmvwxai.mp3

    Filesize

    535B

    MD5

    af67f6bbd092665560cca8a81115f98e

    SHA1

    3e182e87a2fec52365f75827fb97e3efadeae0ec

    SHA256

    b18ee92e84e90f07567cef8a354d820d3a8f973afdd973d8630804c6f731e991

    SHA512

    0a0ce38a8f7e2944c460b4a16b2221a85e1e55ecd86dbfd97b4c60505aaeb2d1ec2ae9c2c50574c082fe742368ee9bddb554ad57e7b2bb28542b78ab04fd7799

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cbpeb.bmp

    Filesize

    571B

    MD5

    c2c7d019161bb6d62f73528bfe2ed7b5

    SHA1

    6f109fe18e7d094d1145f5b177c65f187f0aa1c0

    SHA256

    b2e334371bb7984dc84bc1a4d009993653dbdab8141a7736f030496b0ccb6eed

    SHA512

    15fe3667791d933c49b8605140abd61cc258da2da1e97799a8bc7583702881da4e0e629325a74b0cc22f2a5efb49333892bfe8470206788b73a762f710356023

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\cipkucw.ppt

    Filesize

    925KB

    MD5

    0adb9b817f1df7807576c2d7068dd931

    SHA1

    4a1b94a9a5113106f40cd8ea724703734d15f118

    SHA256

    98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

    SHA512

    883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\djxaejqg.txt

    Filesize

    523B

    MD5

    7e36b7880b3ecd2297e6f62d55f7a65b

    SHA1

    3815c7699d416a3277aafe3b6a2169c777c85f17

    SHA256

    5669adc7007bff0dc135b86e4c5c10294b6f1e4505f9f3f77f5a363a67e7713b

    SHA512

    0f4f4278b3e263b24398297d3c669f61a41a5b794ea3497ecaab6d315bb2acbc9e7ec0abecadcf3ee834d7f5d415644034af966921ceb28208f0c9df5ae3bff6

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\dvru.icm

    Filesize

    582B

    MD5

    c7812bbccb4ab3db46b91d7dcf04cd2c

    SHA1

    c72a668de5788f0f0f9392ccb85a340377cea2e2

    SHA256

    fe7b196cd1d3bd99d083f252db110d1951aa69f727c305e2b248707e69ac9d55

    SHA512

    9cc3c1e4d0dd28b11ae1b35915750d03e00154a83270ee02bd00a0b885fc1e78d97fd38572e910cca0b7b2d7dbe04b1bf7912401511d8a23e270b49c52d85cbf

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ebhfwhur.jpg

    Filesize

    553B

    MD5

    0d76c9cb1869319e76a6580c69604257

    SHA1

    27bde805b163c43c51d9e0619ce51dc4cda0443b

    SHA256

    874eb67f37d176bc5557f707087641f74bc89ebf220daa37e6864a2009843fff

    SHA512

    c4c13686c845a61663c768fc7ac4705d9078c6d136ff0d3ded43e0c2f1ec2412b733e4648f347f429096c0455da704df6e7f8fd4e0e29c70b9712f519c27a518

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\etlkuobjq.gum

    Filesize

    109KB

    MD5

    ee0b6dcb2323fe5047de83c300be5c00

    SHA1

    57510c2089062a35b49dcefad5f3552501698940

    SHA256

    8a7a595f49c43f8054f757a9fae31d7d10177638eca9d8060fc3a902a02785ea

    SHA512

    31d8af76ef4b9992adf5a4d78ed0c7231f35339efa484d137519ab219ee76197669cbb18f1947d9a940e89a6a4655ba5d9757a68d604670f6134bab83637358c

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\hoecxexa.mp3

    Filesize

    616B

    MD5

    aa51853ad474caf396b71d76ead8c14a

    SHA1

    9642ce89534071356d8936e433da468a894ca7ab

    SHA256

    ced926b2fd7087fe3f55c6ac0bf6f69643bd41664ef0cbf73c0cef6f37df2e2a

    SHA512

    8be2f90d5e4f93f190933065001539f39aa6217ffae337037d5b4cddf028b6e64c9c9c27d43cd8133e7e6d57c3d1f3a89ad252e9e9902633fe7660111cd11b5f

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\itxdnkl.bmp

    Filesize

    510B

    MD5

    3b87f8a73679f00ebb0f3a7c7b90a673

    SHA1

    d98627e3f197171143c423daeb59aa4e048d996c

    SHA256

    cca32260ab795480d8e57e2eef12f6ed7a19eff48592c9b0a0a725ac23a70780

    SHA512

    d7d57cb735bf461e704048560f516b6c410bc0e5c9bd181ab27ac182ba37f9cb2ae3efd3d239be88c1b76578169b7026ef2e6ac22fccc395fd1e5a2872c5ca92

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jaqharbas.pdf

    Filesize

    670B

    MD5

    867f44adc5eafa2e46b8025fea340d70

    SHA1

    1e71245c15f72ea6e519820e036fd32fdc0006e2

    SHA256

    9e526db38ba70b50e71a98707a0d292b74577a2c8392db2a7488bfa62c5263a0

    SHA512

    2c73f76f89e563e1855861aefafa3eef7990b1433ca0a6bf0350d28261ca26a335baade132d6fbf0fbddc64bcaba74137d85209dc51b3a4e75344e5e133378c1

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\kmvbdgorw.txt

    Filesize

    565B

    MD5

    7de3a12a6b90580ea356f948345fe9d7

    SHA1

    6afb6144330a0f4ec4f96fe33a7964d1652db92b

    SHA256

    f33f8a54ae5d43df50081a0a872ebcf501e471b8a1ceb918f1df21fcd57781e9

    SHA512

    6beb5d1855ee6ff9afb7bef1a08be47aab5026f9df6c5d4075cdeea17a15f6960af1511ed543c1ef6b5a414658b1e2325553d5d38e58db915d378a9b4764baec

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\lpfjthlm.icm

    Filesize

    533B

    MD5

    0115dba59a3af38e30da2f5aa6c96f4e

    SHA1

    2b5afecd853e5b03b004f3b42a2ed19677f350e7

    SHA256

    e54258a3c5f6258ee9c66a172fbefb1c414ee2701b1b8f674746b05cce851fbf

    SHA512

    3d4f63a33a2fb17217ecb187b94d1a6fad3e15805a89b42c67de12a5cc020af62034e406a535ebb41396db2358aeeb1b03489c115a92b3b427c0c08a994e765b

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mwcjwjoov.exe

    Filesize

    661B

    MD5

    82f446ae349917dd7dcd403af18bafac

    SHA1

    72970bd4af23321134da39ac452e28d31e219412

    SHA256

    cdd4da4b65abafdcac98afe1080cdc549a074217ea67437a7311d0ff8f8862f4

    SHA512

    fae4b9b118f9caf74ea94334d014816c4b2aa4f4f3db8e372c2a12db49fd1d26e87808144724aaca22599f74b6b141ff288654b5c0f8511fee580bd2bcaaac55

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\mxrv.bin

    Filesize

    617B

    MD5

    c1d1c70a2088d6b655c9ebf6234b8014

    SHA1

    e5bed845b8467b043cefd3ffdf5a333aa9a0e3ba

    SHA256

    a53415b26ae088e51bcf047d4f56ac1c3a32f5953f498b5dd0f181fc8d0a609d

    SHA512

    ecb4c5b514b7ac155b34fbb5d2acc1af3260f6f34623c769599eebbbd3709cc8dad62cfb61f1d9e46e27de5a98d083184d68a1888f8d52864d5bdd61b97b910c

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\nnjjangxc.pdf

    Filesize

    610B

    MD5

    208b5d0b67ffd39189cb1e56f641a569

    SHA1

    4b8151d25c424a62176af7d99b27e02e962350f9

    SHA256

    3f5fb1aae2dc3df95033f74fa4214ba5806c8a3aa9f4784d2b02726f343b5b84

    SHA512

    59876adfc0732347a324aed4c3373568fe77bdf82d7591b4f7508246db20ee55e184f448dd8c29d1b1357de442885856a7149f92ef9e06f060c3fc138f602d11

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ogtophmgw.mp3

    Filesize

    583B

    MD5

    0b720996f08404c60be94cdabc5f9263

    SHA1

    6bda9867fd28209f187591a0675c03f75b86dde8

    SHA256

    50c0a1003f14144466d3eb55fbf96113032e1d0c169890301e22d4e6d6bb2d1f

    SHA512

    58f68b7bb83ff2b25ea6104ed1ff791bbd0b68bf6e2d182e15e1bfc669edd9d6f080541f801f217d66afd7b50c6a9c9f95b03065cd53134b33cf9cf22a9c1b53

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\pgoh.vbe

    Filesize

    87KB

    MD5

    9cc31f5d12ce4609ec12d092a028bb23

    SHA1

    ae3c36da54c2142a6dc0d2987ad518acc850f803

    SHA256

    1fc30fcf18a2b46d9f3256f069598e0d622615ffc39cf57558be2b398f59e31e

    SHA512

    6e921a8972d1689d48625a4dc9af744382d0880d7768d6906580e87355cef39c789cb746deb93f2e457f2a8cf3a3e6159e001400317051ba8397aa4d635379f8

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rjhr.pdf

    Filesize

    33KB

    MD5

    55bc888147fd7cc3a422713f543596c8

    SHA1

    748970fbc9a4f80714e0d4fd12d6209f60f2ec97

    SHA256

    ff7fc54eade5736b5805b37bf827e5855a2f71e8d624665539368521a786a8d7

    SHA512

    66490bf66436f33b3ff20232e7a095c97f23cfc19c5e9fecba436853f26ed7055cc3b9219f55b0329b5e656de601a03fa9ecd9f2298ff44d2310beaf5966f972

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rjhr.pdf

    Filesize

    33KB

    MD5

    588c39a6c997279fe482ad97cc74c93b

    SHA1

    635addd6c1f792793c0a52681dbdb4b4364306bb

    SHA256

    9d7082a1b6be966c16b4eec78cacd7d60e3219401e9d73dd0a85ec5bed8cff85

    SHA512

    ea0af44fca5868313fa271efeb694f7da6a31cbfe4e9944ff68fe8f8c8f0f5c14fa0919b23fe2d7b9211f2b8c0bff2d07277c9618f15aed2a06f59c1b80cb818

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rxappxurje.txt

    Filesize

    578B

    MD5

    bd024a03bedcf16316ab8a1ec87adaa6

    SHA1

    0d7003b89301ccf8cdb326c3fcd98e96a60f1663

    SHA256

    1bcf4ba6ad5075f633662c184de0e46b4e5764b70ffcf8840c48be4679398560

    SHA512

    28294b36ba4ab7290010ea826952a4f82a06123987c84b3a91db90b5ae7b6e538a407933a750aa4619f7d93449a721b648ecb7f256758abb9fbfac92c6acf066

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ubddmvlr.jpg

    Filesize

    506B

    MD5

    e167b220b80135a631f589043ca899b5

    SHA1

    0e0850082f18334cd783dd174345934aed7221c5

    SHA256

    819ea1f99b61b3dc631f935eb6c5876034f373eb1ec4fec2db8873523696c518

    SHA512

    cc5fe2989ba6c3bce2310c28d0398500436e65db6b8eea08387c99e5871e2aacbae908a4b1c89b57ef1847a40ffee82a1777b4577eb01e7235176566ca965c86

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\ulgwpj.dll

    Filesize

    519B

    MD5

    70c69aa9f7b1e888ca0714e89be32098

    SHA1

    4f4bb1d33e921cf93182936499bfdf16a96f7f97

    SHA256

    7adb1e9738343f7ebe30ef6b7f6650fffee059ec22d98ebf17dc135e2c835b2f

    SHA512

    a01eb39e1fbc1a647d316264260b8c1748f1c49509342b04547b94bd09fda4b26fa04aa6d10c799a1426ae69746a6a2383e6963cebacf3e66194e295c13e686e

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\wdfnhena.jpg

    Filesize

    551B

    MD5

    f6de4eff7a4743ecfb4fe11e27dde3b4

    SHA1

    b451be4e2c5a0873ad0a69d4855d75cb065a06be

    SHA256

    2f77b1b7fe13aa79b41995f99be0ef1b85b492c30b594deaf0239257c72a5bfe

    SHA512

    0d0470ce4514a6a6951847ac61f5d09ab99e4b064fe4ad8e21a4f8afed68d56bd996eda5392ae6e8be5c4824b884e85d76a4511872386873557d4730c5abbe9c

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\wnfj.docx

    Filesize

    639B

    MD5

    d0c528931b9b927b80b3ff7191e579eb

    SHA1

    2060a0c27ab1c778d6b70828c2dff9d1059e1a70

    SHA256

    466db50bdc62d3c43698cf27d34ff2589782a4c81776dd3d79aac808208fb512

    SHA512

    d508f51fa8cbd713bf9cc426d175193c1d78b670d193a9c1037b4b8c3e89e76f1ce712c74a2917ce81a8b8bbc5a28f1118db1938bb9880ebce5241813d0e55cd

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xbdarhjg.icm

    Filesize

    568B

    MD5

    f1a870694962da77af70d0d8180af415

    SHA1

    3686ecc61cf21d56c70c7f71160cc0abc5d438d3

    SHA256

    2e3ac55b4c9e18cc1b11f739089eb6a0382ab64df61d7ffb60b6e21b1a3b2852

    SHA512

    74ce196cdbdc9f308dba90e8146768fdc7aebef286b028f741bed0903c3a68feb820c1fb46b021f804defae8647c1ac0309eac3aee320b22ec3011fad9f3b6ab

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

  • memory/2976-158-0x0000000001180000-0x000000000170C000-memory.dmp

    Filesize

    5.5MB

  • memory/2976-161-0x0000000001180000-0x0000000001196000-memory.dmp

    Filesize

    88KB

  • memory/2976-163-0x0000000005B90000-0x0000000005BF6000-memory.dmp

    Filesize

    408KB

  • memory/2976-164-0x0000000006080000-0x000000000611C000-memory.dmp

    Filesize

    624KB

  • memory/2976-165-0x0000000006AB0000-0x0000000007054000-memory.dmp

    Filesize

    5.6MB

  • memory/2976-166-0x00000000067A0000-0x0000000006832000-memory.dmp

    Filesize

    584KB

  • memory/2976-167-0x0000000006710000-0x000000000671A000-memory.dmp

    Filesize

    40KB

  • memory/2976-172-0x0000000007EE0000-0x0000000007F56000-memory.dmp

    Filesize

    472KB

  • memory/2976-173-0x0000000007E70000-0x0000000007E94000-memory.dmp

    Filesize

    144KB

  • memory/2976-174-0x0000000007F80000-0x0000000007F9E000-memory.dmp

    Filesize

    120KB