Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
02-01-2025 19:10
General
-
Target
file.exe
-
Size
551KB
-
MD5
acb979b81c2acf8de8925ac44a607e48
-
SHA1
9be1e0bb48c9343c22f292089e4931f0ce739421
-
SHA256
4fe449d036c64073e840b18ba90368b895159740ee8596476e42125477a70ed7
-
SHA512
41b4e517540a5b2f225f967424c2d009cc85bb6d77398507770b1b474a4ebfd2361f695f380f6c9291cf627e693ba057b4a05c55b52f5c7e5780d37af4c15a01
-
SSDEEP
12288:lxX3xXFdZd9HdkGIwHNLfh2AnX9TML8wHbC708POrXNiH19m9IWIu/rqkR:fzrd9HdkGIONLh2AnXkv8PeUL5WIyp
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
185.208.158.187:4449
tnybaidkzovl
-
delay
10
-
install
true
-
install_file
NotepadUpdate.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 49 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\efQsxHSLtNUjTi.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\efQsxHSLtNUjTi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC73.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"' & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "NotepadUpdate" /tr '"C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"'4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp19AD.tmp.bat""3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\efQsxHSLtNUjTi.exe"5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\efQsxHSLtNUjTi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp624F.tmp"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"C:\Users\Admin\AppData\Roaming\NotepadUpdate.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD5f842b03d916fbe484facee7a89329732
SHA11c8585f74368ef2cd79296961cbb0989cc67d9d5
SHA2560615a6f804dc78eb4a061a49fa1612141914a3f8248154c403ec38d8bb7b4de9
SHA512f1f8d438da2736b8bf4bd04cc5653508d6808739b28e4fb1a0f625be5a4b9026dc1bff1b7d5b9392272a83cdf9afed9b5785aa59bb7028fea2f5898be6006572
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
157B
MD5591c8ee57033d9602a228d0a48c1711e
SHA1e4e89080c957c35d8bf7e9859940654273f0578d
SHA2561320cec15335cc2f764fb19dd31a8a3f4fccffee6554697225b617c3abab7570
SHA512be52199638fc124faa32839230f1db0b0a6cdf8f0685c7b0443d41d3bd07fd2fdb4935e72c7e93d878b462d95e0e58a99ab4c34d6336c6425d3c4280b3a92504
-
Filesize
1KB
MD5e3d092844f3519a71cecf717650e747a
SHA149a914e6319737f8d3c810385b08d3312c59ba5c
SHA2564102491c1151c0a000e92e7d6eaa9008e62398b0084b658f4a1f57d8e43a90a3
SHA5126cdfcd62e95847e55b93a67494294c546d881571a5aa0a732b41b4405efb05bae3d75c8f1abfdbc1470e933ad0201fbae5464140223654170a52b70520de1e80
-
Filesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
Filesize
551KB
MD5acb979b81c2acf8de8925ac44a607e48
SHA19be1e0bb48c9343c22f292089e4931f0ce739421
SHA2564fe449d036c64073e840b18ba90368b895159740ee8596476e42125477a70ed7
SHA51241b4e517540a5b2f225f967424c2d009cc85bb6d77398507770b1b474a4ebfd2361f695f380f6c9291cf627e693ba057b4a05c55b52f5c7e5780d37af4c15a01
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
376KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
560KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
96KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
96KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
80KB