Resubmissions

13/01/2025, 03:30

250113-d2zwsstmcx 10

13/01/2025, 00:34

250113-awxbyaxjas 10

13/01/2025, 00:05

250113-adfw8sylfn 10

12/01/2025, 12:53

250112-p4s2tavqgp 10

Analysis

  • max time kernel
    766s
  • max time network
    886s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2025, 03:30

General

  • Target

    Invoice_Payment.exe

  • Size

    1.3MB

  • MD5

    b1ecdaa42fc6ad9401ca1280d72ebe06

  • SHA1

    5610ce51bd1268176e1c87f4eba2399b9306773b

  • SHA256

    05a06ffd09151298fe40ad89b1042276f8166041fb81064060ec8344013bf3c5

  • SHA512

    57e52b040deb2f8e46be5327bff20a93ec520d5712816ddc8251260c94b4fd6e12fb361488f8c01d31f890364a198491d567be5950b441f924a1e3abce3b0d52

  • SSDEEP

    24576:sNA3R5drXPUP3m31yGejSrrB/O0AP1PLJVssMIjnglWGzMuxHVy0kIiWT6geGKH2:t5223XesrB/O0APOsBMlWaMCARSuFGKW

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default02

C2

woolingbrin.sytes.net:8747

woolingbrin.sytes.net:7477

87.120.121.160:8747

87.120.121.160:7477

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    15

  • install

    true

  • install_file

    vtc.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 13 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Invoice_Payment.exe
    C:\Users\Admin\AppData\Local\Temp\Invoice_Payment.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\cffhxtr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3424
      • C:\Users\Admin\AppData\Roaming\cfger.sfx.exe
        cfger.sfx.exe -dC:\Users\Admin\AppData\Roaming -p
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4204
        • C:\Users\Admin\AppData\Roaming\cfger.exe
          "C:\Users\Admin\AppData\Roaming\cfger.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:232
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bdxfhxtr.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2320
            • C:\Users\Admin\AppData\Roaming\bzfuble.sfx.exe
              bzfuble.sfx.exe -dC:\Users\Admin\AppData\Roaming -pfhmxvazfugywidasdfHbgnmeUtyRhdepoufslvqxfofnglfyjfodyehal
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1196
              • C:\Users\Admin\AppData\Roaming\bzfuble.exe
                "C:\Users\Admin\AppData\Roaming\bzfuble.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2724
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\dtuysfgdf.bat" "
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4956
                  • C:\Users\Admin\AppData\Roaming\dthgdxs.sfx.exe
                    dthgdxs.sfx.exe -dC:\Users\Admin\AppData\Roaming -pdcsyRgeygfgfgjdghjdguipbohhyjdfgyjuthmyopeafuszhvqxsdfHbghkgh
                    9⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:1216
                    • C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                      "C:\Users\Admin\AppData\Roaming\dthgdxs.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4420
                      • C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                        C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:1876
                      • C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                        C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                        11⤵
                        • Executes dropped EXE
                        PID:3348
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 80
                          12⤵
                          • Program crash
                          PID:3132
                      • C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                        C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                        11⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:1012
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vtc" /tr '"C:\Users\Admin\AppData\Roaming\vtc.exe"' & exit
                          12⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:400
                          • C:\Windows\SysWOW64\schtasks.exe
                            schtasks /create /f /sc onlogon /rl highest /tn "vtc" /tr '"C:\Users\Admin\AppData\Roaming\vtc.exe"'
                            13⤵
                            • System Location Discovery: System Language Discovery
                            • Scheduled Task/Job: Scheduled Task
                            PID:1744
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD8EB.tmp.bat""
                          12⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:3584
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout 3
                            13⤵
                            • System Location Discovery: System Language Discovery
                            • Delays execution with timeout.exe
                            PID:3752
                          • C:\Users\Admin\AppData\Roaming\vtc.exe
                            "C:\Users\Admin\AppData\Roaming\vtc.exe"
                            13⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1468
                            • C:\Users\Admin\AppData\Roaming\vtc.exe
                              C:\Users\Admin\AppData\Roaming\vtc.exe
                              14⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4532
                            • C:\Users\Admin\AppData\Roaming\vtc.exe
                              C:\Users\Admin\AppData\Roaming\vtc.exe
                              14⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:1100
                            • C:\Users\Admin\AppData\Roaming\vtc.exe
                              C:\Users\Admin\AppData\Roaming\vtc.exe
                              14⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:1772
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3348 -ip 3348
    1⤵
      PID:392

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dthgdxs.exe.log

      Filesize

      706B

      MD5

      d95c58e609838928f0f49837cab7dfd2

      SHA1

      55e7139a1e3899195b92ed8771d1ca2c7d53c916

      SHA256

      0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

      SHA512

      405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

    • C:\Users\Admin\AppData\Local\Temp\tmpD8EB.tmp.bat

      Filesize

      147B

      MD5

      f277fbf37335a9278a9d8ab58b5a517a

      SHA1

      5f034729d98dd45e0e533d3346ba00b3df11bfba

      SHA256

      a00af2fef2abe4ddbb5df603736a705f9cde2372aa8b3b2414ebde88cd2fb1c8

      SHA512

      02092267e20b079fe4787b8b055ca429164b6f9e5bc3475eec00b3332a444ecb3f51a0dd3af905d7bbfe16eba379a0aeae4ebc349bad24d5a474fd8251db037b

    • C:\Users\Admin\AppData\Roaming\bdxfhxtr.bat

      Filesize

      47KB

      MD5

      d782793c652d72fb6560250033fba98e

      SHA1

      c3ef7608998c7eb7513696c942a84c892b9b21db

      SHA256

      a1caad0190eac698c6ec5515362f1bb53193c8a311a5ab03d0125b032b2a9b84

      SHA512

      f296255bded532b6c0645d2550bf32ec43631a9da54b863d2dcceda3a8df817278851e24a25d8c68d8e91fdcc3c52a58364e3d66d670c0fac128413332fce2b7

    • C:\Users\Admin\AppData\Roaming\bzfuble.exe

      Filesize

      661KB

      MD5

      99412bef1088320fedf948ffdd40765f

      SHA1

      3f8617b329d2706c255b0fc4b355f225f5179f3e

      SHA256

      3d767c19243f1af24dfb750fe7933d7cb4eecffcd45fef48551c63f989f0d63a

      SHA512

      2fbf8fc734849f8a20446274720bbcc8d4c8b3c9979822a4eaf546a291520f01e8c65c368e976ce8b65b9a7f4d289c4df3d3aa01d74e207283abec2cb739a9e7

    • C:\Users\Admin\AppData\Roaming\bzfuble.sfx.exe

      Filesize

      795KB

      MD5

      1ca07665cdb629ec91c5acd31925c027

      SHA1

      b19b16ff5c2aabf895179b9bdabf18dd559dc1cc

      SHA256

      078871e60d2930abfdb6203b432a65d6556561b25ad077e024e1e4c4d59e678c

      SHA512

      3910ff449999c06b8bc7c913e29b76f94866505e8ffd20567afcc78cb0fc8bfd753cb1063d79ccb12807355bf008171a413cf954f46dc213cf6c8cad7068c95b

    • C:\Users\Admin\AppData\Roaming\cffhxtr.bat

      Filesize

      47KB

      MD5

      8608e7ce760093c19c0d1e0d539c89c3

      SHA1

      6caef71fb1ccec01c446dab1f707218444ede656

      SHA256

      80f1cd7637a55925f2bd2341fe65e8cddf15ec9bdcccb9d4b9e3906c4d511661

      SHA512

      6ae5316fee516880e212fc3737827e459dfee89f59c77cfe46ba233b028f58648efa69e9d7b52218148f6e5c22ef6d6f31c6da164f2c0928d30363bfde546e0c

    • C:\Users\Admin\AppData\Roaming\cfger.exe

      Filesize

      937KB

      MD5

      739120c1f7c118f14b10afab34c9a380

      SHA1

      2b62139bd0e2187b5379da0283f21675ecc5fdbb

      SHA256

      9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083

      SHA512

      e9600c458c851cb6264a35ea0c18bcba828a1d986cbc99c4a50104c930d0f103d9b7dac4905a96506fe42f1d3539cc4ca70db6adbeb6123edd1cdbb525b0879e

    • C:\Users\Admin\AppData\Roaming\cfger.sfx.exe

      Filesize

      1.0MB

      MD5

      8b4cf31dbfb6617251c158a610a7cd99

      SHA1

      e52d859486bcc64058dc020d0304130a911e6b41

      SHA256

      f4b514b7cd2016426463b2f4734b74b10c9cf27f628ccda4abd4743bedf6a782

      SHA512

      491cf02f0cdce7494b287c95477d4c75536258cb6063c4c23726f9d5e9d7cdbdf77f395ca8a6e5b26d6e709fb815b39ca9490a14ab135633f9eb2b8bb96a2bca

    • C:\Users\Admin\AppData\Roaming\dthgdxs.exe

      Filesize

      155KB

      MD5

      cdf47bec6d0fe4bf96c423897de91ffc

      SHA1

      6c257955b70ab4e30903372e924b40926f2869ae

      SHA256

      6ba01e4e418d76cfcb5232606fb5db91db07de15486971f1aaa4b6df9f624006

      SHA512

      85556a4c3dc2e50a83d2ff059954f047e0447112f27416a7639390e334a754e191f600fedf1d5142b3348080ee8c8f8cf4019f44a1aba37d71b1d2efbf695094

    • C:\Users\Admin\AppData\Roaming\dthgdxs.sfx.exe

      Filesize

      402KB

      MD5

      baa0a8d860ca253452c8001806b4bec2

      SHA1

      68425b89f27a12c2384ae9d1fb2bb1a48ad4e70f

      SHA256

      a9b46322e7774ac34e463f64c180b2bc290fd133cc1996a08577a7837355db55

      SHA512

      828f280d2cfa24f4769b8233439a46843aafff3432e00c66bb08d9ba0e7d6f908868ac941da63a71aa05aafdd4dc13b5c9b571ca9ac4ddbac0e257e8c5d23676

    • C:\Users\Admin\AppData\Roaming\dtuysfgdf.bat

      Filesize

      24KB

      MD5

      06d4cab0caa0436e4448862d4a6d31f2

      SHA1

      25545c772e23dd59aa1763c92a3c1c2985f34776

      SHA256

      129ac1bd19e7a37b53d3cc29b4a13d292dd6a9e94c8723e03f0ea3a7335b0f56

      SHA512

      ebcc67bbfe667f778ddc1a5341100ae3d0afb6856c134f3d17346370280236f46b06f82b9f152a20a1c63786b7b9001e2e3f7d14bad2cc1f06daf14e6b5cd7f5

    • memory/1012-76-0x0000000004EC0000-0x0000000004F26000-memory.dmp

      Filesize

      408KB

    • memory/1876-69-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/4420-63-0x0000000002880000-0x0000000002886000-memory.dmp

      Filesize

      24KB

    • memory/4420-67-0x0000000007460000-0x00000000074F2000-memory.dmp

      Filesize

      584KB

    • memory/4420-68-0x0000000004F70000-0x0000000004F76000-memory.dmp

      Filesize

      24KB

    • memory/4420-66-0x0000000007A10000-0x0000000007FB4000-memory.dmp

      Filesize

      5.6MB

    • memory/4420-65-0x00000000073C0000-0x000000000745C000-memory.dmp

      Filesize

      624KB

    • memory/4420-64-0x00000000027D0000-0x00000000027FE000-memory.dmp

      Filesize

      184KB

    • memory/4420-62-0x0000000000500000-0x000000000052C000-memory.dmp

      Filesize

      176KB