Analysis

  • max time kernel
    106s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/01/2025, 14:55

General

  • Target

    9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe

  • Size

    937KB

  • MD5

    739120c1f7c118f14b10afab34c9a380

  • SHA1

    2b62139bd0e2187b5379da0283f21675ecc5fdbb

  • SHA256

    9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083

  • SHA512

    e9600c458c851cb6264a35ea0c18bcba828a1d986cbc99c4a50104c930d0f103d9b7dac4905a96506fe42f1d3539cc4ca70db6adbeb6123edd1cdbb525b0879e

  • SSDEEP

    24576:jNA3R5drXm1bYf1c4xt6fLdf+s77ZpwWdBO2JLZULqLfO:O52EfyJWs77ZOAO2Gqi

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default02

C2

woolingbrin.sytes.net:8747

woolingbrin.sytes.net:7477

87.120.121.160:8747

87.120.121.160:7477

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    15

  • install

    true

  • install_file

    vtc.exe

  • install_folder

    %AppData%

aes.plain
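The extracted config above gives four C2 endpoints (one DDNS name and one IP, each on two ports). The following is an added example, not part of the sandbox report, showing how a responder would turn those entries into indicator sets and sweep DNS and connection telemetry with them. The C2 entries are the ones listed above; the `type=dns` / `type=conn` key=value log format and the sample lines are constructed for illustration, with the non-C2 addresses taken from RFC 5737 documentation ranges.

```python
"""Sweep DNS and connection logs for the AsyncRAT C2 indicators extracted above."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable

# C2 entries copied from the Malware Config section of this report.
C2_ENTRIES = [
    "woolingbrin.sytes.net:8747",
    "woolingbrin.sytes.net:7477",
    "87.120.121.160:8747",
    "87.120.121.160:7477",
]


@dataclass(frozen=True)
class Indicators:
    domains: frozenset  # names the implant resolves
    ips: frozenset      # hard-coded fallback addresses
    sockets: frozenset  # (ip, port) pairs the implant connects to
    ports: frozenset    # C2 ports alone, for low-confidence pivots


def parse_c2(entries: Iterable[str]) -> Indicators:
    """Split host:port entries into domain, IP, socket and port sets (IPv4 only)."""
    domains, ips, sockets, ports = set(), set(), set(), set()
    for entry in entries:
        host, _, port_str = entry.rpartition(":")
        port = int(port_str)
        ports.add(port)
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:          # not an IP literal, so it is a hostname
            domains.add(host.lower())
            continue
        ips.add(ip)
        sockets.add((ip, port))
    return Indicators(frozenset(domains), frozenset(ips), frozenset(sockets), frozenset(ports))


def _fields(line: str) -> dict:
    """Parse the constructed '<timestamp> key=value ...' log format used below."""
    return dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)


def match_line(line: str, ind: Indicators) -> list:
    """Return (rule, indicator) pairs for one log line; empty list when clean."""
    f = _fields(line)
    hits = []
    if f.get("type") == "dns":
        qname = f.get("qname", "").lower()
        if qname in ind.domains:
            hits.append(("c2_domain_lookup", qname))
        if f.get("answer") in ind.ips:
            hits.append(("c2_ip_resolved", f["answer"]))
    elif f.get("type") == "conn":
        dst, dport = f.get("dst"), int(f.get("dport", 0))
        if (dst, dport) in ind.sockets:
            hits.append(("c2_direct_connect", f"{dst}:{dport}"))
        elif dst in ind.ips:
            hits.append(("c2_ip_other_port", f"{dst}:{dport}"))
        elif dport in ind.ports and f.get("proto") == "tcp":
            # Port-only match: operators rotate DDNS targets, so this is a
            # pivot lead, not a verdict. Triage before acting on it.
            hits.append(("c2_port_only_low_confidence", f"{dst}:{dport}"))
    return hits


def sweep(lines: Iterable[str], ind: Indicators) -> list:
    """Run match_line over every line; returns (line_no, rule, indicator) triples."""
    return [(n, rule, val) for n, line in enumerate(lines, 1) for rule, val in match_line(line, ind)]


# Constructed sample telemetry: two benign lines, three that touch the C2, and one
# port-only coincidence. Non-C2 addresses are RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "2025-01-17T14:56:02Z type=dns client=10.0.0.5 qname=woolingbrin.sytes.net qtype=A answer=87.120.121.160",
    "2025-01-17T14:56:03Z type=conn src=10.0.0.5 sport=49812 dst=87.120.121.160 dport=8747 proto=tcp",
    "2025-01-17T14:56:10Z type=dns client=10.0.0.5 qname=example.com qtype=A answer=198.51.100.20",
    "2025-01-17T14:56:11Z type=conn src=10.0.0.5 sport=49813 dst=198.51.100.20 dport=443 proto=tcp",
    "2025-01-17T14:57:40Z type=conn src=10.0.0.5 sport=49820 dst=87.120.121.160 dport=7477 proto=tcp",
    "2025-01-17T15:02:15Z type=conn src=10.0.0.9 sport=51001 dst=203.0.113.7 dport=8747 proto=tcp",
]

if __name__ == "__main__":
    for line_no, rule, value in sweep(SAMPLE_LOGS, parse_c2(C2_ENTRIES)):
        print(f"line {line_no}: {rule} -> {value}")
```

The domain and socket rules are the high-confidence ones; the port-only rule exists because the operator behind a `sytes.net` DDNS name can repoint it at a new address at any time, so a connection to an unknown host on 8747 or 7477 is worth a second look but not a block on its own.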

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe
    "C:\Users\Admin\AppData\Local\Temp\9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bdxfhxtr.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Users\Admin\AppData\Roaming\bzfuble.sfx.exe
        bzfuble.sfx.exe -dC:\Users\Admin\AppData\Roaming -pfhmxvazfugywidasdfHbgnmeUtyRhdepoufslvqxfofnglfyjfodyehal
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:640
        • C:\Users\Admin\AppData\Roaming\bzfuble.exe
          "C:\Users\Admin\AppData\Roaming\bzfuble.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3092
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\dtuysfgdf.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2836
            • C:\Users\Admin\AppData\Roaming\dthgdxs.sfx.exe
              dthgdxs.sfx.exe -dC:\Users\Admin\AppData\Roaming -pdcsyRgeygfgfgjdghjdguipbohhyjdfgyjuthmyopeafuszhvqxsdfHbghkgh
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2700
              • C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                "C:\Users\Admin\AppData\Roaming\dthgdxs.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5020
                • C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                  C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:3124
                • C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                  C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4192
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "vtc" /tr '"C:\Users\Admin\AppData\Roaming\vtc.exe"' & exit
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:2568
                    • C:\Windows\SysWOW64\schtasks.exe
                      schtasks /create /f /sc onlogon /rl highest /tn "vtc" /tr '"C:\Users\Admin\AppData\Roaming\vtc.exe"'
                      10⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:3188
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE56E.tmp.bat""
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:4748
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 3
                      10⤵
                      • System Location Discovery: System Language Discovery
                      • Delays execution with timeout.exe
                      PID:3412
                    • C:\Users\Admin\AppData\Roaming\vtc.exe
                      "C:\Users\Admin\AppData\Roaming\vtc.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3076
                      • C:\Users\Admin\AppData\Roaming\vtc.exe
                        C:\Users\Admin\AppData\Roaming\vtc.exe
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:640
                      • C:\Users\Admin\AppData\Roaming\vtc.exe
                        C:\Users\Admin\AppData\Roaming\vtc.exe
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4632
                      • C:\Users\Admin\AppData\Roaming\vtc.exe
                        C:\Users\Admin\AppData\Roaming\vtc.exe
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        PID:656
                • C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                  C:\Users\Admin\AppData\Roaming\dthgdxs.exe
                  8⤵
                  • Executes dropped EXE
                  PID:3872
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 80
                    9⤵
                    • Program crash
                    PID:1104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3872 -ip 3872
    1⤵
      PID:1716
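The tree above is a textbook AsyncRAT delivery chain: cmd.exe runs a dropped .bat, the .bat runs a WinRAR self-extractor with the destination and archive password on the command line (`-d<dir>` and `-p<password>` are WinRAR SFX module switches), the extracted payload repeats the trick once more, the final stage spawns copies of itself (the SetThreadContext / WriteProcessMemory pair the signatures flag), registers an `onlogon` scheduled task for `vtc.exe` with `/rl highest`, and uses `timeout` to pause before launching the installed copy. The following is an added example, not part of the sandbox report, that encodes those steps as detection rules over process-creation records. The `Proc` records are constructed from the tree above (pid, parent pid, image, command line); the field names, rule names and the ATT&CK mapping are the example's own, not the sandbox's.

```python
"""Flag the execution chain from the process tree above in endpoint telemetry."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    technique: str   # ATT&CK technique ID the rule maps to
    detail: str


ROAMING = r"C:\Users\Admin\AppData\Roaming"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9586be184264c169c7e865f6b954aed24cce3547e479e4c38b13753588b5a083N.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TASK = r"""schtasks /create /f /sc onlogon /rl highest /tn "vtc" /tr '"C:\Users\Admin\AppData\Roaming\vtc.exe"'"""

# Records constructed from the tree above; ppid 0 marks the submitted sample.
# The sandbox reuses PID 640 (bzfuble.sfx.exe, later a vtc.exe child), as the tree shows.
PROCS = [
    Proc(2236, 0, SAMPLE, f'"{SAMPLE}"'),
    Proc(748, 2236, CMD, rf'C:\Windows\system32\cmd.exe /c ""{ROAMING}\bdxfhxtr.bat" "'),
    Proc(640, 748, rf"{ROAMING}\bzfuble.sfx.exe", rf"bzfuble.sfx.exe -d{ROAMING} -pfhmxvazfugywidasdfHbgnmeUtyRhdepoufslvqxfofnglfyjfodyehal"),
    Proc(3092, 640, rf"{ROAMING}\bzfuble.exe", rf'"{ROAMING}\bzfuble.exe"'),
    Proc(2836, 3092, CMD, rf'C:\Windows\system32\cmd.exe /c ""{ROAMING}\dtuysfgdf.bat" "'),
    Proc(2700, 2836, rf"{ROAMING}\dthgdxs.sfx.exe", rf"dthgdxs.sfx.exe -d{ROAMING} -pdcsyRgeygfgfgjdghjdguipbohhyjdfgyjuthmyopeafuszhvqxsdfHbghkgh"),
    Proc(5020, 2700, rf"{ROAMING}\dthgdxs.exe", rf'"{ROAMING}\dthgdxs.exe"'),
    Proc(3124, 5020, rf"{ROAMING}\dthgdxs.exe", rf"{ROAMING}\dthgdxs.exe"),
    Proc(4192, 5020, rf"{ROAMING}\dthgdxs.exe", rf"{ROAMING}\dthgdxs.exe"),
    Proc(3872, 5020, rf"{ROAMING}\dthgdxs.exe", rf"{ROAMING}\dthgdxs.exe"),
    Proc(2568, 4192, CMD, r'"C:\Windows\System32\cmd.exe" /c ' + TASK + " & exit"),
    Proc(3188, 2568, r"C:\Windows\SysWOW64\schtasks.exe", TASK),
    Proc(4748, 4192, CMD, r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE56E.tmp.bat""'),
    Proc(3412, 4748, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    Proc(3076, 4748, rf"{ROAMING}\vtc.exe", rf'"{ROAMING}\vtc.exe"'),
    Proc(640, 3076, rf"{ROAMING}\vtc.exe", rf"{ROAMING}\vtc.exe"),
    Proc(4632, 3076, rf"{ROAMING}\vtc.exe", rf"{ROAMING}\vtc.exe"),
    Proc(656, 3076, rf"{ROAMING}\vtc.exe", rf"{ROAMING}\vtc.exe"),
]

SFX_DEST = re.compile(r"(?:^|\s)-d(\S+)")
SFX_PASS = re.compile(r"(?:^|\s)-p(\S+)")
TASK_RUN = re.compile(r"/tr\s+(.+)$", re.IGNORECASE)


def analyze(procs: list) -> list:
    """Apply the chain rules to every record; returns a list of Findings."""
    first_seen = {}
    for p in procs:
        first_seen.setdefault(p.pid, p)      # first record wins when a PID is reused
    findings = []
    for p in procs:
        img, cl, low = p.image.lower(), p.cmdline, p.cmdline.lower()
        # cmd.exe launching a .bat that lives under AppData (both stagers and the tmp*.bat)
        if img.endswith("\\cmd.exe") and ".bat" in low and "\\appdata\\" in low:
            findings.append(Finding(p.pid, "batch_from_user_dir", "T1059.003", cl))
        # WinRAR SFX run with -d<dest> -p<password>: the archive password is in the command line
        if img.endswith(".sfx.exe") and (m := SFX_PASS.search(cl)):
            dest = SFX_DEST.search(cl)
            findings.append(Finding(p.pid, "sfx_password_extract", "T1027",
                                    f"dest={dest.group(1) if dest else '?'} password={m.group(1)}"))
        # schtasks persistence: run at logon, highest available privileges, target under AppData
        if img.endswith("\\schtasks.exe") and "/create" in low and "onlogon" in low and "/rl highest" in low:
            run = TASK_RUN.search(cl)
            target = run.group(1) if run else cl
            if "\\appdata\\" in target.lower():
                findings.append(Finding(p.pid, "schtasks_onlogon_highest_appdata", "T1053.005", target))
        if img.endswith("\\timeout.exe"):
            findings.append(Finding(p.pid, "timeout_delay", "T1497.003", cl))
        # An image spawning a copy of itself is how the SetThreadContext/WriteProcessMemory
        # injection shows up in a process tree; treat it as a hollowing candidate, not proof.
        parent = first_seen.get(p.ppid)
        if parent is not None and parent.image.lower() == img:
            findings.append(Finding(p.pid, "self_spawn_hollowing_candidate", "T1055.012", f"parent pid {parent.pid}"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, e.g. {'schtasks_onlogon_highest_appdata': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(PROCS):
        print(f"pid {f.pid:>5} {f.technique:<9} {f.rule}: {f.detail}")
```

Two practical notes. The SFX rule recovers both archive passwords straight from the command line, which is what lets an analyst unpack the dropped `.sfx.exe` stages offline without running them. The scheduled-task rule keys on the combination that matters for this sample (`onlogon`, `/rl highest`, a target under `AppData`); `/rl highest` only grants the highest privilege the creating user already holds, so on a standard-user host the task still runs unprivileged, but it is the persistence point to remove (the `vtc` task and `%AppData%\vtc.exe`) during cleanup.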

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dthgdxs.exe.log

      Filesize

      706B

      MD5

      d95c58e609838928f0f49837cab7dfd2

      SHA1

      55e7139a1e3899195b92ed8771d1ca2c7d53c916

      SHA256

      0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

      SHA512

      405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

    • C:\Users\Admin\AppData\Local\Temp\tmpE56E.tmp.bat

      Filesize

      147B

      MD5

      16bbe6a972958b211f630c6997c79f21

      SHA1

      1ce99d5df7fb83c8ab1cd92215175a819c2f2512

      SHA256

      ded6e7503fa7fb4003f55b39e3ce90e5e5df22c429d6a1609ca1a84de87624cf

      SHA512

      9a994e70db094875b9fe9e48e077792387e19608b24a92cbe94edd754af79b3e8040e0d5036501e58daf1d2354c97550fe2112315a3845f7fc250243f347bf31

    • C:\Users\Admin\AppData\Roaming\bdxfhxtr.bat

      Filesize

      47KB

      MD5

      d782793c652d72fb6560250033fba98e

      SHA1

      c3ef7608998c7eb7513696c942a84c892b9b21db

      SHA256

      a1caad0190eac698c6ec5515362f1bb53193c8a311a5ab03d0125b032b2a9b84

      SHA512

      f296255bded532b6c0645d2550bf32ec43631a9da54b863d2dcceda3a8df817278851e24a25d8c68d8e91fdcc3c52a58364e3d66d670c0fac128413332fce2b7

    • C:\Users\Admin\AppData\Roaming\bzfuble.exe

      Filesize

      661KB

      MD5

      99412bef1088320fedf948ffdd40765f

      SHA1

      3f8617b329d2706c255b0fc4b355f225f5179f3e

      SHA256

      3d767c19243f1af24dfb750fe7933d7cb4eecffcd45fef48551c63f989f0d63a

      SHA512

      2fbf8fc734849f8a20446274720bbcc8d4c8b3c9979822a4eaf546a291520f01e8c65c368e976ce8b65b9a7f4d289c4df3d3aa01d74e207283abec2cb739a9e7

    • C:\Users\Admin\AppData\Roaming\bzfuble.sfx.exe

      Filesize

      795KB

      MD5

      1ca07665cdb629ec91c5acd31925c027

      SHA1

      b19b16ff5c2aabf895179b9bdabf18dd559dc1cc

      SHA256

      078871e60d2930abfdb6203b432a65d6556561b25ad077e024e1e4c4d59e678c

      SHA512

      3910ff449999c06b8bc7c913e29b76f94866505e8ffd20567afcc78cb0fc8bfd753cb1063d79ccb12807355bf008171a413cf954f46dc213cf6c8cad7068c95b

    • C:\Users\Admin\AppData\Roaming\dthgdxs.exe

      Filesize

      155KB

      MD5

      cdf47bec6d0fe4bf96c423897de91ffc

      SHA1

      6c257955b70ab4e30903372e924b40926f2869ae

      SHA256

      6ba01e4e418d76cfcb5232606fb5db91db07de15486971f1aaa4b6df9f624006

      SHA512

      85556a4c3dc2e50a83d2ff059954f047e0447112f27416a7639390e334a754e191f600fedf1d5142b3348080ee8c8f8cf4019f44a1aba37d71b1d2efbf695094

    • C:\Users\Admin\AppData\Roaming\dthgdxs.sfx.exe

      Filesize

      402KB

      MD5

      baa0a8d860ca253452c8001806b4bec2

      SHA1

      68425b89f27a12c2384ae9d1fb2bb1a48ad4e70f

      SHA256

      a9b46322e7774ac34e463f64c180b2bc290fd133cc1996a08577a7837355db55

      SHA512

      828f280d2cfa24f4769b8233439a46843aafff3432e00c66bb08d9ba0e7d6f908868ac941da63a71aa05aafdd4dc13b5c9b571ca9ac4ddbac0e257e8c5d23676

    • C:\Users\Admin\AppData\Roaming\dtuysfgdf.bat

      Filesize

      24KB

      MD5

      06d4cab0caa0436e4448862d4a6d31f2

      SHA1

      25545c772e23dd59aa1763c92a3c1c2985f34776

      SHA256

      129ac1bd19e7a37b53d3cc29b4a13d292dd6a9e94c8723e03f0ea3a7335b0f56

      SHA512

      ebcc67bbfe667f778ddc1a5341100ae3d0afb6856c134f3d17346370280236f46b06f82b9f152a20a1c63786b7b9001e2e3f7d14bad2cc1f06daf14e6b5cd7f5

    • memory/3124-52-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

    • memory/4192-59-0x00000000052E0000-0x0000000005346000-memory.dmp

      Filesize

      408KB

    • memory/5020-45-0x0000000005150000-0x000000000517E000-memory.dmp

      Filesize

      184KB

    • memory/5020-48-0x000000000DB80000-0x000000000DC12000-memory.dmp

      Filesize

      584KB

    • memory/5020-49-0x0000000002AD0000-0x0000000002AD6000-memory.dmp

      Filesize

      24KB

    • memory/5020-47-0x000000000E090000-0x000000000E634000-memory.dmp

      Filesize

      5.6MB

    • memory/5020-46-0x000000000DA40000-0x000000000DADC000-memory.dmp

      Filesize

      624KB

    • memory/5020-44-0x00000000010D0000-0x00000000010D6000-memory.dmp

      Filesize

      24KB

    • memory/5020-43-0x00000000007E0000-0x000000000080C000-memory.dmp

      Filesize

      176KB