Resubmissions

  Submitted           Analysis ID          Score
  17-01-2025 15:11    250117-sk4kzssrhv    10
  17-01-2025 15:09    250117-sjgd3asrbs    10
  17-01-2025 15:07    250117-shlbmasqgv    10
  17-01-2025 14:27    250117-rsndas1pgx    10
  16-01-2025 17:37    250116-v7e71s1ncy    10
  16-01-2025 17:30    250116-v27eba1lew    10
  16-01-2025 17:29    250116-v232ws1let    3
  16-01-2025 17:29    250116-v21lrs1ldz    3
  16-01-2025 17:27    250116-v1g32a1qfk    10
  16-01-2025 09:47    250116-lsajjsvrgn    10

Analysis

  • max time kernel
    41s
  • max time network
    40s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    17-01-2025 15:11

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

  • Family
    asyncrat
  • Version
    Venom RAT + HVNC + Stealer + Grabber v6.0.3
  • Botnet
    Default
  • C2
    3.70.228.168:555
  • Mutex
    bslxturcmlpmyqrv
  • Attributes
    • delay
      1
    • install
      true
    • install_file
      atat.exe
    • install_folder
      %AppData%
  • aes.plain

Extracted

  • Family
    quasar
  • Version
    1.4.1
  • Botnet
    ZJEB
  • C2
    VIPEEK1990-25013.portmap.host:25013
  • Mutex
    ebef1e3c-805b-4b1a-aa24-bf4dcab44476
  • Attributes
    • encryption_key
      3EBA8BC34FA983893A9B07B831E7CEB183F7492D
    • install_name
      Client.exe
    • log_directory
      Logs
    • reconnect_delay
      3000
    • startup_key
      Windows Security Service
    • subdirectory
      SubDir

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool, written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems. In this run the tagged command is ping -n 10 localhost, which the dropped batch files use as a roughly ten-second delay before relaunching the payload rather than as a connectivity check.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 4 IoCs
  • Runs ping.exe 1 TTPs 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
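
The scheduled-task persistence flagged above (logon trigger, /rl highest, action under %AppData%) leaves an XML definition under C:\Windows\System32\Tasks that a responder can triage offline, without the sandbox. The following is an added example, not part of this report or of the sandbox's own tooling: the task definitions it scans are constructed to mirror the two schtasks commands in the process tree; the BackupNightly control task, the simplified trigger elements, the Tasks-directory walk and the flagging rule are assumptions for illustration.

```python
r"""Triage of on-disk Task Scheduler definitions for the pattern this report
flags: a logon trigger, RunLevel HighestAvailable, and an action that runs
from a user-writable path. Added example, not part of the sandbox report.
On a live host the definitions are XML files under C:\Windows\System32\Tasks;
SAMPLE_TASKS below is constructed to mirror what the two schtasks commands
in the report would create, plus one benign task for contrast."""
import os
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by Task version 1.x definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a non-admin user can write to; a logon task executing from here
# deserves a look, while vendor paths under Program Files usually do not.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)


def _task_xml(trigger, run_level, command):
    """Build a minimal task definition (constructed sample, not a real file;
    real definitions carry more elements, the ones read below are standard)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers>{trigger}</Triggers>"
        f'<Principals><Principal id="Author"><RunLevel>{run_level}</RunLevel></Principal></Principals>'
        f'<Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>'
        "</Task>"
    )


LOGON = "<LogonTrigger><Enabled>true</Enabled></LogonTrigger>"
DAILY = "<CalendarTrigger><Enabled>true</Enabled></CalendarTrigger>"  # simplified

SAMPLE_TASKS = {
    # schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr ...\atat.exe
    "atat": _task_xml(LOGON, "HighestAvailable", r"C:\Users\Admin\AppData\Roaming\atat.exe"),
    # schtasks /create /tn "Windows Security Service" /sc ONLOGON /tr ...\Client.exe /rl HIGHEST
    "Windows Security Service": _task_xml(
        LOGON, "HighestAvailable", r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"),
    # Assumed benign control task: calendar trigger, least privilege, vendor path.
    "BackupNightly": _task_xml(DAILY, "LeastPrivilege", r"C:\Program Files\Backup\backup.exe"),
}


def _triage_root(name, root):
    """Pull out the three properties a responder cares about and give a verdict."""
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    commands = [(c.text or "").strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    from_user_path = [c for c in commands if USER_WRITABLE.search(c)]
    reasons = []
    if logon:
        reasons.append("logon trigger")
    if run_level == "HighestAvailable":
        reasons.append("runs elevated")
    if from_user_path:
        reasons.append("action in user-writable path")
    return {
        "name": name,
        "commands": commands,
        "reasons": reasons,
        # A user-writable action is required; logon trigger or elevation confirms it.
        "flagged": bool(from_user_path) and (logon or run_level == "HighestAvailable"),
    }


def triage_task(name, xml_text):
    """Triage a single definition given as XML text (no XML declaration)."""
    return _triage_root(name, ET.fromstring(xml_text))


def triage_samples():
    """Run the triage over the constructed samples above."""
    return [triage_task(n, x) for n, x in SAMPLE_TASKS.items()]


def scan_tasks_dir(root_dir=r"C:\Windows\System32\Tasks"):
    """Walk a real Tasks directory; files are UTF-16 XML, which ET.parse
    handles when reading from disk. Non-task entries are skipped."""
    results = []
    for dirpath, _, files in os.walk(root_dir):
        for f in files:
            try:
                results.append(_triage_root(f, ET.parse(os.path.join(dirpath, f)).getroot()))
            except ET.ParseError:
                continue
    return results


if __name__ == "__main__":
    for r in triage_samples():
        print("FLAG " if r["flagged"] else "ok   ", r["name"], r["reasons"], r["commands"])
```

Run it as-is to see the two report tasks flagged and the control task pass; on a compromised host call scan_tasks_dir() instead and review the flagged entries' commands against the dropped-file hashes listed under Downloads.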

Processes

  • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Users\Admin\AppData\Local\Temp\Files\aa.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\aa.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1752
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"'
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:712
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB585.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Windows\system32\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:1060
        • C:\Users\Admin\AppData\Roaming\atat.exe
          "C:\Users\Admin\AppData\Roaming\atat.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:816
    • C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2000
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DHiB9LH2V5Fr.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4952
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
          PID:4604
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2392
        • C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe
          "C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:888
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4644
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Z0fBlXJUnUTy.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3980
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:4968
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4372
            • C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe
              "C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2216
              • C:\Windows\SYSTEM32\schtasks.exe
                "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                7⤵
                • Scheduled Task/Job: Scheduled Task
                PID:2144
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4BDYm5oFSF0H.bat" "
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4012
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  8⤵
                  PID:1364
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1656
                • C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe
                  "C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1064
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    9⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:2772
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9v0Y8v6AnJkK.bat" "
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3568
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      10⤵
                      PID:4744
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      10⤵
                      • System Network Configuration Discovery: Internet Connection Discovery
                      • Runs ping.exe
                      PID:1988
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3636
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:3384
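
The process tree above is the shape of telemetry a detection rule runs over: each command line is attributable to a parent, and the two chains (aa.exe installing atat.exe via a scheduled task and a timeout batch; sharpmonoinjector.exe creating the "Windows Security Service" task and relaunching itself through a chcp/ping batch) are repeated on every hop. The following is an added example, not part of this report or its sandbox: it reconstructs parent/child links from process-creation events constructed from the command lines shown here and flags both behaviours. The ProcEvent records, the parent PID 0 for the first process (not given in the report), the user-writable path list and the regular expressions are assumptions of this example.

```python
"""Detection over process-creation events for the two behaviours in the
process tree above: (1) schtasks creating a logon task, elevated, whose
action lives in a user-writable directory, and (2) cmd.exe running a .bat
from Temp that sleeps (timeout / ping localhost) and then starts the payload
again. Added example, not part of the sandbox report; EVENTS is constructed
from the report's command lines and stands in for EDR/Sysmon telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


T = r"C:\Users\Admin\AppData\Local\Temp"
R = r"C:\Users\Admin\AppData\Roaming"
ATAT_TASK = r"""schtasks /create /f /sc onlogon /rl highest /tn "atat" /tr '"C:\Users\Admin\AppData\Roaming\atat.exe"'"""
QUASAR_TASK = r'"schtasks" /create /tn "Windows Security Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'

# Constructed from the report's process tree (first hop of each chain only);
# ppid 0 for the initial sample is an assumption, the report does not show it.
EVENTS = [
    ProcEvent(2588, 0, rf"{T}\4363463463464363463463463.exe", rf'"{T}\4363463463464363463463463.exe"'),
    ProcEvent(1004, 2588, rf"{T}\Files\aa.exe", rf'"{T}\Files\aa.exe"'),
    ProcEvent(1752, 1004, r"C:\Windows\System32\cmd.exe", rf'"C:\Windows\System32\cmd.exe" /c {ATAT_TASK} & exit'),
    ProcEvent(712, 1752, r"C:\Windows\system32\schtasks.exe", ATAT_TASK),
    ProcEvent(956, 1004, r"C:\Windows\system32\cmd.exe", rf'C:\Windows\system32\cmd.exe /c ""{T}\tmpB585.tmp.bat""'),
    ProcEvent(1060, 956, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    ProcEvent(816, 956, rf"{R}\atat.exe", rf'"{R}\atat.exe"'),
    ProcEvent(4108, 2588, rf"{T}\Files\sharpmonoinjector.exe", rf'"{T}\Files\sharpmonoinjector.exe"'),
    ProcEvent(2000, 4108, r"C:\Windows\SYSTEM32\schtasks.exe", QUASAR_TASK),
    ProcEvent(4952, 4108, r"C:\Windows\system32\cmd.exe", rf'C:\Windows\system32\cmd.exe /c ""{T}\DHiB9LH2V5Fr.bat" "'),
    ProcEvent(4604, 4952, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(2392, 4952, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(888, 4952, rf"{T}\Files\sharpmonoinjector.exe", rf'"{T}\Files\sharpmonoinjector.exe"'),
]

# /tr may be wrapped in "...", '...' or '"..."' as the two samples show.
TR_ARG = re.compile(r"/tr\s+['\"]*([^'\"]+)", re.I)
TN_ARG = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
TEMP_BAT = re.compile(r"\\Temp\\[^\"\s]+\.bat\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
SLEEP_BINARIES = ("timeout.exe", "ping.exe")


def find_schtasks_persistence(events):
    """Rule 1: schtasks /create whose action runs from a user-writable path."""
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("schtasks.exe"):
            continue
        if not re.search(r"/create\b", ev.cmdline, re.I):
            continue
        tr = TR_ARG.search(ev.cmdline)
        target = tr.group(1).strip() if tr else ""
        if not USER_WRITABLE.search(target):
            continue
        tn = TN_ARG.search(ev.cmdline)
        hits.append({
            "pid": ev.pid,
            "task": (tn.group(1) or tn.group(2)) if tn else "",
            "target": target,
            "onlogon": bool(re.search(r"/sc\s+onlogon\b", ev.cmdline, re.I)),
            "elevated": bool(re.search(r"/rl\s+highest\b", ev.cmdline, re.I)),
        })
    return hits


def find_batch_relaunch(events):
    """Rule 2: cmd.exe running a Temp .bat whose children include a sleep
    (timeout.exe / ping.exe) and an EXE started from a user-writable path."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("cmd.exe"):
            continue
        bat = TEMP_BAT.search(ev.cmdline)
        if not bat:
            continue
        kids = children[ev.pid]
        sleeps = [k for k in kids if k.image.lower().endswith(SLEEP_BINARIES)]
        launched = [k for k in kids
                    if k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image)]
        if sleeps and launched:
            hits.append({"cmd_pid": ev.pid, "batch": bat.group(0),
                         "sleep": [k.cmdline for k in sleeps],
                         "relaunch": [k.image for k in launched]})
    return hits


if __name__ == "__main__":
    for h in find_schtasks_persistence(EVENTS):
        print("PERSISTENCE   ", h)
    for h in find_batch_relaunch(EVENTS):
        print("BATCH-RELAUNCH", h)
```

Rule 1 keys on the schtasks.exe process itself rather than the cmd.exe wrapper so each task is reported once; rule 2 needs parent/child links, which is why the events carry a ppid. Feeding the deeper hops of the tree (PIDs 3980, 4012, 3568) produces the same two hit types again, which is the repetition a responder would expect from Quasar's restart batch.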

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sharpmonoinjector.exe.log

            Filesize

            2KB

            MD5

            15eab799098760706ed95d314e75449d

            SHA1

            273fb07e40148d5c267ca53f958c5075d24c4444

            SHA256

            45030bd997f50bb52c481f7bc86fac5f375d08911bcc106b98d9d8f0c2ce9778

            SHA512

            50c125e2a98740db0a0122d7f4de97c50d84623e800b3d3e173049c8e28ff0fbe4add7677bc56cb2228f78ed17522f67ae8f1b85f62824012414ce38ce0b500c

          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f11dd89a-461b-499b-9a6b-41457b8b10ac.down_data

            Filesize

            555KB

            MD5

            5683c0028832cae4ef93ca39c8ac5029

            SHA1

            248755e4e1db552e0b6f8651b04ca6d1b31a86fb

            SHA256

            855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

            SHA512

            aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

          • C:\Users\Admin\AppData\Local\Temp\4BDYm5oFSF0H.bat

            Filesize

            220B

            MD5

            9946dc95cc6b5735db710694505c8a87

            SHA1

            95a90de240a7934edce2452dfb0a93c37164a251

            SHA256

            fef560a597d5b670820bb95347525bfa8f1c8e3937bd99737cac998e378fab64

            SHA512

            52426598b6c3d9365a7ff0b53029a5ba3ef909e52f2329fec1485c4bab450cfcba13f7c5d3a4e0772838aa105d12d1b576ab21c61f0a11330651f712d1e4b1b1

          • C:\Users\Admin\AppData\Local\Temp\9v0Y8v6AnJkK.bat

            Filesize

            220B

            MD5

            ce8891bfc3c6561a30fbebcf6e886b22

            SHA1

            629f0de37764d953085c65cb1197513fdff86b47

            SHA256

            ebf26943d228c6cbea422f38412d4178a61806909616ed57ad2e8c1606d8c0c7

            SHA512

            01fc9a7fe92355829f59bfb5460ec07d29939fd82b1eaa82ac7772a2772b09ecb5c5f4725ad0bdb8c9c411e650639ecc8c69e33ae965495b2ebb839cc7f8ad5b

          • C:\Users\Admin\AppData\Local\Temp\DHiB9LH2V5Fr.bat

            Filesize

            220B

            MD5

            b56403e62b72b2dcd0e02319af3bb096

            SHA1

            9a5094b5da8e812d3b6839765dfdc4f160984e30

            SHA256

            d5e29b1ce943a1e20d282e614ad31468478bfdfaf823b167fa06cdc2c510eca5

            SHA512

            8ac39aa4649fbade873093b2baec623dffad63f78dfaa2230be5ea50723bff6ca5f4c4a3c67b640ccc63fe75fae83732703f47b267480b159a6b88973c29a37a

          • C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

            Filesize

            234KB

            MD5

            78e7a32731086faee404f1c5cd377eff

            SHA1

            d1da93fca0ee3f48ed47b1fabaa055ff11fff341

            SHA256

            2a165e0c7af2d0c8c3e11ef615914be84c1683afc4f0dc537459838f520a0094

            SHA512

            7705c104cb41b46a939c77a1942b94eb825df157710fdee59bfb8f1e43823bd8b8a81e7051c78f0a0c0a59198d78836931f6b2b4582e438607285681dce14e61

          • C:\Users\Admin\AppData\Local\Temp\Files\aa.exe

            Filesize

            74KB

            MD5

            447523b766e4c76092414a6b42080308

            SHA1

            f4218ea7e227bde410f5cbd6b26efd637fc35886

            SHA256

            3e7eb033eaf54c89f14d322597e377be7fd69f9c300f5be0e670b675d2a1a568

            SHA512

            98b68c743d8aab5b9cb0aad2331ab24673e425fbe68ad0ede2f3aafc1394879f8a05c7db5393b3ef3b8c2d21674a35f90c275558f43cdf983d03d995151ec2f9

          • C:\Users\Admin\AppData\Local\Temp\Files\sharpmonoinjector.exe

            Filesize

            3.1MB

            MD5

            4522bc113a6f5b984e9ffac278f9f064

            SHA1

            392ec955d7b5c5da965f7af9f929b89c33409b03

            SHA256

            2b38fa923237a10bbc09ba4808fd0e1f56f39a3de2bb0cfc11a591cdaddf7d58

            SHA512

            c0980d621a154adb63bdb8a4e7adc863a40d1af8d98d18bd0671fc07721639d66b10d471d4dddc0e78cc127d4c0429f3084618f227919e4a552d6de4ee7793ff

          • C:\Users\Admin\AppData\Local\Temp\Z0fBlXJUnUTy.bat

            Filesize

            220B

            MD5

            952610cb4c4f107f9c91964fd57d8d26

            SHA1

            ec434b112f91e3cd7c38f8b1899a2b73d18d344b

            SHA256

            743d9112d9654c129a85c982ee3339cfe6187064ca4e6872336455c4fd335eab

            SHA512

            d569274f841404cc1c4c6778b2132cb179d03eb19ca4853a15575cf57fe531776d20724ae9574e10ad75f11ff6087986f2b5c2e0a3ac905cc06a09e89ee4e8e9

          • C:\Users\Admin\AppData\Local\Temp\tmpB585.tmp.bat

            Filesize

            148B

            MD5

            cd2f3c96f9074181b8e4c68b301f0790

            SHA1

            fd197af6a5b95cf06b90b6647cc198566ffe92ca

            SHA256

            5971d60745a119669afbe99abd65daa01e9256c07fd59f6af125f9489d93d982

            SHA512

            ec38cec4e39916b162c1e82ed7b80d3818ddedd806265bf3a52a2c02ec34e0f953b715d099dea00e748bb39d5d9fac0563a192015905621c3dc69e6d15861626

          • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

            Filesize

            8B

            MD5

            cf759e4c5f14fe3eec41b87ed756cea8

            SHA1

            c27c796bb3c2fac929359563676f4ba1ffada1f5

            SHA256

            c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

            SHA512

            c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

          • memory/1004-45-0x00007FFFEE620000-0x00007FFFEF0E2000-memory.dmp

            Filesize

            10.8MB

          • memory/1004-25-0x0000000000350000-0x0000000000368000-memory.dmp

            Filesize

            96KB

          • memory/1004-24-0x00007FFFEE623000-0x00007FFFEE625000-memory.dmp

            Filesize

            8KB

          • memory/1004-27-0x00007FFFEE620000-0x00007FFFEF0E2000-memory.dmp

            Filesize

            10.8MB

          • memory/2588-1-0x00000000008E0000-0x00000000008E8000-memory.dmp

            Filesize

            32KB

          • memory/2588-47-0x000000007487E000-0x000000007487F000-memory.dmp

            Filesize

            4KB

          • memory/2588-0-0x000000007487E000-0x000000007487F000-memory.dmp

            Filesize

            4KB

          • memory/2588-2-0x0000000005370000-0x000000000540C000-memory.dmp

            Filesize

            624KB

          • memory/2588-54-0x0000000074870000-0x0000000075021000-memory.dmp

            Filesize

            7.7MB

          • memory/2588-3-0x0000000074870000-0x0000000075021000-memory.dmp

            Filesize

            7.7MB

          • memory/4108-48-0x000000001BBF0000-0x000000001BC40000-memory.dmp

            Filesize

            320KB

          • memory/4108-40-0x0000000000080000-0x00000000003A4000-memory.dmp

            Filesize

            3.1MB

          • memory/4108-55-0x00007FFFEE620000-0x00007FFFEF0E2000-memory.dmp

            Filesize

            10.8MB

          • memory/4108-49-0x000000001BD00000-0x000000001BDB2000-memory.dmp

            Filesize

            712KB

          • memory/4108-39-0x00007FFFEE620000-0x00007FFFEF0E2000-memory.dmp

            Filesize

            10.8MB