Overview

overview

10

Static

static

3

00f0c2f368...c9.exe

windows7-x64

10

00f0c2f368...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-01-2025 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe

  • Size

    6.1MB

  • MD5

    192bcd791eac82426c69c1496d9059e5

  • SHA1

    036019f9b93f2b2cb80fa251fe769203994e0ae2

  • SHA256

    00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9

  • SHA512

    e774a0a47ec7931a1928ac22f54c65089a340e24cb87fd9b59cf64e8ad203e0bd904da997318ff5c9f0aceddce70dfa415bfae053d97db374adff7cbbe03d3e0

  • SSDEEP

    98304:66nonNZnR83jP+0g/7/DXj6Bi/cwIofEbo4P4HwsffoOX1g8:6WATR8zP/gD/DfP7WqfoOq8

Score
10/10
asyncratgurcumetasploitdefaultbackdoordefense_evasiondiscoveryratstealertrojan

Malware Config

Extracted

Family

metasploit

Version

metasploit_stager

C2

5.75.234.8:5050

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

51.89.44.68:8848

Mutex

etb3t1tr5n

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7694252704:AAGfHKTqga3d5HbNfwWi6gV-IxgHteCjH7w/getM

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Gurcu family
    gurcu
  • Gurcu, WhiteSnake

    Gurcu aka WhiteSnake is a malware stealer written in C#.

    stealergurcu
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Metasploit family
    metasploit
  • Async RAT payload 1 IoCs
    rat
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe
    "C:\Users\Admin\AppData\Local\Temp\00f0c2f3687ab8bf0990084d1e3af62246005c32084fa598aca1d65bdc0740c9.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAawByACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdgBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAdgBnACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:720
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      PID:1588
    • C:\Users\Admin\AppData\Local\Temp\CRInjector.exe
      "C:\Users\Admin\AppData\Local\Temp\CRInjector.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Users\Admin\AppData\Local\Temp\build.exe
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4464
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:396
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2200
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7693748-7d0c-4089-ac30-7f55204bde2e.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3036
          • C:\Windows\system32\chcp.com
            chcp 65001
            5⤵
              PID:4656
            • C:\Windows\system32\taskkill.exe
              taskkill /F /PID 4464
              5⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4008
            • C:\Windows\system32\timeout.exe
              timeout /T 2 /NOBREAK
              5⤵
              • Delays execution with timeout.exe
              PID:2844
        • C:\Users\Admin\AppData\Local\Temp\cr.exe
          "C:\Users\Admin\AppData\Local\Temp\cr.exe"
          3⤵
          • Executes dropped EXE
          PID:4640

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\CRInjector.exe
      Filesize

      6.1MB

      MD5

      1d0ddf1ad8614ed2bf87a911d3191880

      SHA1

      137566648a65e7627ca26e8c6fc5712b4b46a54c

      SHA256

      e6426e2874c427878a7aa4b1c771f72cfcf4d97da189c7f1c7eba802d412af96

      SHA512

      d91c1840094ab7cf1686b1df53e55fc7bf45a14da4526f396776d7ac3340c5d6f82cf56464fa87d2f0320a4d060644c463ef3eb110d8ebb355df312a46e25051

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log
      Filesize

      1KB

      MD5

      cb79d387235b54ab495ae5a7b6649bd4

      SHA1

      ecc88e25afdae71a596aa6570eb7efa686343790

      SHA256

      ab6a9f27449f428136f927bd4d7318223ac3b963921b7d8e5953e89b388f1cc6

      SHA512

      faa84bfbc0a308bf821677b6f91afdf86452ca6d8e58667e88957244dc60a0ea79973de874255ca515ff875509f2231d628d974fea661fa56a3c0e970deb6ee3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log
      Filesize

      2KB

      MD5

      9c9213c9c3eb7d794eab240b36a20a92

      SHA1

      2794d7e4f32127d7a2281b44dcc01eec747d887c

      SHA256

      667a03fabd69191b61dae3b9ab0ce95be6ba34f3c51db315dd58471783116b99

      SHA512

      78f67db6d8a75b14fac4e4ec913c4e087a9d3c74df2aa9a5d336101b89ad8c939f95dbf5020bf031a1c157e6383a5702494b0624a257026f22a9f72ae09f8847

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log
      Filesize

      690B

      MD5

      47da5429c9920236391b4f2bb9822c0e

      SHA1

      1ee0f3cfbb10e9076cdf44d45b66538ee402d9f3

      SHA256

      cba5145c15e33ef65ad976c9e039f6c230348d09d8ac3f58e06bba826e6dfae0

      SHA512

      cc5e1af27d24674bac7d23b0c546c1b698dc312d7be75b978ece97e2dfaeba516838aeb1f702cab55c88986b035589757abe38ef29f0257dda32644b54cbb894

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixq4kx52.1a5.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\b7693748-7d0c-4089-ac30-7f55204bde2e.bat
      Filesize

      152B

      MD5

      eddc4e6e5bb60014f81d8521f6a6c327

      SHA1

      8afa6e42b795c95a3f83a1d7b241c7d659a372d8

      SHA256

      2212dd1bbfbf737a50ea9c9681ef65afceb2690883358ab14acfdd708851d87f

      SHA512

      4d5942e8ce4028bd8987afea8fbac245b4bbe814e6a4183a919c90dbf49a301bdb564be33e979a334df4fb1f357cbf155f5612baf1f0b9f53cb0895dc1030ac8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\build.exe
      Filesize

      6.1MB

      MD5

      2270f282eea0a6f4f9281a9fa22643e8

      SHA1

      809c81c4a672704b281cd4a858cac8a10df26207

      SHA256

      a23477faa272984c38dbf7533dcab6c12395a2a32845910ba1c2cccb6797880d

      SHA512

      4e9e33d34f51ab7940f686733959ce3b06e1fffe1418bd44be60b1f31762aa2f9eccaa8ec7525d496f0c50160c32252008b74f813ddbc1f4b9bc42c64a22416c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cr.exe
      Filesize

      23KB

      MD5

      84132b6ff67a2edc0086641076cbe74c

      SHA1

      82e5b836b6003635fb2c98a4851789ab093dfd30

      SHA256

      6061e0a08600cb5beb394bffd3ddfecd1699406f6709c7413962cb3881d845cf

      SHA512

      5096ffeb7f071a5811dca9a6088a99cdbb52240177094eaf9ecef9be27c84e46f4f56f197c0badd76f38cc79d5cbca68faea64c8060e589eab5d7e1dc7552548

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Filesize

      7KB

      MD5

      073d78ce1468ecbeedc0afecb126e6cd

      SHA1

      5ea217f44b9775effac3c44da2d551294923ae9f

      SHA256

      8bdcaef5756f0e60fdb0fb0c71bff9ff6631b5ad74c3d04614cb09bc83d25c31

      SHA512

      78ffc25e65100488487411582b3d4d732d50ee17daedc84eb1ada44d12a708eb4cf6eb97c9772f74057ae6cc011b4358c454169d87156cd1295a4748162908e0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      63KB

      MD5

      67ca41c73d556cc4cfc67fc5b425bbbd

      SHA1

      ada7f812cd581c493630eca83bf38c0f8b32b186

      SHA256

      23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b

      SHA512

      0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

      Download Submit

    • memory/396-94-0x00000000000F0000-0x0000000000106000-memory.dmp

      Filesize

      88KB

      Download

    • memory/720-31-0x0000000005CD0000-0x0000000005D36000-memory.dmp

      Filesize

      408KB

      Download

    • memory/720-72-0x00000000078C0000-0x0000000007956000-memory.dmp

      Filesize

      600KB

      Download

    • memory/720-51-0x0000000005D40000-0x0000000006094000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/720-17-0x000000007369E000-0x000000007369F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/720-54-0x0000000006310000-0x000000000632E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/720-55-0x0000000006360000-0x00000000063AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/720-67-0x00000000068F0000-0x000000000690E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/720-57-0x0000000075260000-0x00000000752AC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/720-56-0x00000000072D0000-0x0000000007302000-memory.dmp

      Filesize

      200KB

      Download

    • memory/720-68-0x0000000007310000-0x00000000073B3000-memory.dmp

      Filesize

      652KB

      Download

    • memory/720-69-0x0000000007CE0000-0x000000000835A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/720-70-0x0000000007630000-0x000000000764A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/720-71-0x00000000076C0000-0x00000000076CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/720-30-0x0000000005C60000-0x0000000005CC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/720-73-0x0000000007840000-0x0000000007851000-memory.dmp

      Filesize

      68KB

      Download

    • memory/720-29-0x0000000005350000-0x0000000005372000-memory.dmp

      Filesize

      136KB

      Download

    • memory/720-23-0x0000000005630000-0x0000000005C58000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/720-95-0x0000000007880000-0x000000000788E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/720-20-0x0000000073690000-0x0000000073E40000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/720-96-0x0000000007890000-0x00000000078A4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/720-97-0x0000000007980000-0x000000000799A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/720-98-0x0000000007960000-0x0000000007968000-memory.dmp

      Filesize

      32KB

      Download

    • memory/720-102-0x0000000073690000-0x0000000073E40000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/720-19-0x0000000002D40000-0x0000000002D76000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1588-9-0x0000000140000000-0x0000000140004278-memory.dmp

      Filesize

      16KB

      Download

    • memory/4464-52-0x000002173D5B0000-0x000002173DBC6000-memory.dmp

      Filesize

      6.1MB

      Download