Overview

overview

10

Static

static

10

333.exe

windows7-x64

10

333.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20/01/2025, 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    333.exe

  • Size

    65KB

  • MD5

    5855063b0ae049847b1d9eeced51a17b

  • SHA1

    17cab3ae528d133d8f01bd8ef63b1a92f5cb23da

  • SHA256

    62f8cfee286a706856ebe02b176db9169ae776c6609c23016868887ea6b0ab98

  • SHA512

    c24970775e8da3f46763824b22fbccdbd2741836cdc3bd9966ef639db8db28cb1b888875da2babab037df6e26e5774f475f55ba10b6f354504185de4d5f4713f

  • SSDEEP

    1536:VjTDKqibq1iqHNTcNbRn8smHeC403WAx:VjTDKqibq1iqH6NbRnyt39x

Score
10/10
asyncratdefaultdefense_evasiondiscoveryexecutionratspywarestealer

Malware Config

Extracted

Family

asyncrat

Version

A 13

Botnet

Default

C2

163.172.125.253:333

Mutex

AsyncMutex_555223

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

    defense_evasion
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\333.exe
    "C:\Users\Admin\AppData\Local\Temp\333.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2532
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C schtasks /delete /tn "Windows Update Service" /f
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /delete /tn "Windows Update Service" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1240
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\bvkxhl.ps1"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Player800\xx.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2112
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\Player800\xx.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:816
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\ProgramData\Player800\xx.bat""
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1920
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks.exe /create /tn Player800 /sc minute /mo 3 /tr "C:\ProgramData\Player800\Cotrl.vbs"
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1632
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Player800\Cotrl.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\ProgramData\Player800\Cotrl.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2272
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM powershell.exe /T
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:944
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Player800\Cotrl.ps1
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:604
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\qxsrig.ps1"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1812

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Player800\Cotrl.bat
    Filesize

    126B

    MD5

    8413f11ac195ec3844e954ac45538500

    SHA1

    3e0586796f1202aca0c5f6af6c14781ec2660521

    SHA256

    e1b4f887211f1a6f6af637d98a26dba4318cf1f8500f5a17f62154d4fcca3225

    SHA512

    b7481dde45b9b4fc83731cb2b51b38c1f971b2f87c948e09f8105ab2b5dd40a16f160e529c9acd38f7f5f36cf3802c33c8e7d42235092d6770bd913d69750118

    Download Submit

  • C:\ProgramData\Player800\Cotrl.ps1
    Filesize

    172KB

    MD5

    bdefa9dbc66e6c71dea43df83551425a

    SHA1

    4e51dc57c3a6990615a84bd3895a20b65d6c917a

    SHA256

    3f3df1ff8cd87d96596cab1c8f2d46f0bb0679cce991a31a9e0d40ed559538aa

    SHA512

    6fc06e71d1b957dfe2235c779f0e82edd74a53ca89ad69d48dda040b015b97fe1c65896cc0f052a1b95cc8f5216b65475f6dc9b076c5677b11041261c8bbf4f6

    Download Submit

  • C:\ProgramData\Player800\Cotrl.vbs
    Filesize

    633B

    MD5

    0704a2ff56715d462324e74432c452c3

    SHA1

    f20f04dc68c2dd4786f24e01ab661c7eb1b0d763

    SHA256

    1adf93db95f147dc8d83a90720f746619897b7a0dd29f76d57e138a8276a52f7

    SHA512

    1d614aaf75a240430071d64b889fe7c08251821fbb7786164cc5de8e339813999c4aff385a363cf074a1562aae1799fdaaea1205aecbda6c22d5d7a8eb404494

    Download Submit

  • C:\ProgramData\Player800\xx.bat
    Filesize

    99B

    MD5

    e61680324b182019ff5c19318328af2c

    SHA1

    873bb4a2b81f547d7e96af7630b6a7ec046fadde

    SHA256

    136c19925edd50e80762854c743f995442756a24a8bbe2881eb2dd2b29e60ea1

    SHA512

    b7c032fce7ad525c6dbea1c4652f481597345bc4a44334cc53acdbd3e70f50b60a56e3a6b45d3eca449db2102815eaeef8a892e795a96211cef26ee6c834e1ab

    Download Submit

  • C:\ProgramData\Player800\xx.vbs
    Filesize

    777B

    MD5

    451b8ecc6199593ff330395bde5724b2

    SHA1

    2e64df5e6accca8e497fb16bcbbb4e44c67a6ad3

    SHA256

    6aaa311e7ea5f886df73a5058e44589272b29f5fa4ff8fb497ff6c1694042987

    SHA512

    d3f350a7cd3121940fbeba7cede07ffa49fc66466e28de9beafc1b27d3324e7a732d1cd591f86b45da30d6f61b0e7740b440afd590d20cc2dbb908678c5dc155

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabB647.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarCB40.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bvkxhl.ps1
    Filesize

    175KB

    MD5

    8e3c298bfec35470897383407038f653

    SHA1

    d231448a508649c8aa163bbc9e605bd417c3c0ff

    SHA256

    0ac77c14accd3fe938f7f7465aecf709b218d323b07c04a20e2deff0fc968dff

    SHA512

    cac0dbd264cce5ed6d37c2a54e7b8fe6120ade57e3c72fc1a92608cbc17ce0439b88eb7045c10b7ffc63892653ec19269f875b86f39b3452e36acb4a3dc39a10

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\qxsrig.ps1
    Filesize

    615B

    MD5

    eb620b32fbda807e2d3d85c9ea7e7ecf

    SHA1

    3f07ce18947ee7ac4e9395d3d99746edd6055826

    SHA256

    d089f984fe9f0794217ede2c54e90972763fc518b3059e6d28c83c2b5ab793b5

    SHA512

    a2bfd7a501cd258516a978c8d21f2a387e4b955153d1cf76c6ad5f855dc618caffa67122994672dc8f9bd49539144884476aa5182fdcf9b2239d6da477500586

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    87710c9b357759db842391af298e211f

    SHA1

    dac02d45f1a3e9143d78d7fc27b16fcd815e3faf

    SHA256

    9fbc26e71f134383aa772950b2cd0840d3af9e6cb977f225d7692e23ad42b982

    SHA512

    c479244747b47931e9d73e2fbb930a43a4ca78f24b3119a27abe31e35efbc854f42760c4e43bac984588e4e21ca9807eff7231a0cfdd762a32c64f8821b98b0a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    57776a0791a72fda606aad0e7c8d34db

    SHA1

    882d6983eb2034c9a24a111e699f14f9b4fbc0cf

    SHA256

    a1ca29900a6e3db4511811754bb9be4dc11efd678f08020cce4150e02e27d43b

    SHA512

    beab6bd408849cbc24e2fcf476ae99b5c79d7848de6667a674da694f64a91a367d26d16e44e524bab7c9c3c6f82fe6edc8bfafc9dd0b1c392311f9c2bd3e653d

    Download Submit

  • memory/1532-57-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1532-59-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1532-69-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1532-71-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1532-61-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1532-73-0x0000000074CE0000-0x00000000753CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1532-74-0x0000000074CE0000-0x00000000753CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1532-63-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1532-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1532-67-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2532-75-0x0000000000A80000-0x0000000000A8C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2532-72-0x0000000074CE0000-0x00000000753CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2532-0-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-38-0x00000000009E0000-0x00000000009EE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2532-19-0x0000000074CEE000-0x0000000074CEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-2-0x0000000074CE0000-0x00000000753CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2532-1-0x0000000000F40000-0x0000000000F56000-memory.dmp

    Filesize

    88KB

    Download