Overview

overview

10

Static

static

10

333.exe

windows7-x64

10

333.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/01/2025, 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    333.exe

  • Size

    65KB

  • MD5

    5855063b0ae049847b1d9eeced51a17b

  • SHA1

    17cab3ae528d133d8f01bd8ef63b1a92f5cb23da

  • SHA256

    62f8cfee286a706856ebe02b176db9169ae776c6609c23016868887ea6b0ab98

  • SHA512

    c24970775e8da3f46763824b22fbccdbd2741836cdc3bd9966ef639db8db28cb1b888875da2babab037df6e26e5774f475f55ba10b6f354504185de4d5f4713f

  • SSDEEP

    1536:VjTDKqibq1iqHNTcNbRn8smHeC403WAx:VjTDKqibq1iqH6NbRnyt39x

Score
10/10
asyncratdefaultdefense_evasiondiscoveryexecutionratspywarestealer

Malware Config

Extracted

Family

asyncrat

Version

A 13

Botnet

Default

C2

163.172.125.253:333

Mutex

AsyncMutex_555223

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

A9

Botnet

Default

C2

windows-cam.casacam.net:800

Mutex

AsyncMutex_800

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Clear artifacts associated with previously established persistence like scheduletasks on a host.

    defense_evasion
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\333.exe
    "C:\Users\Admin\AppData\Local\Temp\333.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4576
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C schtasks /delete /tn "Windows Update Service" /f
        3⤵
        • Indicator Removal: Clear Persistence
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /delete /tn "Windows Update Service" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3012
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\cjwjhs.ps1"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Player800\xx.vbs"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3336
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\Player800\xx.bat
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2644
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Player800\xx.bat""
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1756
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks.exe /create /tn Player800 /sc minute /mo 3 /tr "C:\ProgramData\Player800\Cotrl.vbs"
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2500
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Player800\Cotrl.vbs"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Player800\Cotrl.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4724
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM powershell.exe /T
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2648
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\Player800\Cotrl.ps1
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:324
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:4408
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" –ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\pqjrbf.ps1"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Player800\Cotrl.bat
    Filesize

    126B

    MD5

    8413f11ac195ec3844e954ac45538500

    SHA1

    3e0586796f1202aca0c5f6af6c14781ec2660521

    SHA256

    e1b4f887211f1a6f6af637d98a26dba4318cf1f8500f5a17f62154d4fcca3225

    SHA512

    b7481dde45b9b4fc83731cb2b51b38c1f971b2f87c948e09f8105ab2b5dd40a16f160e529c9acd38f7f5f36cf3802c33c8e7d42235092d6770bd913d69750118

    Download Submit

  • C:\ProgramData\Player800\Cotrl.ps1
    Filesize

    172KB

    MD5

    bdefa9dbc66e6c71dea43df83551425a

    SHA1

    4e51dc57c3a6990615a84bd3895a20b65d6c917a

    SHA256

    3f3df1ff8cd87d96596cab1c8f2d46f0bb0679cce991a31a9e0d40ed559538aa

    SHA512

    6fc06e71d1b957dfe2235c779f0e82edd74a53ca89ad69d48dda040b015b97fe1c65896cc0f052a1b95cc8f5216b65475f6dc9b076c5677b11041261c8bbf4f6

    Download Submit

  • C:\ProgramData\Player800\Cotrl.vbs
    Filesize

    633B

    MD5

    0704a2ff56715d462324e74432c452c3

    SHA1

    f20f04dc68c2dd4786f24e01ab661c7eb1b0d763

    SHA256

    1adf93db95f147dc8d83a90720f746619897b7a0dd29f76d57e138a8276a52f7

    SHA512

    1d614aaf75a240430071d64b889fe7c08251821fbb7786164cc5de8e339813999c4aff385a363cf074a1562aae1799fdaaea1205aecbda6c22d5d7a8eb404494

    Download Submit

  • C:\ProgramData\Player800\xx.bat
    Filesize

    99B

    MD5

    e61680324b182019ff5c19318328af2c

    SHA1

    873bb4a2b81f547d7e96af7630b6a7ec046fadde

    SHA256

    136c19925edd50e80762854c743f995442756a24a8bbe2881eb2dd2b29e60ea1

    SHA512

    b7c032fce7ad525c6dbea1c4652f481597345bc4a44334cc53acdbd3e70f50b60a56e3a6b45d3eca449db2102815eaeef8a892e795a96211cef26ee6c834e1ab

    Download Submit

  • C:\ProgramData\Player800\xx.vbs
    Filesize

    777B

    MD5

    451b8ecc6199593ff330395bde5724b2

    SHA1

    2e64df5e6accca8e497fb16bcbbb4e44c67a6ad3

    SHA256

    6aaa311e7ea5f886df73a5058e44589272b29f5fa4ff8fb497ff6c1694042987

    SHA512

    d3f350a7cd3121940fbeba7cede07ffa49fc66466e28de9beafc1b27d3324e7a732d1cd591f86b45da30d6f61b0e7740b440afd590d20cc2dbb908678c5dc155

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log
    Filesize

    321B

    MD5

    08027eeee0542c93662aef98d70095e4

    SHA1

    42402c02bf4763fcd6fb0650fc13386f2eae8f9b

    SHA256

    1b9ec007ac8e7de37c61313c5e1b9444df6dc0cd9110553bfa281b13204a646d

    SHA512

    c4e7a17a1dc1f27c91791439d92435a5d750a065508e9539c9af458f21472a7ce45ba0666ef6855a00386e1a75c518d0908b82d929084a1b67ca4c65997a5979

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    0774a05ce5ee4c1af7097353c9296c62

    SHA1

    658ff96b111c21c39d7ad5f510fb72f9762114bb

    SHA256

    d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4

    SHA512

    104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    17KB

    MD5

    51317a613d8eb762e964791643e1430d

    SHA1

    116541a144432cfca6d065f5e7e280dca194fbb4

    SHA256

    aa53657735d9b8f584fbd330e7650940f8cebc9694be82ae592bd05149c7b615

    SHA512

    5db7fc67ad55cccc3c84b52764c79025b89ccd26360718316064a300cf97a69b1a563d87a253eb1535b0882f8f9efccb3895dd7affadac68fb1564f0d961b6a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    8aabb6ad5f0a9f76a139aa084c62a573

    SHA1

    8841e006ee4d3611e3bc3021eba1b5e397b77ada

    SHA256

    11014ae4ac7b58869b69be8136425c49a5662e1657fbb6f3472c470eca1c4653

    SHA512

    f66c999cde5eb921ab561cea1f2d33e9d1b85745c1690b2767a66801c6c0d75d8469b31cf302cbac4d6eb00e635cb93965e76e712b7ec70373bc5a6f75c1b9e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    a2bfecdc54ca7a77e32327a49d6ac64b

    SHA1

    ebe5fe2aa05dbd4cddd267e5337d94d38741e949

    SHA256

    20ce19b568baaabc61085366df6580b384f810bc8bc42e7cff852d072d0d28d6

    SHA512

    c1393c1b0205e7d90b9ba73b6461bea269bf2345a871775ff560704c6bee6f6de3ec83c778ee00794cf39802b2d319430f13f4735c0e1f1e26a44c0531aa7682

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vf4k1ndf.q3r.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cjwjhs.ps1
    Filesize

    175KB

    MD5

    8e3c298bfec35470897383407038f653

    SHA1

    d231448a508649c8aa163bbc9e605bd417c3c0ff

    SHA256

    0ac77c14accd3fe938f7f7465aecf709b218d323b07c04a20e2deff0fc968dff

    SHA512

    cac0dbd264cce5ed6d37c2a54e7b8fe6120ade57e3c72fc1a92608cbc17ce0439b88eb7045c10b7ffc63892653ec19269f875b86f39b3452e36acb4a3dc39a10

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pqjrbf.ps1
    Filesize

    615B

    MD5

    eb620b32fbda807e2d3d85c9ea7e7ecf

    SHA1

    3f07ce18947ee7ac4e9395d3d99746edd6055826

    SHA256

    d089f984fe9f0794217ede2c54e90972763fc518b3059e6d28c83c2b5ab793b5

    SHA512

    a2bfd7a501cd258516a978c8d21f2a387e4b955153d1cf76c6ad5f855dc618caffa67122994672dc8f9bd49539144884476aa5182fdcf9b2239d6da477500586

    Download Submit

  • memory/324-70-0x0000000005F00000-0x0000000006254000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/324-72-0x0000000006AE0000-0x0000000006B2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/324-99-0x0000000007710000-0x000000000771C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2220-36-0x0000000005C30000-0x0000000005F84000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2220-43-0x0000000008480000-0x0000000008AFA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2220-22-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2220-23-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2220-24-0x00000000053A0000-0x00000000059C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2220-25-0x0000000005AB0000-0x0000000005AD2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2220-26-0x0000000005B50000-0x0000000005BB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2220-58-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2220-21-0x0000000002900000-0x0000000002936000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2220-37-0x00000000061F0000-0x000000000620E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2220-38-0x0000000006230000-0x000000000627C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2220-49-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2220-40-0x0000000006810000-0x00000000068A6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2220-41-0x0000000006700000-0x000000000671A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2220-42-0x0000000006770000-0x0000000006792000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2384-16-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2384-18-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2384-15-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4408-100-0x0000000000400000-0x0000000000416000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4576-10-0x00000000751FE000-0x00000000751FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4576-8-0x0000000006D90000-0x0000000006E2C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4576-13-0x0000000006D60000-0x0000000006D6E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4576-12-0x0000000007760000-0x00000000077D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4576-11-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4576-19-0x00000000077E0000-0x00000000077EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4576-9-0x0000000006E30000-0x0000000006E96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4576-14-0x0000000007720000-0x000000000773E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4576-5-0x0000000005D00000-0x0000000005D0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4576-4-0x0000000005D10000-0x0000000005DA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4576-3-0x0000000006100000-0x00000000066A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4576-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4576-2-0x00000000751F0000-0x00000000759A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4576-1-0x0000000000F50000-0x0000000000F66000-memory.dmp

    Filesize

    88KB

    Download