Overview

overview

10

Static

static

3

6449.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/01/2025, 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6449.exe

  • Size

    234KB

  • MD5

    ed9902c806bf40a5feb79ef29c4c2622

  • SHA1

    aa65fd7f5e96deb0ed647a608171e170e08393a7

  • SHA256

    da11a2056d3d8d11ed7e45772fa3ceca3495759b3c200271c12ff4a3cd9f2f93

  • SHA512

    156a71e1de65b2c825914f61d8430862e0a655bed28547e7f8e856d2f1cdab1dd20d8b8b8b390dc3b095a19d17ba8faac78f6e68fba6dace1ee6e34ddd772601

  • SSDEEP

    6144:4zWPYSc7LT8VFna9pXysJkIddwXQeYBayx4x28WQbNHx/b8ew:4z4s0Fa9IsJ3Fgg48QbNHh1w

Score
10/10
asyncratdefaultdefense_evasiondiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

hmydzmicrk

Attributes
  • delay

    1

  • install

    true

  • install_file

    NIVDIA CONTAINER.exe

  • install_folder

    %AppData%

  • pastebin_config

    https://pastebin.com/raw/1CTFVWdd

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Manipulates Digital Signatures 1 TTPs 3 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

    Payload decoded via CertUtil.

    defense_evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6449.exe
    "C:\Users\Admin\AppData\Local\Temp\6449.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS823B7D97\6449.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\certutil.exe
        CERTUTIL -f -decode "C:\Users\Admin\AppData\Local\Temp\7zS823B7D97\6449.bat" "C:\Users\Admin\AppData\Local\Temp\DJBuzzRadio.vbs"
        3⤵
        • Manipulates Digital Signatures
        • Deobfuscate/Decode Files or Information
        • System Location Discovery: System Language Discovery
        PID:2460
      • C:\Users\Admin\AppData\Local\Temp\DJBuzzRadio.vbs
        "C:\Users\Admin\AppData\Local\Temp\DJBuzzRadio.vbs"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2768
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "NIVDIA CONTAINER" /tr '"C:\Users\Admin\AppData\Roaming\NIVDIA CONTAINER.exe"' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4060
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "NIVDIA CONTAINER" /tr '"C:\Users\Admin\AppData\Roaming\NIVDIA CONTAINER.exe"'
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:212
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE8F.tmp.bat""
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1332
          • C:\Windows\system32\timeout.exe
            timeout 3
            5⤵
            • Delays execution with timeout.exe
            PID:4224
          • C:\Users\Admin\AppData\Roaming\NIVDIA CONTAINER.exe
            "C:\Users\Admin\AppData\Roaming\NIVDIA CONTAINER.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3164

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zS823B7D97\6449.bat
    Filesize

    101KB

    MD5

    5e9f5d76a2a871a9c68fd2d6eaec88ad

    SHA1

    c24473e371474556bab7460ff1a46ab2193d071f

    SHA256

    ebfb8edf383a9f3498f301db7a12b074fcfd2041c48678527f6aaafd5ce64124

    SHA512

    8a03d6ac1d1ade0c2d52f6d9ee64c5549bd2c839f56fa835d72b61615ea065a1aa3e2342315a316df8b443b074dc6618098f74b0982f7dbda6a429a8e1673700

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DJBuzzRadio.vbs
    Filesize

    74KB

    MD5

    a3829709e4516f5abaae73e643d5dc6b

    SHA1

    fd28c1adc3f900bf128827ca795dbc66f9092f7b

    SHA256

    a9777ff383269952187a6a2983e888e6010311425f5dddd98f4f8240d717456e

    SHA512

    c028a01788a62a2f8c155eb54bf58fa364159329d92f25a5f47d35c1e1d3d2cba3ad2c6d33858712ce4e897edd5f0f024264ed71b51aeb6f5d21d5af91ec6b5c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpAE8F.tmp.bat
    Filesize

    160B

    MD5

    42cc487938e5d4723438086d7ed39938

    SHA1

    f7de0c9e3137cfdd4b9896caf8ce2cbfc16079da

    SHA256

    48207f3f8d8650aa60c4248d551960b3936e092462689e911a45b31736b8789d

    SHA512

    5dd27f20a785d8dc01e7b49a24e0fa380e5bd30db2da5e640c0c955102363e50e14e12f58dc4288f8d194a53cd496716e337623d2e23c2d6c0bed452a41f208d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
    Filesize

    8B

    MD5

    cf759e4c5f14fe3eec41b87ed756cea8

    SHA1

    c27c796bb3c2fac929359563676f4ba1ffada1f5

    SHA256

    c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

    SHA512

    c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

    Download Submit

  • memory/2768-11-0x00007FFE5F5B3000-0x00007FFE5F5B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2768-13-0x0000000000FC0000-0x0000000000FD8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2768-15-0x00007FFE5F5B0000-0x00007FFE60071000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2768-21-0x00007FFE5F5B0000-0x00007FFE60071000-memory.dmp

    Filesize

    10.8MB

    Download