Overview

overview

10

Static

static

10

tool.exe

windows7-x64

10

tool.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/01/2025, 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tool.exe

  • Size

    45KB

  • MD5

    b84e27e5b6cef684af80c868bf0b4ba0

  • SHA1

    213d29cc30c693675911547643112d4c9a6c02d2

  • SHA256

    165289612527e1bfad340f7675a701bfe9608a3a4cfbfefe6a662574d5c05f90

  • SHA512

    3d5fb00a3793174b8f98e972c9ed7f322d1333dbda79a00676d015532e63eb69449453eda3d7e7de4d3026b49f3816ae4a12c4a2e434893d5aee52d9a3d00813

  • SSDEEP

    768:7ugPNTjgkH7F7WUHw9pmo2q7Z0R3+418iZPIXzjbag13ibiWzqrLyXDkZBgkBDZg:7ugPNTcI42B3OiWX3bN1S2UwOzkZCSdg

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Tool.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tool.exe
    "C:\Users\Admin\AppData\Local\Temp\tool.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3708
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Tool" /tr '"C:\Users\Admin\AppData\Roaming\Tool.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Tool" /tr '"C:\Users\Admin\AppData\Roaming\Tool.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2812
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCC39.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:3152
      • C:\Users\Admin\AppData\Roaming\Tool.exe
        "C:\Users\Admin\AppData\Roaming\Tool.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3024

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tool.exe.log
    Filesize

    522B

    MD5

    acc9090417037dfa2a55b46ed86e32b8

    SHA1

    53fa6fb25fb3e88c24d2027aca6ae492b2800a4d

    SHA256

    2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b

    SHA512

    d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpCC39.tmp.bat
    Filesize

    148B

    MD5

    f7307da0e711085717e7e9853b3e35e6

    SHA1

    394e93ce37a2e7eee08e221b5e0224ab6193d4df

    SHA256

    50e3dcb40877d037373f070e3a04baa4e6d1656bab5099c7cf425c7621334e41

    SHA512

    c1e57f65c7a0c672070d46c995c0549c0de53f3f7c0b94fc9bc61ab65553968645db7841f1655a75d93fe218532f21dab8f05e3b44188f27bff540496c0fd630

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Tool.exe
    Filesize

    45KB

    MD5

    b84e27e5b6cef684af80c868bf0b4ba0

    SHA1

    213d29cc30c693675911547643112d4c9a6c02d2

    SHA256

    165289612527e1bfad340f7675a701bfe9608a3a4cfbfefe6a662574d5c05f90

    SHA512

    3d5fb00a3793174b8f98e972c9ed7f322d1333dbda79a00676d015532e63eb69449453eda3d7e7de4d3026b49f3816ae4a12c4a2e434893d5aee52d9a3d00813

    Download Submit

  • memory/3024-14-0x00000000749B0000-0x0000000075160000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3024-15-0x00000000749B0000-0x0000000075160000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3708-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3708-1-0x00000000009A0000-0x00000000009B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3708-2-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3708-3-0x0000000005370000-0x000000000540C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3708-8-0x0000000074A60000-0x0000000075210000-memory.dmp

    Filesize

    7.7MB

    Download