Resubmissions
14-02-2025 01:10
250214-bjsnnayne1 1014-02-2025 01:00
250214-bc5pmsymhw 1013-02-2025 05:01
250213-fnkwtstpgw 1013-02-2025 04:24
250213-e1kk6atmaz 1013-02-2025 04:08
250213-eqe8patkgx 812-02-2025 23:56
250212-3yzt3azrdx 1012-02-2025 23:44
250212-3rgd5szmbm 1012-02-2025 23:19
250212-3a9dlazkep 1012-02-2025 13:32
250212-qs211ssrfr 10Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20250211-en -
resource tags
-
submitted
14-02-2025 01:00
General
-
Target
4363463463464363463463463.exe
-
Size
10KB
-
MD5
2a94f3960c58c6e70826495f76d00b85
-
SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
-
SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
-
SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
-
SSDEEP
192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config
Extracted
asyncrat
0.5.8
Default
14.243.221.170:3322
ynBzTukwLg8N
-
delay
3
-
install
false
-
install_file
Clean.bat
-
install_folder
%Temp%
Extracted
stealc
QQtalk
http://154.216.17.90
-
url_path
/a48146f6763ef3af.php
Extracted
amadey
5.03
7c4393
http://185.215.113.217
-
install_dir
f9c76c1660
-
install_file
corept.exe
-
strings_key
9808a67f01d2f0720518035acbde7521
-
url_paths
/CoreOPT/index.php
Extracted
stealerium
https://api.telegram.org/bot6926474815:AAFx9tLAnf5OAVQZp2teS3G2_6T1wCP67xM/sendMessage?chat_id=-4224073938
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Amadey family
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Stealc
Stealc is an infostealer written in C++.
-
Stealc family
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Stealerium family
-
Async RAT payload 1 IoCs
-
Downloads MZ/PE file 6 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files\TCP.exe"C:\Users\Admin\AppData\Local\Temp\Files\TCP.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\Files\plrifjidicfid.exe"C:\Users\Admin\AppData\Local\Temp\Files\plrifjidicfid.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Files\Wallet-PrivateKey.Pdf.exe"C:\Users\Admin\AppData\Local\Temp\Files\Wallet-PrivateKey.Pdf.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe"C:\Users\Admin\AppData\Local\Temp\SecurityHealthHost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f54de641-b5f1-487d-994f-cde4236f1e51.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 8006⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\timeout.exetimeout /T 2 /NOBREAK6⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\random.exe"C:\Users\Admin\AppData\Local\Temp\Files\random.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Files\perviy.exe"C:\Users\Admin\AppData\Local\Temp\Files\perviy.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QUEyRDQ2QTUtQkEwMS00Q0E0LUIzMEMtNzcwMkRENzkxMkExfSIgdXNlcmlkPSJ7Q0QwMkFFMUUtRDUxMS00ODIzLTg0NEEtNTk4RkJFNkREMTVGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjAyMUJCRTQtNzQxOS00MTc5LTlGREYtQjRERkQzNEMxMUJGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjIiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ3OTY3Mzg4NzUiLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Drops startup file
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD59918786300ad8c717995d228a3239f40
SHA1d2eaabdad2ae7975eda10ca4b164aa03ff40e90c
SHA25698ef46a27db3af45c6a72f04826f6eef615a427f48caae9ccce6ed94a788a3e5
SHA512d4d43b9a896b8c8029b7a159af96135cfcdf2fb9a1eca4e5c657beee3fd1226d355eba78ac883c89bef5efef179b8609ef9ecf173991b724118339d831e9a040
-
Filesize
63KB
MD58e195a05808b604246ac1b67766767af
SHA18a6ad7a4c6feab1b532a915f75996b96e1ae1893
SHA256c979cd46da2dc655bd08fc0181ecaa20e2b276f5ca44aa0717bdf4b9cabce388
SHA51284f3621ae8bb7ddf6ee224361df9819654cff7a691e2069b5ebba3d7d8be44c0ad68913bbf9d076ac85cefaa3fa58cbd8a75990f23d1f2dabe0e43e76da1c1b8
-
Filesize
45KB
MD5f127aef5829703426ff8399a76c1852c
SHA117e72d081ceb20119abe7bef8c640d5db48276f6
SHA2566907ab3a0f4e69bf6dcb8c03a18bd8402afa701ade8863a0e15808614ffb1b17
SHA512c3125920567b59119b86e284ed96c3860b1998f9d6b6078b5c2a18aa6b4c56274124fd2f77710bbbf972a6387ef20cb4a5d19c96be2131fb02f6d5692c2384c0
-
Filesize
107KB
MD5036ba72c9c4cf36bda1dc440d537af3c
SHA13c10ef9932ffc206a586fe5768879bf078e9ebeb
SHA256bb41ae95f911a55ab1101ca7854918ec0f23548376d4846a2176b9c289102114
SHA512c7e8c37787b759bca7fb6d02692c0263d6c60f606ee52e890f3c177dabd00ac6305cd43056164f6e16fbc18046a8c4226172f295ebc85e310ea7e52878d5137d
-
Filesize
239KB
MD523ad8a022dd0138e14615a93b01d87da
SHA18c8d2b1d1c8006410fab2111b56ab55e0d55eb8b
SHA256fbb5cee6f3ee4ca8643b64da8d85e2aee256199f009d195d8b776cf0445e4b91
SHA512c1889f29d8813b4853a688900c461a6f45950038387069176fc8950ba44f6c53705a39fdc09dfdd32979cd3f12790898fe505ea3c725f55413b4b3234e545c86
-
Filesize
105KB
MD5b56db4ebf7110c1083550ed83a03df17
SHA1258b171956d961a628efa6433f8cb3f629a346fc
SHA2562d6863a49648f59642f53236790f35a63df119facda1d98549025b3a8ddac2fb
SHA512f94d231f631a55a14130b7c8d9f5c1fd314b0b07029dc28146677f65aac99055e860b5744231b119fb06d0d582db59d4d73716c79f087d4fa455955a77ba4580
-
Filesize
514KB
MD526d8d52bac8f4615861f39e118efa28d
SHA1efd5a7ccd128ffe280af75ec8b3e465c989d9e35
SHA2568521a1f4d523a2a9e7f8ddf01147e65e7f3ff54b268e9b40f91e07dc01fa148f
SHA5121911a21d654e317fba50308007bb9d56fba2c19a545ef6dfaade17821b0f8fc48aa041c8a4a0339bee61cbd429852d561985e27c574eced716b2e937afa18733
-
Filesize
3.7MB
MD56967a105bf22f11871cf14fb2fda7bf1
SHA19be5af0232c8219b9ba0df4cb2b924b07e467ac2
SHA256d06a144d1382d9fb1596b5a7a94d43377249bc95faee1d7b23dce3d6ac98dd3d
SHA512df232d8915746eac5383a179fbcf322d697eacca9104da95962826a85416555c708575ffb84a769d8699c03597309a84269f310f3d555525a39f86967f85dcc5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
151B
MD55ea688e3c877101837eaa05b3b6b531b
SHA1252a60373659fe784464323587b7e278b29a0b6d
SHA256d8c1feb552976a859ae3890da831cc4f3944e7a95c5390cfe024b0c4c1f95227
SHA512e573dc6dee8db7e0bed30885fd41c19a992c9dec956e62e1f94ccb82e62b3adf282586ac8ca76712f5ca3f149d671616591ea6ba3122134bec1f449db5759942
-
Filesize
73KB
MD59d347d5ac998a89f78ba00e74b951f55
SHA173df3d5c8388a4d6693cbb24f719dba8833c9157
SHA2562ea5686422bd8fb6eda542e9a96588f9deb1c97c45f3cb7d3b21ac4da540b57c
SHA5123db7421aa98e8e108bf982048dda7e0f09428c6498cf5f9f56ef499fb2fafc5deabde8ecb99e1fdd570d54ae9c0533b7502de5848c9e772708cf75509d0c9d9e
-
Filesize
64B
MD576f433b3fbd6c3d0ca94f50293292ecc
SHA155cecbed8cb353b05ce046ad185488fbcb91bed8
SHA256b04b8ad6f41d55d715fee227f2c1e4d333627ff2a1b89c0f55e35384028f1b32
SHA512829f24bd3474abb436d4f685fc6ec8172b1d3ad548cfa71b3cd263b0a3fc353ae4cdd0ab925397fdb07bfa859e79711a6c0b7dbdd95b94b419fedce60090bdb6
-
Filesize
3.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
280KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
460KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
96KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
32KB
-
Filesize
520KB
-
Filesize
536KB