Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/03/2025, 06:14 UTC

General

  • Target

    998566d8ea82f0a3c8f337e42a95f373.exe

  • Size

    45KB

  • MD5

    998566d8ea82f0a3c8f337e42a95f373

  • SHA1

    e61b997562fadf8c805bf9d66b194db9fac2e958

  • SHA256

    c19fa552e9898ac3a969fccbd5225b286393e4d4ef0343df96794e0a633ba1c5

  • SHA512

    b7bdf4a03674899c02999a9a0f9f1fae67d97c0646d37fed97ae770d4ee1240a39f0388ff8dc6eac760bde12d6e291f5371c075ce49728fcf84e2edaddec6407

  • SSDEEP

    768:wuYqlTLoczGWUgP28mo2qMAKjPGaG6PIyzjbFgX3irduljz5WpcBDZ7B:wuYqlTLbj2AKTkDy3bCXSrqz0p6d7B

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8000

Mutex

ddsO1QLOdEGK

Attributes
  • delay

    3

  • install

    true

  • install_file

    Windows745635.exe

  • install_folder

    %Temp%

aes.plain
1
1aICevoS90zJkBByu7BVQwwEZLQx0it3

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\998566d8ea82f0a3c8f337e42a95f373.exe
    "C:\Users\Admin\AppData\Local\Temp\998566d8ea82f0a3c8f337e42a95f373.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows745635" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows745635.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Windows745635" /tr '"C:\Users\Admin\AppData\Local\Temp\Windows745635.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3064
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.bat""
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2716
      • C:\Users\Admin\AppData\Local\Temp\Windows745635.exe
        "C:\Users\Admin\AppData\Local\Temp\Windows745635.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2568

Network

  • 127.0.0.1:8000
    Windows745635.exe
  • 127.0.0.1:8808
    Windows745635.exe
  • 127.0.0.1:8808
    Windows745635.exe
  • 127.0.0.1:8808
    Windows745635.exe
  • 127.0.0.1:7707
    Windows745635.exe
  • 127.0.0.1:7707
    Windows745635.exe
  • 127.0.0.1:6606
    Windows745635.exe
  • 127.0.0.1:6606
    Windows745635.exe
  • 127.0.0.1:6606
    Windows745635.exe
  • 127.0.0.1:8000
    Windows745635.exe
  • 127.0.0.1:8000
    Windows745635.exe
  • 127.0.0.1:6606
    Windows745635.exe
  • 127.0.0.1:6606
    Windows745635.exe
  • 127.0.0.1:6606
    Windows745635.exe
  • 127.0.0.1:6606
    Windows745635.exe
  • 127.0.0.1:7707
    Windows745635.exe
  • 127.0.0.1:6606
    Windows745635.exe
  • 127.0.0.1:8808
    Windows745635.exe
  • 127.0.0.1:8808
    Windows745635.exe
  • 127.0.0.1:8000
    Windows745635.exe
  • 127.0.0.1:8000
    Windows745635.exe
  • 127.0.0.1:6606
    Windows745635.exe
  • 127.0.0.1:8000
    Windows745635.exe

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp54E.tmp.bat

    Filesize

    159B

    MD5

    9ff2e535d582bab5b2118c06102bfc0a

    SHA1

    5ea6607e70447325b5d8f3499e22b51568713d7f

    SHA256

    3b856d4e2e105b9bba1a061d5d3f641fbf7d679a2def1f1b44bb7414ddf46abe

    SHA512

    17c959792e2c456d8c2c8a3b876ee8cc01ca72ca76860a066c434be0fcfc4eb3762a22d16a997ca1492e1cc7e056d33b9ff4e011b28dea552090739f53d52e6d

  • \Users\Admin\AppData\Local\Temp\Windows745635.exe

    Filesize

    45KB

    MD5

    998566d8ea82f0a3c8f337e42a95f373

    SHA1

    e61b997562fadf8c805bf9d66b194db9fac2e958

    SHA256

    c19fa552e9898ac3a969fccbd5225b286393e4d4ef0343df96794e0a633ba1c5

    SHA512

    b7bdf4a03674899c02999a9a0f9f1fae67d97c0646d37fed97ae770d4ee1240a39f0388ff8dc6eac760bde12d6e291f5371c075ce49728fcf84e2edaddec6407

  • memory/2232-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

    Filesize

    4KB

  • memory/2232-1-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

    Filesize

    72KB

  • memory/2232-2-0x0000000074D50000-0x000000007543E000-memory.dmp

    Filesize

    6.9MB

  • memory/2232-11-0x0000000074D50000-0x000000007543E000-memory.dmp

    Filesize

    6.9MB

  • memory/2568-16-0x0000000000A20000-0x0000000000A32000-memory.dmp

    Filesize

    72KB
