Analysis Overview
SHA256: 3ec778942e2d803125fa551096a19a7f1e3cf0a9f513aa6633c96dd584dfe204
Threat Level: Known bad
The file Infected.exe was found to be: Known bad.
Malicious Activity Summary
Asyncrat family
Async RAT payload
Stealerium family
Stealerium
AsyncRat
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Looks up geolocation information via web service
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Browser Information Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Wi-Fi Discovery
outlook_win_path
Checks processor information in registry
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Delays execution with timeout.exe
outlook_office_path
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2025-03-27 10:52
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2025-03-27 10:52
Reported: 2025-03-27 10:55
Platform: win7-20241010-en
Max time kernel: 118s
Max time network: 140s
Command Line
Signatures
AsyncRat
Asyncrat family
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "1" /tr '"C:\Users\Admin\AppData\Local\Temp\1.exe"' & exit
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B94.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "1" /tr '"C:\Users\Admin\AppData\Local\Temp\1.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | born-me.gl.at.ply.gg | udp |
| US | 147.185.221.16:51852 | born-me.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp9B94.tmp.bat
| Hash | Value |
|---|---|
| MD5 | 4e352ae713f42ae0e93d130e5309676b |
| SHA1 | 42541b5468f7dd17c292a31b3a783fb242ebbe76 |
| SHA256 | db5fdcadf9e7e787a07499ac7ebffbddd5c98b31ea78b3b64fa6c5d21583998e |
| SHA512 | 0a6f156f75ed34694c7ccd3c9bb3a7bcdc4caa7ca82230cfae9c358901c5a33d52d411a1dfd9512d141caad1d16e3184053e795403d525e9f153943a424ae804 |
C:\Users\Admin\AppData\Local\Temp\1.exe
| Hash | Value |
|---|---|
| MD5 | f9caeabd873c3735af9b6bf7118d4955 |
| SHA1 | ce94b174c93e8716d5ea69cdffd8f83cc138c1cd |
| SHA256 | 3ec778942e2d803125fa551096a19a7f1e3cf0a9f513aa6633c96dd584dfe204 |
| SHA512 | 12fdaa215362ef00d8258d3764d6bf0fe58241034f468d072fd748ac04cbc5df0c6fe5090ed1cdd7112af334ce47e9c881896c92761c7a3d5f12c0a2fc5b3dbc |
Analysis: behavioral2
Detonation Overview
Submitted: 2025-03-27 10:52
Reported: 2025-03-27 10:55
Platform: win10v2004-20250314-en
Max time kernel: 104s
Max time network: 150s
Command Line
Signatures
AsyncRat
Asyncrat family
Stealerium
Stealerium family
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | icanhazip.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Infected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "1" /tr '"C:\Users\Admin\AppData\Local\Temp\1.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp53CD.tmp.bat""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "1" /tr '"C:\Users\Admin\AppData\Local\Temp\1.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | born-me.gl.at.ply.gg | udp |
| US | 147.185.221.16:51852 | born-me.gl.at.ply.gg | tcp |
| US | 147.185.221.16:51852 | born-me.gl.at.ply.gg | tcp |
| US | 147.185.221.16:51852 | born-me.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 147.185.221.16:51852 | born-me.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.184.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp53CD.tmp.bat
| Hash | Value |
|---|---|
| MD5 | c2b472d28d9ca6c546c80cbdaca9b62f |
| SHA1 | 1a663a650c7573fdf86315dd2d35ee42b2f0a5f1 |
| SHA256 | 654fba240635c208c016f448caa0b5f798370b0c7cca721d4b9a8dd0351a303d |
| SHA512 | ac5ffa0f407d91d9a8b9ab07efb4f92b7e354d21ececd291024387d6983d1c8213c490944c78d2b8ba8d6184969bcb501fba0362e2d73e2b56ec21f122304d18 |
C:\Users\Admin\AppData\Local\Temp\1.exe
| Hash | Value |
|---|---|
| MD5 | f9caeabd873c3735af9b6bf7118d4955 |
| SHA1 | ce94b174c93e8716d5ea69cdffd8f83cc138c1cd |
| SHA256 | 3ec778942e2d803125fa551096a19a7f1e3cf0a9f513aa6633c96dd584dfe204 |
| SHA512 | 12fdaa215362ef00d8258d3764d6bf0fe58241034f468d072fd748ac04cbc5df0c6fe5090ed1cdd7112af334ce47e9c881896c92761c7a3d5f12c0a2fc5b3dbc |
C:\Users\Admin\AppData\Local\760c63a83baacba6c2f27c7d96382396\Admin@ISKSVYMX_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | 0b734cab1f6295e67cb4c391dcd335e2 |
| SHA1 | ef1228d1449066482fc1c6f7e1e593c1377c9dd0 |
| SHA256 | eb239077e16a3be854645c408788f342109ee0e0592f63ebc563d5bf81253931 |
| SHA512 | 507a2f2d4598238e8748e5f9a1db75ed9d3bec8005246955a62327355ee9f03838b7985ce619004779a4f96be56bfa7c9b62b63e3cb53124d2653eb395edd345 |
C:\Users\Admin\AppData\Local\760c63a83baacba6c2f27c7d96382396\Admin@ISKSVYMX_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | 0270adde645bff1bef54407e1beca863 |
| SHA1 | 0f14f56ec22bbdde989cbc74672eb359787c8a13 |
| SHA256 | 5776427b7513f6f422f3eb3205124b223abd9721f7ce0900a9790818d88c158c |
| SHA512 | 037c668b51c91d9ee49af3c251cbb22f9415377acf30f9f2817c6d7a3d731448c1b355e0708671e5de557d4bd7d7cef37299ab0c919cd7209667a0a8e69ffb43 |
C:\Users\Admin\AppData\Local\760c63a83baacba6c2f27c7d96382396\Admin@ISKSVYMX_en-US\System\Process.txt
| Hash | Value |
|---|---|
| MD5 | 3c8b00a561ebb0810a5518851145d99e |
| SHA1 | e19afccc8b4073a3e1447cf562bf29ac1c40456d |
| SHA256 | 647d71932f8665f75325ad4a7479829b4364abdc90c193dd80e6667539289162 |
| SHA512 | 11dd2a22574b4721bead8e6b4232c581495643c1ee5f03ec1f10b5a797b775b7a51c4dee8a4028bd5e4ffbb750cd622b1b0c0243fc37f89c72576c4866aa3f54 |
C:\Users\Admin\AppData\Local\760c63a83baacba6c2f27c7d96382396\Admin@ISKSVYMX_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt
| Hash | Value |
|---|---|
| MD5 | ea511fc534efd031f852fcf490b76104 |
| SHA1 | 573e5fa397bc953df5422abbeb1a52bf94f7cf00 |
| SHA256 | e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995 |
| SHA512 | f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae |