Analysis
max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
29/03/2025, 19:39 UTC
Behavioral task
behavioral1
Sample
Valorant Spoofer 2025 (by BBaox/Valorant Spoofer (by BBaox).exe
Resource
win7-20240903-en
General
Target
Valorant Spoofer 2025 (by BBaox/Valorant Spoofer (by BBaox).exe
Size
47KB
MD5
fd64259b217827ebbe114699e9194ba7
SHA1
3b09e655d4d557ee1fca294613867e9f886dcf7a
SHA256
68fb8f06592b84297fc6adf794044e693bc8ca655502d7c661a5a00128dd37b4
SHA512
a1e35e0edf30da7ae08cfa853cee5aa6b3b53f25c8f06106a93d305115dad1ba12a481e77210a1b3964533d06a7ad346fdd798d91cb4d3a3c19618cddb64c156
SSDEEP
768:Du+K1TQQEX1WUVt1Pmo2qj6tHo0LxT5FWfD7hh0bVXW4yBQaTq+GcDZz1+:Du+K1TQfb2NLxTGfDMbVXjymaWWdz1+
Malware Config
Extracted
Family
asyncrat
Version
0.5.7B
Botnet
Default
C2
127.0.0.1:1604
127.0.0.1:1600
Mutex
AsyncMutex_6SI8OkPnk
delay
3
install
true
install_file
Valorant Spoofer.exe
install_folder
%Temp%
Signatures
Asyncrat family

Async RAT payload 1 IoCs
resource: behavioral1/files/0x000c00000001225c-15.dat
yara_rule: family_asyncrat

Executes dropped EXE 1 IoCs
PID 2832 Valorant Spoofer.exe

Loads dropped DLL 1 IoCs
PID 2276 cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
schtasks.exe
timeout.exe
Valorant Spoofer.exe
Valorant Spoofer (by BBaox).exe
cmd.exe (PID 748)
cmd.exe (PID 2276)

Delays execution with timeout.exe 1 IoCs
PID 2784 timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 2764 schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs
PID 1980 Valorant Spoofer (by BBaox).exe (reported 3 times)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege, PID 1980 Valorant Spoofer (by BBaox).exe
Token: SeDebugPrivilege, PID 2832 Valorant Spoofer.exe

Suspicious use of WriteProcessMemory 20 IoCs
Each parent-to-child write below was reported 4 times (20 events in total):
PID 1980 Valorant Spoofer (by BBaox).exe wrote to memory of PID 748 cmd.exe (procid_target 31)
PID 1980 Valorant Spoofer (by BBaox).exe wrote to memory of PID 2276 cmd.exe (procid_target 32)
PID 748 cmd.exe wrote to memory of PID 2764 schtasks.exe (procid_target 35)
PID 2276 cmd.exe wrote to memory of PID 2784 timeout.exe (procid_target 36)
PID 2276 cmd.exe wrote to memory of PID 2832 Valorant Spoofer.exe (procid_target 37)
Processes
Level 1  C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer 2025 (by BBaox\Valorant Spoofer (by BBaox).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer 2025 (by BBaox\Valorant Spoofer (by BBaox).exe"
  PID: 1980
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Valorant Spoofer" /tr '"C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe"' & exit
    PID: 748
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3  C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "Valorant Spoofer" /tr '"C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe"'
      PID: 2764
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  Level 2  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEEC2.tmp.bat""
    PID: 2276
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    Level 3  C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 3
      PID: 2784
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe

    Level 3  C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe"
      PID: 2832
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

Notes on the tree: the command lines name C:\Windows\System32\cmd.exe while the image path is C:\Windows\SysWOW64\cmd.exe; the parent is a 32-bit process on an x64 guest (see resource tag arch:x86), so WOW64 file-system redirection resolves System32 to SysWOW64. The two branches match the extracted config exactly: the task "Valorant Spoofer" (/sc onlogon, /rl highest, so it runs at logon with the user's highest available token and no UAC prompt) points at install_folder %Temp% plus install_file Valorant Spoofer.exe, and the dropped batch file's "timeout 3" is the configured delay of 3 before the copy is launched.
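Added example, not code from the sandbox report: detection logic for the two branches of this process tree (the schtasks onlogon persistence reported under "Scheduled Task/Job: Scheduled Task", and the batch stager that delays with timeout.exe and then runs the dropped copy). The event records are constructed from the report's command lines and PIDs; the parent PID of 1980, the field names pid/ppid/image/cmdline and the rule names are assumptions standing in for a normalised process-creation feed such as Sysmon Event ID 1.

```python
"""Flag AsyncRAT-style install chains in process-creation events.

Constructed sample events mirror the sandbox process tree above; the ppid of
the root process (1000) and the schema are assumptions, not report data.
"""
import re

# Directories a standard user can write to. A task action or a launched
# payload living here is the signal; schtasks/timeout alone are benign.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)

EVENTS = [  # constructed from the report
    {"pid": 1980, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer 2025 (by BBaox\Valorant Spoofer (by BBaox).exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer 2025 (by BBaox\Valorant Spoofer (by BBaox).exe"'},
    {"pid": 748, "ppid": 1980, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Valorant Spoofer" /tr '"C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe"' & exit"""},
    {"pid": 2764, "ppid": 748, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /rl highest /tn "Valorant Spoofer" /tr '"C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe"'"""},
    {"pid": 2276, "ppid": 1980, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEEC2.tmp.bat""'},
    {"pid": 2784, "ppid": 2276, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout 3"},
    {"pid": 2832, "ppid": 2276, "image": r"C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe"'},
]


def schtasks_persistence(ev):
    """Rule 1: schtasks /create with an onlogon trigger and highest run level
    whose action (/tr) lives in a user-writable directory. Fires on both the
    schtasks.exe process and a cmd.exe wrapper carrying the same command line."""
    c = ev["cmdline"].lower()
    if "schtasks" not in c or "/create" not in c:
        return None
    if "/sc onlogon" not in c or "/rl highest" not in c:
        return None
    # /tr may be wrapped in '"..."' as in the report; capture the inner path.
    m = re.search(r"/tr\s+'?\"?([^'\"]+)", ev["cmdline"], re.I)
    if m and USER_WRITABLE.search(m.group(1)):
        return "onlogon task with action in user-writable path: " + m.group(1)
    return None


def batch_stager_chain(ev, by_parent):
    """Rule 2: cmd.exe running a .bat from a user-writable directory whose
    children include timeout.exe and an .exe launched from a user-writable
    directory (the delay-then-run-the-copy pattern seen above)."""
    c = ev["cmdline"].lower()
    if not ev["image"].lower().endswith("\\cmd.exe"):
        return None
    if ".bat" not in c or not USER_WRITABLE.search(ev["cmdline"]):
        return None
    children = by_parent.get(ev["pid"], [])
    delayed = any(ch["image"].lower().endswith("\\timeout.exe") for ch in children)
    payloads = [ch["image"] for ch in children
                if ch["image"].lower().endswith(".exe") and USER_WRITABLE.search(ch["image"])]
    if delayed and payloads:
        return "batch stager delayed then ran dropped payload: " + payloads[0]
    return None


def root_of(pid, by_pid):
    """Walk ppid links up to the topmost process we have an event for, so hits
    from both branches can be tied back to the same origin process."""
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid:
        pid = by_pid[pid]["ppid"]
    return pid


def detect(events):
    """Return one hit dict per (event, rule) match."""
    by_pid = {ev["pid"]: ev for ev in events}
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev["ppid"], []).append(ev)
    hits = []
    for ev in events:
        for name, detail in (("schtasks_persistence", schtasks_persistence(ev)),
                             ("batch_stager_chain", batch_stager_chain(ev, by_parent))):
            if detail:
                hits.append({"pid": ev["pid"], "image": ev["image"], "rule": name,
                             "root": root_of(ev["pid"], by_pid), "detail": detail})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["root"], hit["pid"], hit["rule"], hit["detail"])
```

Both rules key on the user-writable location of the task action or launched binary rather than on schtasks.exe or timeout.exe by themselves, which keeps them quiet on ordinary administrative use; the root_of link is what lets a triage view group the task creation and the stager under the single originating process.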
Network
No results found. This is consistent with the extracted config: both C2 entries are loopback addresses (127.0.0.1:1604 and 127.0.0.1:1600), so no outbound traffic is expected from this build.
MITRE ATT&CK Enterprise v15
Downloads
File 1 (hashes identical to the submitted sample, matching install=true copying it to %Temp% as Valorant Spoofer.exe)
Filesize
47KB
MD5
fd64259b217827ebbe114699e9194ba7
SHA1
3b09e655d4d557ee1fca294613867e9f886dcf7a
SHA256
68fb8f06592b84297fc6adf794044e693bc8ca655502d7c661a5a00128dd37b4
SHA512
a1e35e0edf30da7ae08cfa853cee5aa6b3b53f25c8f06106a93d305115dad1ba12a481e77210a1b3964533d06a7ad346fdd798d91cb4d3a3c19618cddb64c156

File 2
Filesize
163B
MD5
0261b2802c3fb2b03fe65410695b2ef8
SHA1
3e34e767248d2a5bc894b7ecd50c0771125e46f5
SHA256
1306509a3827199d8ed272a8010809da40fffad592ee9dc9df2b22a3e661c76d
SHA512
f15e2668da5f1d1b3973c943db4e9d9ccd8b4be614dc3ffdf77b5704f255b3e89045e902551cb584e46427f0dd9e2db2d033a32f4892d446314094c32b5d07fc