Overview

overview

10

Static

static

10

Valorant S...x).exe

windows7-x64

10

Valorant S...x).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29/03/2025, 19:39 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Valorant Spoofer 2025 (by BBaox/Valorant Spoofer (by BBaox).exe

  • Size

    47KB

  • MD5

    fd64259b217827ebbe114699e9194ba7

  • SHA1

    3b09e655d4d557ee1fca294613867e9f886dcf7a

  • SHA256

    68fb8f06592b84297fc6adf794044e693bc8ca655502d7c661a5a00128dd37b4

  • SHA512

    a1e35e0edf30da7ae08cfa853cee5aa6b3b53f25c8f06106a93d305115dad1ba12a481e77210a1b3964533d06a7ad346fdd798d91cb4d3a3c19618cddb64c156

  • SSDEEP

    768:Du+K1TQQEX1WUVt1Pmo2qj6tHo0LxT5FWfD7hh0bVXW4yBQaTq+GcDZz1+:Du+K1TQfb2NLxTGfDMbVXjymaWWdz1+

Score
10/10
asyncratdefaultdiscoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:1604

127.0.0.1:1600
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    Valorant Spoofer.exe

  • install_folder

    %Temp%

aes.plain
1
cSocUf7EMLxRxQR37qm2Phr4hrHkTGGa

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer 2025 (by BBaox\Valorant Spoofer (by BBaox).exe
    "C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer 2025 (by BBaox\Valorant Spoofer (by BBaox).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Valorant Spoofer" /tr '"C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Valorant Spoofer" /tr '"C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2764
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEEC2.tmp.bat""
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:2784
      • C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe
        "C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2832

Network

    No results found
  • 127.0.0.1:1600
    Valorant Spoofer.exe
  • 127.0.0.1:1600
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
  • 127.0.0.1:1600
    Valorant Spoofer.exe
  • 127.0.0.1:1600
    Valorant Spoofer.exe
  • 127.0.0.1:1600
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
  • 127.0.0.1:1600
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
  • 127.0.0.1:1600
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
  • 127.0.0.1:1600
    Valorant Spoofer.exe
  • 127.0.0.1:1600
    Valorant Spoofer.exe
  • 127.0.0.1:1600
    Valorant Spoofer.exe
  • 127.0.0.1:1600
    Valorant Spoofer.exe
  • 127.0.0.1:1604
    Valorant Spoofer.exe
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Valorant Spoofer.exe
    Filesize

    47KB

    MD5

    fd64259b217827ebbe114699e9194ba7

    SHA1

    3b09e655d4d557ee1fca294613867e9f886dcf7a

    SHA256

    68fb8f06592b84297fc6adf794044e693bc8ca655502d7c661a5a00128dd37b4

    SHA512

    a1e35e0edf30da7ae08cfa853cee5aa6b3b53f25c8f06106a93d305115dad1ba12a481e77210a1b3964533d06a7ad346fdd798d91cb4d3a3c19618cddb64c156

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpEEC2.tmp.bat
    Filesize

    163B

    MD5

    0261b2802c3fb2b03fe65410695b2ef8

    SHA1

    3e34e767248d2a5bc894b7ecd50c0771125e46f5

    SHA256

    1306509a3827199d8ed272a8010809da40fffad592ee9dc9df2b22a3e661c76d

    SHA512

    f15e2668da5f1d1b3973c943db4e9d9ccd8b4be614dc3ffdf77b5704f255b3e89045e902551cb584e46427f0dd9e2db2d033a32f4892d446314094c32b5d07fc

    Download Submit

  • memory/1980-0-0x000000007463E000-0x000000007463F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1980-1-0x0000000000050000-0x0000000000062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1980-2-0x0000000074630000-0x0000000074D1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1980-11-0x0000000074630000-0x0000000074D1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2832-16-0x00000000001D0000-0x00000000001E2000-memory.dmp

    Filesize

    72KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.