Analysis
max time kernel: 2s
max time network: 18s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2025, 19:40
Behavioral task: behavioral1
Sample: 6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe
Resource: win10v2004-20250314-en
General
Target: 6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe
Size: 63KB
MD5: 9dd10f9335e7979d2a90b3ab9106d261
SHA1: 2633da3549195050d665d0fd3eefd96dcb15470d
SHA256: 6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd
SHA512: acc081e163e92f5c06d7185053b85e288639462486c85c718fd619cdce8fd84943735f597165b20045160c078144de88ef6178012f17bf2ebc7c47d5aada6ba8
SSDEEP: 1536:OBVb3plA0aTdeKX7QNaoxvGbbnwKbn2BGtkpqKmY7:OBVb3plA0aTRX7QDtGbbnfj22vz
Malware Config
Extracted: asyncrat
Version: 5.0.5
Botnet: Venom Clients
C2: 127.0.0.1:4449
Mutex: Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
delay: 1
install: true
install_file: scs2.exe
install_folder: %AppData%
Note: the configured C2 is the loopback address, so as built this sample cannot beacon to a remote operator; the C2 value is not an actionable network indicator. The mutex, the install file name and the install folder are the host-side indicators to pivot on.
Signatures
Asyncrat family
Async RAT payload (1 IoC)
  resource: behavioral1/files/0x0007000000012119-15.dat, yara_rule: family_asyncrat
Delays execution with timeout.exe (1 IoC)
  PID 1908 timeout.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2548 schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2668 6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe (4 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 2668 6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe
  Note: AdjustTokenPrivileges can only enable a privilege the token already holds; SeDebugPrivilege is present (disabled by default) in an administrator's token, which is the context the sandbox runs the sample in (see the C:\Users\Admin paths below). On a standard-user token the call would fail.
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd.exe"
  PID: 2668
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  Depth 2: C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "scs2" /tr '"C:\Users\Admin\AppData\Roaming\scs2.exe"' & exit
    PID: 2652
    Depth 3: C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "scs2" /tr '"C:\Users\Admin\AppData\Roaming\scs2.exe"'
      PID: 2548
      Signatures: Scheduled Task/Job: Scheduled Task
  Depth 2: C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp52C2.tmp.bat""
    PID: 2864
    Depth 3: C:\Windows\system32\timeout.exe
      Command line: timeout 3
      PID: 1908
      Signatures: Delays execution with timeout.exe
    Depth 3: C:\Users\Admin\AppData\Roaming\scs2.exe
      Command line: "C:\Users\Admin\AppData\Roaming\scs2.exe"
      PID: 2452
Note: the task name and action path match install_file and install_folder in the extracted config. The task is an onlogon trigger with /rl highest and /f, so it re-runs the installed copy at every logon with the highest privileges the account holds and overwrites any existing task named "scs2". The batch file in %Temp% sleeps for 3 seconds with timeout.exe and then launches the installed copy from %AppData%\Roaming.
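As an added example, not part of this report, the following detection logic takes the three command lines from the process tree above (transcribed here as constructed sample events; the tuple layout is an assumption, not a sandbox export format) and flags the AsyncRAT-style install pattern: a schtasks /create whose action lives in a user-writable directory with an onlogon trigger, a cmd /c of a .bat in %Temp%, and the timeout.exe delay. The switch parser handles the single-quote-wrapped /tr argument exactly as it appears on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample events (pid, image, command line) taken from the process
# tree in the report; the tuple layout is this example's own assumption.
SAMPLE_EVENTS = [
    (2652, "C:\\Windows\\System32\\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest '
     '/tn "scs2" /tr \'"C:\\Users\\Admin\\AppData\\Roaming\\scs2.exe"\' & exit'),
    (2548, "C:\\Windows\\system32\\schtasks.exe",
     'schtasks /create /f /sc onlogon /rl highest /tn "scs2" '
     '/tr \'"C:\\Users\\Admin\\AppData\\Roaming\\scs2.exe"\''),
    (2864, "C:\\Windows\\system32\\cmd.exe",
     'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp52C2.tmp.bat""'),
    (1908, "C:\\Windows\\system32\\timeout.exe", "timeout 3"),
    (2452, "C:\\Users\\Admin\\AppData\\Roaming\\scs2.exe",
     '"C:\\Users\\Admin\\AppData\\Roaming\\scs2.exe"'),
]

# Directories an unprivileged user can write to: a task whose action lives here
# was installed without needing admin rights.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# One schtasks switch: /name, optionally followed by a single-quoted, double-quoted
# or bare value. A bare value may not start with '/', so "/f /sc" parses as two switches.
SWITCH_RE = re.compile(r"""/(\w+)(?:\s+(?:'([^']*)'|"([^"]*)"|(?!/)(\S+)))?""")


@dataclass
class Finding:
    pid: int
    kind: str
    detail: str
    reasons: list = field(default_factory=list)


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return {switch: value} for a schtasks invocation inside cmdline, else None."""
    m = re.search(r"schtasks(?:\.exe)?\s+(.*)", cmdline, re.IGNORECASE)
    if not m:
        return None
    switches = {}
    for name, sq, dq, bare in SWITCH_RE.findall(m.group(1)):
        value = sq or dq or bare
        switches[name.lower()] = value.strip('"')  # /tr '"path"' -> path
    return switches


def parse_timeout(cmdline: str) -> Optional[int]:
    """Seconds requested by timeout.exe, for both 'timeout 3' and 'timeout /t 3'."""
    m = re.search(r'(?:^|\\)"?timeout(?:\.exe)?"?\s+(?:/t\s+)?(\d+)', cmdline, re.IGNORECASE)
    return int(m.group(1)) if m else None


def assess(events) -> list:
    """Classify each event; the parent cmd.exe wrapper and the child schtasks.exe
    both carry the /create command line, so both are reported."""
    findings = []
    for pid, _image, cmdline in events:
        sw = parse_schtasks(cmdline)
        if sw is not None and "create" in sw:
            action = sw.get("tr", "")
            reasons = []
            if any(d in action.lower() for d in USER_WRITABLE):
                reasons.append("action binary in a user-writable directory")
            if sw.get("sc", "").lower() in ("onlogon", "onstart"):
                reasons.append("trigger %s re-runs it at every logon/boot" % sw["sc"].lower())
            if sw.get("rl", "").lower() == "highest":
                reasons.append("/rl highest: runs with the highest privileges the account holds")
            if "f" in sw:
                reasons.append("/f silently replaces any existing task of that name")
            findings.append(Finding(pid, "scheduled_task", f"{sw.get('tn', '?')} -> {action}", reasons))
            continue
        secs = parse_timeout(cmdline)
        if secs is not None:
            findings.append(Finding(pid, "delay", f"timeout {secs}s",
                                    ["sleep before launching the installed copy"]))
            continue
        if re.search(r'\\temp\\[^\s"]+\.bat', cmdline, re.IGNORECASE):
            findings.append(Finding(pid, "temp_batch", cmdline,
                                    ["cmd /c of a .bat dropped in %Temp%: install/relaunch stager"]))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS):
        print(f"PID {f.pid} {f.kind}: {f.detail}")
        for r in f.reasons:
            print("   -", r)
```

The same parser runs unchanged over Sysmon event ID 1 or EDR process-creation telemetry once the (pid, image, command line) tuples are pulled from those records; the loopback C2 in the extracted config is not useful for network hunting, so the task name, the %AppData%\Roaming action path and the .bat-then-timeout stager are the indicators worth alerting on.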
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 148B
MD5: 8c8a27823f0f29e67c3a535552650e3f
SHA1: aad1f6c3642c4cd2e8cf9953543e490159d4fd96
SHA256: 47b8568bf9d8aafac592dcea7a107b8aa8bf2ad4f895d6c0da89bd4bacdddeaf
SHA512: ac811cbd747ae000448e5226447b1b94414a0a2db4110389290671ed9af88d23f2905d26d6b4a4ad9c430bb596aedeb156b25d0290130e2c8d7bb9d2e0a45b0c
File 2
Filesize: 63KB
MD5: 9dd10f9335e7979d2a90b3ab9106d261
SHA1: 2633da3549195050d665d0fd3eefd96dcb15470d
SHA256: 6bf8ec1cf3a7bb15d7f0cc5408dc9ba25226ca0456edde5c5ff3e0e785e1a7cd
SHA512: acc081e163e92f5c06d7185053b85e288639462486c85c718fd619cdce8fd84943735f597165b20045160c078144de88ef6178012f17bf2ebc7c47d5aada6ba8
Note: the report does not name these files. File 2 has the same size and hashes as the submitted sample, consistent with the installed copy in %AppData% being byte-for-byte identical to the original, so the sample's hashes also cover the persisted file.