Analysis

  • max time kernel
    312s
  • max time network
    318s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    29/03/2025, 21:10 UTC

General

  • Target

    RuntimeBroker.exe

  • Size

    45KB

  • MD5

    7a984e3a8ef99e429ceef1f1ddc144f4

  • SHA1

    581dd32af3c53b1dc7b8a95aa2805ee0e8f44190

  • SHA256

    4d8c876b969caf2449f169f89ec257f5e1412e23b609ab4f7c7ee72cd4b0de60

  • SHA512

    b078b827e49cddfd743dd55802c0a48dc5056ccb172cb83a65e484a26c62fa30e1fa6860621752d4adbad3e5d234d759c817a0c0b3532531a99f50f05622bf6a

  • SSDEEP

    768:ruGr1TVhfPNWUtWuHmo2qzVh7N78wJuPIozjbNVgXKDi4Rj6nKBDZjx:ruGr1TVxx2GFN4iXo3bsXjCj6nUdjx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

holefo2785-22820.portmap.host:22820

holefo2785-22820.portmap.host:6606

Mutex

I674w9YbNo4n

Attributes
  • delay

    3

  • install

    true

  • install_file

    RuntimeBroker.exe

  • install_folder

    %AppData%

aes.plain
1
ZPMgXRNDWjLWpAwd4K1szMfec1Eo6chl

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5696
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBroker" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1788
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F32.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3720
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:1692
      • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
        "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5528
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "RuntimeBroker"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:556
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /delete /f /tn "RuntimeBroker"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2408
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE6D1.tmp.bat""
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5272
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:5376

Network

  • DNS
    holefo2785-22820.portmap.host
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    holefo2785-22820.portmap.host
    IN A
    Response
    holefo2785-22820.portmap.host
    IN A
    193.161.193.99
  • DNS
    ctldl.windowsupdate.com
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
    edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
    IN A
    91.81.130.133
    edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
    IN A
    91.80.49.85
    edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
    IN A
    91.80.49.86
    edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
    IN A
    91.80.49.21
    edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
    IN A
    91.81.130.134
    edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
    IN A
    91.81.129.181
    edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
    IN A
    91.80.49.20
    edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
    IN A
    91.81.129.180
  • DNS
    99.193.161.193.in-addr.arpa
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    99.193.161.193.in-addr.arpa
    IN PTR
    Response
  • DNS
    nexusrules.officeapps.live.com
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.229.48
  • DNS
    self.events.data.microsoft.com
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    self.events.data.microsoft.com
    IN A
    Response
    self.events.data.microsoft.com
    IN CNAME
    self-events-data.trafficmanager.net
    self-events-data.trafficmanager.net
    IN CNAME
    onedscolprdcus19.centralus.cloudapp.azure.com
    onedscolprdcus19.centralus.cloudapp.azure.com
    IN A
    52.182.143.214
  • DNS
    ctldl.windowsupdate.com
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    2.18.190.77
    a767.dspw65.akamai.net
    IN A
    2.18.190.79
  • DNS
    77.190.18.2.in-addr.arpa
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • DNS
    167.173.78.104.in-addr.arpa
    RuntimeBroker.exe
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167.deploy.static.akamaitechnologies.com
  • 193.161.193.99:22820
    holefo2785-22820.portmap.host
    tls
    RuntimeBroker.exe
    19.3kB
    598.1kB
    306
    480
  • 193.161.193.99:22820
    holefo2785-22820.portmap.host
    tls
    RuntimeBroker.exe
    768 B
    361 B
    8
    5
  • 193.161.193.99:22820
    holefo2785-22820.portmap.host
    tls
    RuntimeBroker.exe
    454 B
    361 B
    6
    5
  • 8.8.8.8:53
    holefo2785-22820.portmap.host
    dns
    RuntimeBroker.exe
    581 B
    1.5kB
    8
    8
MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RuntimeBroker.exe.log

    Filesize

    522B

    MD5

    db9f45365506c49961bfaf3be1475ad2

    SHA1

    6bd7222f7b7e3e9685207cb285091c92728168e4

    SHA256

    3a8c487575696f7ace931dc220c85a47d33e0ead96aa9e47c705fee5dfac667a

    SHA512

    807028e2aed5b25b2d19ec4f09867746456de4e506c90c73e6730b35303511349a79ca0b9290509664edc0433d47e3fc7f2661534293ebb82185b1494da86a41

  • C:\Users\Admin\AppData\Local\Temp\tmp7F32.tmp.bat

    Filesize

    157B

    MD5

    798111abd16ae4ff04844750f696fea3

    SHA1

    4d5831313b5b4f36ec5dfa14a1abd96ebb56bc97

    SHA256

    a4c7714cdbc4e8f0fcff1d0184cf3021a7e950a8cc78a5f5ed63956200229c96

    SHA512

    dc7f98a5314cd086bdab8b6c4add0c1dc1c3f7f48ef6aeb71ec9e2121b913d16b957f976b5459c626b9cab43f92cbed2265053a4841e12dc14ee48acdf6e4ed5

  • C:\Users\Admin\AppData\Local\Temp\tmpE6D1.tmp.bat

    Filesize

    162B

    MD5

    eeb17e530eb4c24b5c70015136d7c80c

    SHA1

    a8e09e5b8c41ca3d950c0250ffb5c5108a23b876

    SHA256

    e71a506310c0da8869d7f1fed5cf131d33a10383a4b630c01c3ed3a6306cce90

    SHA512

    9a0cd20e55e939c8e04f1f9615de736733f7e09ef6e21d22348833535db12717ed5732b9486c9637248983b56c338be1a83a7e5e52af0713cdeba1a6014d5e90

  • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe

    Filesize

    45KB

    MD5

    7a984e3a8ef99e429ceef1f1ddc144f4

    SHA1

    581dd32af3c53b1dc7b8a95aa2805ee0e8f44190

    SHA256

    4d8c876b969caf2449f169f89ec257f5e1412e23b609ab4f7c7ee72cd4b0de60

    SHA512

    b078b827e49cddfd743dd55802c0a48dc5056ccb172cb83a65e484a26c62fa30e1fa6860621752d4adbad3e5d234d759c817a0c0b3532531a99f50f05622bf6a

  • memory/1492-0-0x000000007431E000-0x000000007431F000-memory.dmp

    Filesize

    4KB

  • memory/1492-1-0x0000000000A80000-0x0000000000A92000-memory.dmp

    Filesize

    72KB

  • memory/1492-2-0x0000000005CA0000-0x0000000005D3C000-memory.dmp

    Filesize

    624KB

  • memory/5528-16-0x00000000067B0000-0x0000000006D56000-memory.dmp

    Filesize

    5.6MB

  • memory/5528-13-0x0000000074310000-0x0000000074AC1000-memory.dmp

    Filesize

    7.7MB

  • memory/5528-17-0x0000000005CD0000-0x0000000005D36000-memory.dmp

    Filesize

    408KB

  • memory/5528-18-0x00000000070E0000-0x0000000007156000-memory.dmp

    Filesize

    472KB

  • memory/5528-19-0x0000000007160000-0x00000000071FC000-memory.dmp

    Filesize

    624KB

  • memory/5528-20-0x0000000007080000-0x000000000709E000-memory.dmp

    Filesize

    120KB

  • memory/5528-21-0x0000000007250000-0x0000000007290000-memory.dmp

    Filesize

    256KB

  • memory/5528-22-0x00000000070B0000-0x00000000070BA000-memory.dmp

    Filesize

    40KB

  • memory/5528-23-0x0000000007330000-0x0000000007394000-memory.dmp

    Filesize

    400KB

  • memory/5528-26-0x0000000074310000-0x0000000074AC1000-memory.dmp

    Filesize

    7.7MB

  • memory/5528-12-0x0000000074310000-0x0000000074AC1000-memory.dmp

    Filesize

    7.7MB