Overview

overview

10

Static

static

3

Downloads.exe

windows7-x64

10

Downloads.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    2s
  • max time network
    15s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    31/03/2025, 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Downloads.exe

  • Size

    3.6MB

  • MD5

    d07a0825045c8467fee83e2b668e944c

  • SHA1

    bff086232a40763ee1f6cf075bfa3626e7ecdf51

  • SHA256

    89ec0cb73afbc666af8de174d6480611875e92a07fc38232bc41a0c63a3b0e89

  • SHA512

    358da591a1176bb6258b41da4b095eef17186bd353c2852aeccce56d6cfc57ab812027cd2851b7b6f89b5dcbabc577289635e3e5dd354fd12a736a3f9a313f91

  • SSDEEP

    98304:zzAu7vg+PONHdBcMyuNFBAkHOZhRaHPnIOMojlQjR9Zs1mIxYl2qq:zzAuTgKqHd1xshEPhHRaTa1jYl2qq

Score
10/10
asyncratquasarumbralxmrigdefaultoffice04minerratspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

102.41.58.213:5505

Mutex

1e97a2db-0622-4c39-84ac-2f640c70aaf5

Attributes
  • encryption_key

    1F6CCF154B4C85A58D675CA9A482E9C7A041C879

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

197.48.105.157:5505

41.233.14.164:5505

197.48.230.161:5505

102.41.58.213:5505
Mutex

RW4mawavalFO

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Umbral payload 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • XMRig Miner payload 2 IoCs
    miner
  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Async RAT payload 1 IoCs
    rat
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

Processes

  • C:\Users\Admin\AppData\Local\Temp\Downloads.exe
    "C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
    1⤵
      PID:2908
      • C:\Users\Admin\AppData\Local\Temp\v2.exe
        "C:\Users\Admin\AppData\Local\Temp\v2.exe"
        2⤵
          PID:3052
        • C:\Users\Admin\AppData\Local\Temp\umbral.exe
          "C:\Users\Admin\AppData\Local\Temp\umbral.exe"
          2⤵
            PID:2840
          • C:\Users\Admin\AppData\Local\Temp\svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
            2⤵
              PID:2680
            • C:\Users\Admin\AppData\Local\Temp\xmrig.exe
              "C:\Users\Admin\AppData\Local\Temp\xmrig.exe"
              2⤵
                PID:1056

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
              Filesize

              231KB

              MD5

              cb74e74c04357a7f8c0df2277c4248f0

              SHA1

              1bc3fedce9f5e6a71b7e493699cb3774b8042c18

              SHA256

              d1734e1266ee9ae362168458054123674211b0bd40ca93732114735886a12895

              SHA512

              c62322e61bcec1f2efe4736f73df73fd256c8a2361599b7c270521966cdba38a800a8f30b67748a06753c46904f470c087f748c85f1251ace0cab888e5b4af31

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\config.json
              Filesize

              2KB

              MD5

              1cdbd472c68d1f35a20e0fadeff45af3

              SHA1

              3a40e0bd82550ee2eb3faec4232aa118f36b0276

              SHA256

              6e4c57c72f39daff5ec37ded92939d18da3179ccb3acaa4a54358dc86758d422

              SHA512

              75d97da51e23bb896a1ab024c85116b29ae8d2a10a2335768ea33a1f9b1cfbcf31c5c3f81b8275226e2aa4e44db55fec3c6d91a3055f380f63e4ae6325782ac1

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              Filesize

              45KB

              MD5

              c4484c446e4151680918c3564a6e7eca

              SHA1

              ad142d75ffd178efbf556726392d69f735506466

              SHA256

              f4d8d8829ff73a9c12e508a6f37d8a2e97f8cd9673d2d471d2c9c7af843db3a0

              SHA512

              1726d8493d8897c8165c2e1aeee1df699e1cc3b42836345af0f9b4e486daaea679421f26908518d57bb5ca3c7ff7460c914233847719909119519fa9175de247

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\v2.exe
              Filesize

              3.1MB

              MD5

              44bf522a553e8fde9a377f75fde20442

              SHA1

              0f9cb72fe60c334f6aa0c6ae642f5d9867a4ff8e

              SHA256

              1467681b3b224b5447b70e54088ded2dd27ca04ea5f27f14dfe6ce8369ad73b7

              SHA512

              f72c59872ed8954d7ec4ab3e109c19bb7b2a750b1e7041a0aff9b38f0726d5bbaedc364f549a401c9f827d988521204f5c765ef286ff8d9d609ca4e1e5886879

              Download Submit

            • \Users\Admin\AppData\Local\Temp\xmrig.exe
              Filesize

              6.1MB

              MD5

              f6d520ae125f03056c4646c508218d16

              SHA1

              f65e63d14dd57eadb262deaa2b1a8a965a2a962c

              SHA256

              d2fcf28897ddc2137141d838b734664ff7592e03fcd467a433a51cb4976b4fb1

              SHA512

              d1ec3da141ce504993a0cbf8ea4b719ffa40a2be4941c18ffc64ec3f71435f7bddadda6032ec0ae6cada66226ee39a2012079ed318df389c7c6584ad3e1c334d

              Download Submit

            • memory/1056-49-0x0000000000080000-0x00000000000A0000-memory.dmp

              Filesize

              128KB

              Download

            • memory/2680-46-0x00000000011E0000-0x00000000011F2000-memory.dmp

              Filesize

              72KB

              Download

            • memory/2840-40-0x0000000000210000-0x0000000000250000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2840-48-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3052-21-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3052-41-0x0000000000260000-0x0000000000584000-memory.dmp

              Filesize

              3.1MB

              Download