Overview

overview

10

Static

static

3

Downloads.exe

windows7-x64

10

Downloads.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    3s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/03/2025, 01:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Downloads.exe

  • Size

    3.6MB

  • MD5

    d07a0825045c8467fee83e2b668e944c

  • SHA1

    bff086232a40763ee1f6cf075bfa3626e7ecdf51

  • SHA256

    89ec0cb73afbc666af8de174d6480611875e92a07fc38232bc41a0c63a3b0e89

  • SHA512

    358da591a1176bb6258b41da4b095eef17186bd353c2852aeccce56d6cfc57ab812027cd2851b7b6f89b5dcbabc577289635e3e5dd354fd12a736a3f9a313f91

  • SSDEEP

    98304:zzAu7vg+PONHdBcMyuNFBAkHOZhRaHPnIOMojlQjR9Zs1mIxYl2qq:zzAuTgKqHd1xshEPhHRaTa1jYl2qq

Score
10/10
asyncratquasarumbraldefaultoffice04ratspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

197.48.105.157:5505

41.233.14.164:5505

197.48.230.161:5505

102.41.58.213:5505
Mutex

RW4mawavalFO

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

102.41.58.213:5505

Mutex

1e97a2db-0622-4c39-84ac-2f640c70aaf5

Attributes
  • encryption_key

    1F6CCF154B4C85A58D675CA9A482E9C7A041C879

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Umbral payload 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Umbral family
    umbral
  • Async RAT payload 1 IoCs
    rat

Processes

  • C:\Users\Admin\AppData\Local\Temp\Downloads.exe
    "C:\Users\Admin\AppData\Local\Temp\Downloads.exe"
    1⤵
      PID:3992
      • C:\Users\Admin\AppData\Local\Temp\v2.exe
        "C:\Users\Admin\AppData\Local\Temp\v2.exe"
        2⤵
          PID:3604
        • C:\Users\Admin\AppData\Local\Temp\umbral.exe
          "C:\Users\Admin\AppData\Local\Temp\umbral.exe"
          2⤵
            PID:6088
            • C:\Windows\System32\Wbem\wmic.exe
              "wmic.exe" csproduct get uuid
              3⤵
                PID:3580
            • C:\Users\Admin\AppData\Local\Temp\svchost.exe
              "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              2⤵
                PID:6040
              • C:\Users\Admin\AppData\Local\Temp\xmrig.exe
                "C:\Users\Admin\AppData\Local\Temp\xmrig.exe"
                2⤵
                  PID:5472

              Network

              MITRE ATT&CK Matrix

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
                Filesize

                231KB

                MD5

                cb74e74c04357a7f8c0df2277c4248f0

                SHA1

                1bc3fedce9f5e6a71b7e493699cb3774b8042c18

                SHA256

                d1734e1266ee9ae362168458054123674211b0bd40ca93732114735886a12895

                SHA512

                c62322e61bcec1f2efe4736f73df73fd256c8a2361599b7c270521966cdba38a800a8f30b67748a06753c46904f470c087f748c85f1251ace0cab888e5b4af31

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\config.json
                Filesize

                2KB

                MD5

                1cdbd472c68d1f35a20e0fadeff45af3

                SHA1

                3a40e0bd82550ee2eb3faec4232aa118f36b0276

                SHA256

                6e4c57c72f39daff5ec37ded92939d18da3179ccb3acaa4a54358dc86758d422

                SHA512

                75d97da51e23bb896a1ab024c85116b29ae8d2a10a2335768ea33a1f9b1cfbcf31c5c3f81b8275226e2aa4e44db55fec3c6d91a3055f380f63e4ae6325782ac1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\svchost.exe
                Filesize

                45KB

                MD5

                c4484c446e4151680918c3564a6e7eca

                SHA1

                ad142d75ffd178efbf556726392d69f735506466

                SHA256

                f4d8d8829ff73a9c12e508a6f37d8a2e97f8cd9673d2d471d2c9c7af843db3a0

                SHA512

                1726d8493d8897c8165c2e1aeee1df699e1cc3b42836345af0f9b4e486daaea679421f26908518d57bb5ca3c7ff7460c914233847719909119519fa9175de247

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\v2.exe
                Filesize

                3.1MB

                MD5

                44bf522a553e8fde9a377f75fde20442

                SHA1

                0f9cb72fe60c334f6aa0c6ae642f5d9867a4ff8e

                SHA256

                1467681b3b224b5447b70e54088ded2dd27ca04ea5f27f14dfe6ce8369ad73b7

                SHA512

                f72c59872ed8954d7ec4ab3e109c19bb7b2a750b1e7041a0aff9b38f0726d5bbaedc364f549a401c9f827d988521204f5c765ef286ff8d9d609ca4e1e5886879

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\xmrig.exe
                Filesize

                3.8MB

                MD5

                eb9e7a95cc608cf02b9e1d6548e25d41

                SHA1

                5452157235d23856cd3ff140c57265c304ccf99b

                SHA256

                ba2464a4a2bdc82513047104c333a7f5dac4ac086adc73ad6fe4e3ce5d4f44ae

                SHA512

                032083a482fca1714c0fe09653345eda3ecd1aa76e6f7c9b2623d359b4840e0d0007734e4d9920039221e5a32266685d5f29264d88e206f3f5e8fb32a08524f8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\xmrig.exe
                Filesize

                3.4MB

                MD5

                44254dd39068c59467b89f720107b47a

                SHA1

                6b36fbf8d975c31d76a5a9db3ed896a3b6d3775b

                SHA256

                229c78abd537bcceaf700552208c5ca441474587d1dae3f25a5e1518abcce65e

                SHA512

                8e4011d942f1290804f6e97ce799759147ff138cc13b61c5b5fcc4872536d1e0f58e0718184303c51f7f6c30236f3e799cc084349ce092186aa2c28a1ae6ddcd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\xmrig.exe
                Filesize

                2.1MB

                MD5

                5691e214523949274713f6284532f136

                SHA1

                132b7da6399ff1480051b90e3455105e1c67d927

                SHA256

                4e8d26e816b5dab04f70fcbf8b3ed5b9e5e1e0cf525f61a7c2be792d4878eb7c

                SHA512

                a032f12da372dbd1555ba7721ba31dfed112307160f44d81a1aca9d9fcde2d712574e14a040659cf2648182ca87b78c0f1730b787c1b41ae93ee680d6863ca52

                Download Submit

              • memory/3604-48-0x00000000004F0000-0x0000000000814000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/3604-33-0x00007FF979DF3000-0x00007FF979DF5000-memory.dmp

                Filesize

                8KB

                Download

              • memory/5472-55-0x000001F002C20000-0x000001F002C40000-memory.dmp

                Filesize

                128KB

                Download

              • memory/6040-53-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/6088-51-0x00007FF979DF0000-0x00007FF97A8B1000-memory.dmp

                Filesize

                10.8MB

                Download

              • memory/6088-32-0x0000022B90DD0000-0x0000022B90E10000-memory.dmp

                Filesize

                256KB

                Download