Analysis
- max time kernel: 113s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/04/2025, 18:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: Fund Transfer Advice of USD 109,000 & USD 108,000.PDF.vbs
- Resource: win10v2004-20250314-en
General
- Target: Fund Transfer Advice of USD 109,000 & USD 108,000.PDF.vbs
- Size: 2.1MB
- MD5: 54d124bf1ebe1f73d5201075ab7b0c7d
- SHA1: 9243d20658be25495f9d008d1c0cbb77d3c96a22
- SHA256: 5c9f911425493134acd77379a98edaa7e161c6780fdba68791e9098fb9885400
- SHA512: 1e639b2e26598636f0fe326eb13f55905cadbb83bbfc1872a501e09e70cfb871b8ebc4c980c9cfb82b6d031562c8092c408b74d828ae21283b9f253145263672
- SSDEEP: 24576:Y04XRbFcSxHO9zTHod1wmV44huQN8CK5w2cByoj64ladzMiPeANvpDRJMj66/SXS:YJhbOhTHoLxKQNYceEU+P
Malware Config
Extracted: asyncrat
- Default
- 127.0.0.1:6606
- 127.0.0.1:7707
- 127.0.0.1:8808
- https://api.telegram.org/bot7772893676:AAHsXXekbKXk34N9C2s13jbOqoFMDLR-8pQ/sendMessage?chat_id=5064120322
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_folder: %AppData%
Signatures
- Asyncrat family
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- StormKitty: StormKitty is an open source info stealer written in C#.
- StormKitty payload (3 IoCs)
  yara_rule family_stormkitty matched in:
  - behavioral1/memory/4052-431-0x0000000027410000-0x0000000027458000-memory.dmp
  - behavioral1/memory/4052-433-0x0000000029C20000-0x0000000029C66000-memory.dmp
  - behavioral1/memory/7364-2156-0x000000001C750000-0x000000001C796000-memory.dmp
- Stormkitty family
- Async RAT payload (2 IoCs)
  yara_rule family_asyncrat matched in:
  - behavioral1/memory/4052-433-0x0000000029C20000-0x0000000029C66000-memory.dmp
  - behavioral1/memory/7364-2156-0x000000001C750000-0x000000001C796000-memory.dmp
- ModiLoader Second Stage (61 IoCs)
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation (WScript.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation (rundll32.exe)
- Executes dropped EXE (6 IoCs)
  - PID 3464: x.exe
  - PID 5908: alpha.pif
  - PID 1376: alpha.pif
  - PID 4052: azsanbsP.pif
  - PID 3248: Psbnasza.PIF
  - PID 7364: azsanbsP.pif
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 3464 (x.exe) set thread context of PID 4052 (procid_target 111)
  - PID 3248 (Psbnasza.PIF) set thread context of PID 7364 (procid_target 123)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by x.exe, cmd.exe, alpha.pif, alpha.pif, cmd.exe, schtasks.exe, azsanbsP.pif, Psbnasza.PIF, cmd.exe, PING.EXE, azsanbsP.pif
- System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
  Adversaries may check for Internet connectivity on compromised systems.
  - PID 5500: PING.EXE
- Runs ping.exe (1 TTP, 1 IoC)
  - PID 5500: PING.EXE
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - PID 3780: schtasks.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 4052 (azsanbsP.pif)
  - Token: SeDebugPrivilege, PID 7364 (azsanbsP.pif)
- Suspicious use of WriteProcessMemory (40 IoCs)
Processes
- C:\Windows\System32\WScript.exe (PID 4280)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fund Transfer Advice of USD 109,000 & USD 108,000.PDF.vbs"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\x.exe (PID 3464)
    Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3524)
      Command line: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\2932.cmd
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\esentutl.exe (PID 6136)
        Command line: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
      - C:\Users\Public\alpha.pif (PID 5908)
        Command line: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Public\alpha.pif (PID 1376)
        Command line: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2348)
      Command line: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\3090.cmd
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE (PID 5500)
        Command line: ping 127.0.0.1 -n 10
        Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
    - C:\Windows\SysWOW64\cmd.exe (PID 5096)
      Command line: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\56.cmd
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 3780)
        Command line: schtasks /create /sc minute /mo 1 /tn "Psbnasza" /tr C:\\ProgramData\\Psbnasza.url"
        Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\Links\azsanbsP.pif (PID 4052)
      Command line: C:\\Users\\Admin\\Links\azsanbsP.pif
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID 2708)
  Command line: C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Psbnasza.url
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Links\Psbnasza.PIF (PID 3248)
    Command line: "C:\Users\Admin\Links\Psbnasza.PIF"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Links\azsanbsP.pif (PID 7364)
      Command line: C:\\Users\\Admin\\Links\azsanbsP.pif
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads