Overview

overview

10

Static

static

5

RFQ_TB2837...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    72s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/04/2025, 02:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ_TB2837V_MATERIALS&TECH-SPEC-OP6736-2025.exe

  • Size

    1.4MB

  • MD5

    90dc7c1dea8a6e2c03fedc9db60a1b5a

  • SHA1

    1add1bc885460dd045c7241e3385af2aa1d2c521

  • SHA256

    a52110ba312a9500399c954fdb31a54288e2ab7b1f44b77adcb6864575460d8f

  • SHA512

    834d34798067448ba3d5683625eb0c01cd170a6decbfcbccf470795af45cade6eb1924a3929e64bf7d5c60eab53dc8694d66cce1e405e770e812d257266ad8a4

  • SSDEEP

    24576:8u6J33O0c+JY5UZ+XC0kGso6Fa7KOf3sGJtaRd/7zXgQKFKncbTEPVbxxgWY:mu0c++OCvkGs9Fa7KUEDjLkRbTAVbxhY

Score
10/10
asyncratredlinexwormdefaultsuccessdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

204.10.161.147:7081

Mutex

XoFHv1TT4hWErxRo

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

redline

Botnet

success

C2

204.10.161.147:7082

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

204.10.161.147:5009

Mutex

ihdiqhrlparelebtcw

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Detect Xworm Payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ_TB2837V_MATERIALS&TECH-SPEC-OP6736-2025.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ_TB2837V_MATERIALS&TECH-SPEC-OP6736-2025.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Local\preconform\conged.exe
      "C:\Users\Admin\AppData\Local\Temp\RFQ_TB2837V_MATERIALS&TECH-SPEC-OP6736-2025.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\RFQ_TB2837V_MATERIALS&TECH-SPEC-OP6736-2025.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1368
        • C:\Users\Admin\AppData\Local\Temp\build.exe
          "C:\Users\Admin\AppData\Local\Temp\build.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1604
        • C:\Users\Admin\AppData\Local\Temp\XClient.exe
          "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2444
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1512
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1296
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\XClient.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2964
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      C:\Users\Admin\AppData\Roaming\XClient.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    3930c254bc452c4fd482e3059b51aa04

    SHA1

    1c4bdb41f3a7c9d4ee3b8006cc1c495eedb072e2

    SHA256

    dc600748250d0dd0ffa2678049fd27ec8e56e262601f3d8a1fd7165b03f97fb8

    SHA512

    888565d3356b5fc9c5b55d6842c520487219bc2220df2a56cb74686cc36ebd0fbd1ab9f2a17f93e9c15031c8d6366031a4fd2c1f8a6f8cf96bc3a5939f31a083

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    10890cda4b6eab618e926c4118ab0647

    SHA1

    1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

    SHA256

    00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

    SHA512

    a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    67e8893616f805af2411e2f4a1411b2a

    SHA1

    39bf1e1a0ddf46ce7c136972120f512d92827dcd

    SHA256

    ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31

    SHA512

    164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    Filesize

    37KB

    MD5

    f298510c3c663fe4ee5dfb82ea0f6e7e

    SHA1

    9a47a552e16c2e5b965c7c481cfc85618f35cc4a

    SHA256

    58018602d0ad31538a4c4926ec8b79cd9c4951bf0f1b4aafd07a785ac13d55be

    SHA512

    b3d8d1501e61ab1f98b0e03194542725dbe25292a803cc440c9b24f75cd4357e55e6e15f4a9cf8831d0b0219cddd135f9c9f5f59e165e0f5c9ac6f962e636a2a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzq5vvse.tvl.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aut8B0A.tmp
    Filesize

    518KB

    MD5

    cfe2edd123c7af6d5c965448b181dd96

    SHA1

    acdcd001c0eb99345b4ac9896506e407829c1ae5

    SHA256

    dab09fe26b469c8e6bc96fafe60928eab73b0d0d5bb3034c87d8cd7ef2093c55

    SHA512

    af08bfb1b8a956ac9ce6e1a97b1fe1585cc59eed6c675245ffad97c9ba5fa54662ff5591f86134b0bad752c9d0aa4dfd2b82cb943f1b38270a918dc247ffe9f8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize

    300KB

    MD5

    209b15fade618af5831e6e2528a4fedc

    SHA1

    2efc49db01f3df2c1cd0a528c75e466a9478b698

    SHA256

    f07a706c0554ed9363bd396dd49f788a0df232caf0af01161d831a12b95d964d

    SHA512

    3431efa0cfe6c2262ed07a9fe084567d9548e586efcfa752e0cec455e07f8a3e6b3acacacef77317881a0682358cf92d37abad80730560c33cb1e2d564afa8be

    Download Submit

  • C:\Users\Admin\AppData\Local\preconform\conged.exe
    Filesize

    1.4MB

    MD5

    90dc7c1dea8a6e2c03fedc9db60a1b5a

    SHA1

    1add1bc885460dd045c7241e3385af2aa1d2c521

    SHA256

    a52110ba312a9500399c954fdb31a54288e2ab7b1f44b77adcb6864575460d8f

    SHA512

    834d34798067448ba3d5683625eb0c01cd170a6decbfcbccf470795af45cade6eb1924a3929e64bf7d5c60eab53dc8694d66cce1e405e770e812d257266ad8a4

    Download Submit

  • memory/540-96-0x000001BCA3D50000-0x000001BCA3D72000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1368-32-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1368-31-0x0000000005FB0000-0x000000000601E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/1368-30-0x0000000006500000-0x0000000006AA4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1368-49-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1368-53-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1368-52-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1368-47-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1368-45-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1368-43-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1368-42-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1368-39-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1368-29-0x0000000005EE0000-0x0000000005F50000-memory.dmp

    Filesize

    448KB

    Download

  • memory/1368-80-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1368-24-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1368-26-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1368-27-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1368-25-0x0000000000400000-0x0000000000486000-memory.dmp

    Filesize

    536KB

    Download

  • memory/1368-28-0x00000000744AE000-0x00000000744AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1368-37-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1368-35-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1368-33-0x0000000005FB0000-0x0000000006019000-memory.dmp

    Filesize

    420KB

    Download

  • memory/1604-82-0x00000000067D0000-0x0000000006DE8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1604-137-0x0000000006330000-0x0000000006396000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1604-84-0x0000000005800000-0x0000000005812000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1604-85-0x0000000005880000-0x00000000058BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1604-86-0x00000000058C0000-0x000000000590C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1604-81-0x0000000005690000-0x000000000569A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1604-77-0x0000000000D70000-0x0000000000DC2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1604-140-0x0000000007170000-0x00000000071C0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1604-79-0x00000000056F0000-0x0000000005782000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1604-139-0x00000000078C0000-0x0000000007DEC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1604-138-0x00000000071C0000-0x0000000007382000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1604-83-0x00000000061B0000-0x00000000062BA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2196-8-0x0000000000FC0000-0x00000000013C0000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/2444-78-0x0000000000B20000-0x0000000000B30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2444-143-0x000000001D3D0000-0x000000001D3E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2444-148-0x000000001E580000-0x000000001E5F6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2444-149-0x000000001E150000-0x000000001E15E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2444-150-0x000000001E180000-0x000000001E19E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2444-151-0x000000001E170000-0x000000001E17E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2444-152-0x000000001E1C0000-0x000000001E1CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4588-22-0x0000000000F30000-0x0000000001330000-memory.dmp

    Filesize

    4.0MB

    Download