Analysis
-
max time kernel
58s -
max time network
61s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
-
submitted
21/04/2025, 19:18
General
-
Target
fba348d623f8cd0af63315a97ff67a51e0af864fb07c02824cbd83dafb173f8e.exe
-
Size
47KB
-
MD5
8a157f3fc0ea3d6b8644b918b610947e
-
SHA1
095c33d5b86fd75d76619cffd6259badb5d1b03e
-
SHA256
fba348d623f8cd0af63315a97ff67a51e0af864fb07c02824cbd83dafb173f8e
-
SHA512
f2584732363237d6e409c6f0c0c7f038c67df2ae31df92bbed3431afa60495955b896d8a5bf7a913c876e5c7446b9fedab70d040832b82b32dbc5d43c461fc38
-
SSDEEP
768:6uW81Towx/9WU9Vt+Xmo2qzgTRVTzuuSPIG5RorYKN8n5b0bK78dpNXbpl3rePD+:6uW81Toq7C2fFz97kRaYKN3bK4dfXaF8
Malware Config
Extracted
asyncrat
0.5.7B
Default
5.tcp.eu.ngrok.io:15310
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
Valorantbuild.exe
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Async RAT payload 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fba348d623f8cd0af63315a97ff67a51e0af864fb07c02824cbd83dafb173f8e.exe"C:\Users\Admin\AppData\Local\Temp\fba348d623f8cd0af63315a97ff67a51e0af864fb07c02824cbd83dafb173f8e.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Valorantbuild" /tr '"C:\Users\Admin\AppData\Roaming\Valorantbuild.exe"' & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Valorantbuild" /tr '"C:\Users\Admin\AppData\Roaming\Valorantbuild.exe"'3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp77DF.tmp.bat""2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
C:\Users\Admin\AppData\Roaming\Valorantbuild.exe"C:\Users\Admin\AppData\Roaming\Valorantbuild.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
157B
MD52e8e80c9bad767bf979d5bc9c60a313f
SHA148c0c6e627d3ccb9b9d0bdb1c47a91a2d57c00ce
SHA256090a8276367c1920006ac0575f1d8459fd494d803353bcc9de127c78866e5d96
SHA5129ef0471786e946afd2f654e9168a55d028e3936ba40b8b13064a740b69ae76961eabb1ac9ceb53bc8a12f29e459e7ca1e680ae1ee62206548b10b5627ad76b17
-
Filesize
47KB
MD58a157f3fc0ea3d6b8644b918b610947e
SHA1095c33d5b86fd75d76619cffd6259badb5d1b03e
SHA256fba348d623f8cd0af63315a97ff67a51e0af864fb07c02824cbd83dafb173f8e
SHA512f2584732363237d6e409c6f0c0c7f038c67df2ae31df92bbed3431afa60495955b896d8a5bf7a913c876e5c7446b9fedab70d040832b82b32dbc5d43c461fc38
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
7.7MB