Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
22-06-2024 02:06
General
-
Target
3564-586-0x0000000000D70000-0x00000000016CC000-memory.exe
-
Size
9.4MB
-
MD5
4e970cf3977ff2c7e655904839c9ec92
-
SHA1
783a1ae2b547f81f81c6516a719e625b49733606
-
SHA256
871e54c8224dc17a578a0897b675e8b111b1c7060031cae105c3cb83952d325d
-
SHA512
16b9f0b9575078786465a84a168479567dbb5d4e7682a0e2e6689d01012b3b3d83d723e6c960088f2032c1cb2b7221783230f60a890ac8afe8a9cf54c2ecbc43
-
SSDEEP
98304:n/FgpI4E+Lb8SoqAh7ziTMotYBR8hbLocrRKjbE+R9V+EKS9tRjNcqeFl5XODzTu:b+wo68NoctSVrV1X5vT+N
Malware Config
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
95.142.46.3:4449
95.142.46.3:7000
zlgcqgmshzbvhurfz
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 3 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 5 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3564-586-0x0000000000D70000-0x00000000016CC000-memory.exe"C:\Users\Admin\AppData\Local\Temp\3564-586-0x0000000000D70000-0x00000000016CC000-memory.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\t2.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\t2.exe"'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\t2.exe"C:\Users\Admin\AppData\Local\Temp\t2.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\build_protected.exe"C:\Users\Admin\AppData\Local\Temp\build_protected.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile3⤵
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\system32\findstr.exefindstr All3⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid3⤵
- Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fpyltgyu.ffw.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\build_protected.exeFilesize
3.2MB
MD5f411ac6865b0f2b3886908123a49a371
SHA1fd68e0b16d04ec0a0d9065a42cca50538ee83954
SHA25666ecde4a57995aa833dee6a54c01543b0245523b5ffa523b5403b9209a9ac5ca
SHA51257fbde1edf3b64ecdc5edab5600ede44a5622bec90baf0766a3bc039a080f0a74cf0af9c9209cbc4b58780ce7d14cc62a9dbad5efcadd998cc7c02ad3da1a3a7
-
C:\Users\Admin\AppData\Local\Temp\t2.exeFilesize
3.5MB
MD5f33784bcf0df66384f76e73445c044a2
SHA19cbe368357870126f772c32fdd966ffc06de5746
SHA256c89ee2297d9ec15c86600dbb570c21b161b9b05ecc3b77dadf36967005ffd8e2
SHA5127ef24c5cda6e6c60bff6ce65fa75d9c632220a4326f091aae365a1af186df14f085517cefde5b5a5ef23a29aa471432b2c52d41ad1e8ec679ae0dd1952d29bce
-
C:\Users\Admin\AppData\Local\Temp\tmp9670.tmp.datFilesize
100KB
MD5a5184eca65ce2a0a2a610f2bb64902d2
SHA13bbb8b4c006066e79a1719c766cc5280be31dee7
SHA2564c4106c875351ad7bb2a2dc4606a7e6acc00b2d40c8af9da4f1b67136f4b3411
SHA512890eff22db2c8fabd0837220605d2db4a6b36189fc21bf2c7a4445845adf1ee6368f052ebb9cbc2b4f6fcfb21d2c03ba54c9c38db42df8f7f6d59d427a1cb2a7
-
C:\Users\Admin\AppData\Local\Temp\tmp9682.tmp.datFilesize
152KB
MD573bd1e15afb04648c24593e8ba13e983
SHA14dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA5126eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7
-
C:\Users\Admin\AppData\Local\Temp\tmpC655.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmpC6B7.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmpC6BD.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\tmpC6D1.tmpFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\tmpC6EE.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Local\f6e6d9a0d73c2e292f36d7b25c21f158\Admin@PKVHMXKI_en-US\System\Process.txtFilesize
755B
MD55d00785ba395f3f417e50b38c563b428
SHA1e518767f357bb2df4573b101590850d2d7b642d1
SHA25623c7ca7cb1683507adcce91f88d848ffa2644260ba87794f3b218188d8add4ee
SHA5121ce717b81c2592bc3343fc53fa0f2f34e33879cb5ab7ede3996474dada9bb7f5de6d5092c4abdbeed965a21a954c7ac3eea0cc2e1009701b6e765c3065f8f632
-
C:\Users\Admin\AppData\Local\f6e6d9a0d73c2e292f36d7b25c21f158\Admin@PKVHMXKI_en-US\System\Process.txtFilesize
3KB
MD51029bb6d0591bd2a36426d0ffccb4ec8
SHA1ef6bb80e4dd3d14a3fcc2b77d7c02401e67aa316
SHA25652efa0d7ddce31d9e5b2b80ec4dbb852d6b81de38f221a8be2cdf210bf5ffb68
SHA51269be7a7421ea360257141cafc6011b27dc7b964f93c3f1f23e9c42db20812c2c85070bc45c18150f53fc483396c0268866a5ae4d9a3123a4e16a23ad8fd0f55f
-
C:\Users\Admin\AppData\Local\f6e6d9a0d73c2e292f36d7b25c21f158\Admin@PKVHMXKI_en-US\System\Process.txtFilesize
3KB
MD5df3ac9676edae37d1b1c3474a6fabe98
SHA1d21c95d43d3c212bf67a808e0875061abbb1225c
SHA2563014f47573fd6ffe2eacfeb5ecda31b51f724a3d5bbc70c1e6427f2da079ee34
SHA512c6bb94cb8e22a1513f7b0f6b1cd6f564c874a68154f40f73eba0454a15a5a6d5b1d569d3725aa89fd2b36c2ffb84a1978acd0c7998938c9a628d9172a4a41ddb
-
C:\Users\Admin\AppData\Local\f6e6d9a0d73c2e292f36d7b25c21f158\Admin@PKVHMXKI_en-US\System\Process.txtFilesize
5KB
MD5e1398664468c975b89dabca525fd5544
SHA17d5cb6f0f9b89a66087ef839e89409308dacf6c5
SHA2560554d2afee31b9c4d7c852a1f125df081d4836e699d50f28b2de2c9601c71608
SHA5126f60c85697e2b99b55917be50bd2acb73699707449406d47f3692fa076493de166648475e51850f7a580342329eb56514e4051fc70701b870dad7b3455ef4de3
-
C:\Users\Admin\AppData\Local\f6e6d9a0d73c2e292f36d7b25c21f158\msgid.datFilesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
memory/1772-26-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmpFilesize
10.8MB
-
memory/1772-25-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmpFilesize
10.8MB
-
memory/1772-70-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmpFilesize
10.8MB
-
memory/1772-15-0x000001CB71F60000-0x000001CB71F82000-memory.dmpFilesize
136KB
-
memory/1772-27-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmpFilesize
10.8MB
-
memory/1852-8-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmpFilesize
10.8MB
-
memory/1852-4-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmpFilesize
10.8MB
-
memory/1852-1-0x0000000000E70000-0x00000000017CC000-memory.dmpFilesize
9.4MB
-
memory/1852-72-0x000000001D520000-0x000000001D52A000-memory.dmpFilesize
40KB
-
memory/1852-14-0x000000001E050000-0x000000001E172000-memory.dmpFilesize
1.1MB
-
memory/1852-12-0x000000001D750000-0x000000001D76E000-memory.dmpFilesize
120KB
-
memory/1852-11-0x000000001D720000-0x000000001D72E000-memory.dmpFilesize
56KB
-
memory/1852-201-0x00007FFD8DD63000-0x00007FFD8DD65000-memory.dmpFilesize
8KB
-
memory/1852-204-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmpFilesize
10.8MB
-
memory/1852-206-0x000000001D920000-0x000000001D99A000-memory.dmpFilesize
488KB
-
memory/1852-249-0x000000001D9A0000-0x000000001DA24000-memory.dmpFilesize
528KB
-
memory/1852-3-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmpFilesize
10.8MB
-
memory/1852-0-0x00007FFD8DD63000-0x00007FFD8DD65000-memory.dmpFilesize
8KB
-
memory/1852-7-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmpFilesize
10.8MB
-
memory/1852-71-0x000000001DA20000-0x000000001DB54000-memory.dmpFilesize
1.2MB
-
memory/1852-268-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmpFilesize
10.8MB
-
memory/1852-10-0x000000001D7A0000-0x000000001D816000-memory.dmpFilesize
472KB
-
memory/1852-259-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmpFilesize
10.8MB
-
memory/2500-252-0x0000000000DD0000-0x000000000172C000-memory.dmpFilesize
9.4MB
-
memory/2500-254-0x0000000005C20000-0x0000000006238000-memory.dmpFilesize
6.1MB
-
memory/2500-256-0x0000000005550000-0x000000000558C000-memory.dmpFilesize
240KB
-
memory/2500-269-0x0000000006AE0000-0x0000000006CA2000-memory.dmpFilesize
1.8MB
-
memory/2500-258-0x0000000005800000-0x000000000590A000-memory.dmpFilesize
1.0MB
-
memory/2500-255-0x00000000054F0000-0x0000000005502000-memory.dmpFilesize
72KB
-
memory/2500-257-0x0000000005590000-0x00000000055DC000-memory.dmpFilesize
304KB
-
memory/2500-253-0x0000000000DD0000-0x000000000172C000-memory.dmpFilesize
9.4MB
-
memory/2500-270-0x00000000071E0000-0x000000000770C000-memory.dmpFilesize
5.2MB
-
memory/2500-84-0x0000000000DD0000-0x000000000172C000-memory.dmpFilesize
9.4MB
-
memory/2500-449-0x0000000006CB0000-0x0000000006D16000-memory.dmpFilesize
408KB
-
memory/2500-450-0x0000000007CC0000-0x0000000008264000-memory.dmpFilesize
5.6MB
-
memory/2500-451-0x0000000006F40000-0x0000000006FD2000-memory.dmpFilesize
584KB
-
memory/2500-452-0x0000000006FE0000-0x0000000007056000-memory.dmpFilesize
472KB
-
memory/2500-453-0x0000000007840000-0x000000000785E000-memory.dmpFilesize
120KB
-
memory/2500-457-0x0000000000DD0000-0x000000000172C000-memory.dmpFilesize
9.4MB