Analysis
-
max time kernel
32s -
max time network
32s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
30-06-2024 23:41
General
-
Target
MailAcess Checker by xRisky.exe
-
Size
10.4MB
-
MD5
0bfe538046352ebb0d7b5fcd50a287ad
-
SHA1
e76a0b5d42648df99604079af74931a333703ef3
-
SHA256
a32ad92bc669d691f17c943761f30ebbdc17e85054595c648d78c1015ffcebb9
-
SHA512
e938f69267ed773f26ec8b7d47d98b127c6f659ef04fde925484a1e755e20b435d61a2d3822274e23db48caaa1574c51ce3cb5c87c8c24109998bb0e0a58bfd2
-
SSDEEP
196608:+6JnRoCYJnksvvcHbMdYWSm2iLRoyru5Q2ZGe/QDbA0SnTbja57K4q6:FPoVJnpqi+6XySReIqHjaQ4q
Malware Config
Extracted
asyncrat
| Edit 3LOSH RAT
AsyncMutex_7SI8OkPnk
-
delay
3
-
install
true
-
install_file
ContainerRuntime.exe
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/Kb8rTgY7
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 11 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Delays execution with timeout.exe 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7D9C.tmp.bat""3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"' & exit4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "ContainerRuntime" /tr '"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8BD5.tmp.bat""4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"C:\Users\Admin\AppData\Roaming\ContainerRuntime.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"C:\Users\Admin\AppData\Local\Temp\MailAcess Checker by xRisky.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MailAcess Checker by xRisky.exe.logFilesize
522B
MD50f39d6b9afc039d81ff31f65cbf76826
SHA18356d04fe7bba2695d59b6caf5c59f58f3e1a6d8
SHA256ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d
SHA5125bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.logFilesize
522B
MD5acc9090417037dfa2a55b46ed86e32b8
SHA153fa6fb25fb3e88c24d2027aca6ae492b2800a4d
SHA2562412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b
SHA512d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b
-
C:\Users\Admin\AppData\Local\Temp\Leaf.xNet.dllFilesize
130KB
MD5dc5f27d5f080e77f1b205e80199d5c1f
SHA10de5aa944ad8e1e5f1f064235ebb16f87c806d78
SHA25660a1f61c367696219175b73eccdc868c44090b227b47754454c9fc47a5848f62
SHA512c650d22eca52a4e05a0d5791f08c7b636986b8685a74b3264eb3efa400e0a0f687b013c57a1b890fc8ce98644e5a66f5b4e924d79b4ac60087a5c220ab3467df
-
C:\Users\Admin\AppData\Local\Temp\MailKit.dllFilesize
787KB
MD5ba0255f547fab7eed60863ad27d24c97
SHA1a5d095ac3d746eb400a314317a88c215d78cc304
SHA2565fd7f167bdf289ae48b9f0f68e63c07370427d4eb8436005a5859b5bba3a7d2b
SHA512e672daa19be91d84e5f2e0124b0508faeb241c91c6515f687a55b20d8febb2e2360e695aaf2e1d252e9ed0d494f71087315199f7b43eb6fa13949484ee177ea0
-
C:\Users\Admin\AppData\Local\Temp\MailKit.dllFilesize
263KB
MD584569895e7b65a6bf943a34db309c1bd
SHA1e585c62c8ddf28915573eb0e2cf4c4898f943edb
SHA256a23a3b2e81eb7d12d142b4da829a5a0d31b3d70e72bb814a44f87e164939c50a
SHA5125c955064b69fcdba9e1146bdd89896c0a4e4e08fa3cee0165e6d0d65b180e4ed6f4289e8b0c3b549f8f961dae6cacdb504110effc4b9f30112b2720b1ea8f71d
-
C:\Users\Admin\AppData\Local\Temp\MetroSuite 2.0.dllFilesize
149KB
MD54aaad1ac32209babe5b0018ff7e3f053
SHA1c831f7f9b37762468d5be0e8c098b82e154b94d7
SHA256aded5af8d6ccb65f41524cb1edb1cb0706c92494b0b49504f3eacf704aa5343b
SHA5126347297efe53bcb52c309a9ee1583eb1df84ce512ff209ba2170f6e879d58cd0f1a49e1731cd471146dbebc7b5ff4a9ae0c3417db24b704da1d6dc177ff2690d
-
C:\Users\Admin\AppData\Local\Temp\MetroSuite 2.0.dllFilesize
305KB
MD50d30a398cec0ff006b6ea2b52d11e744
SHA14ceebd9c6180a321c4d4f3cfb5cfc3952bf72b45
SHA2568604bf2a1fe2e94dc1ea1fbd0cf54e77303493b93994df48479dc683580aa654
SHA5128e06ff131a81e73b1ff5de78262701a11ecc2bcdaf41011f4e96f11c5372742478e70b6a0901b61953c21c95725532af8d785654405ec5066ad157e2143467cc
-
C:\Users\Admin\AppData\Local\Temp\MimeKit.dllFilesize
347KB
MD59c97e568a5daee81ae93c602f5c8d5a1
SHA128d15f50f455c552143add629d4ec8f61c837f8e
SHA256018b133acde6a3075b95124548a53cbc9a1433c504592dfcc7aabeb626fda119
SHA512c056462c19bb63a00da704dfa093e443302144418a9326105efe7b852976b223d2496671d98217d76a17990daca4340d82e6449f34755444cbe68f9f3f119fae
-
C:\Users\Admin\AppData\Local\Temp\MimeKit.dllFilesize
971KB
MD5695ef3be6c2169067e0f1d9f7d99bc27
SHA124185ff27f8a64fb71abf29b8f1338492cd7c0c6
SHA25678d4f282269afba07ba89d1434dc1c3f9c48097fc252e93cf94e493ac8c109fd
SHA512b3c7d1cee7f6ae16d66caf1d39113c0b5fe1b7ac4fb813134450679c82a2d306293799efc66c4d2ffed703dbc3921136f3cb393c2c4452791c8681129c74ed36
-
C:\Users\Admin\AppData\Local\Temp\Qoollo.Turbo.dllFilesize
349KB
MD54e8246df4ee956ec273c4baa2054593c
SHA17847f523fefc14fec2c739c293593b673fb1c9d8
SHA2561172732fd0fe6b679f5c6bf750598133dc815622c55ef1fa84087087bf42b495
SHA51213398ea46879d533774e7ace1d3320ca60f7220277fcb2393c243ffeadbb5bb37900f87ac35b9eeb134e26e71068874b9eee226853a52d1528d5db761bcf22b7
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
61KB
MD589ae031a0e2f7f28576a63d3c100dcaf
SHA16b26dfe7e76fbc96109a4d0773593443277978df
SHA256acaa87f43a617016d09caeb26c1e30d9e9fd069fcbe2165723f80a0056aaf6bf
SHA512aea507c78832cca5bf4b7c16ac5ba9b4b87028d2a99fbd1ca535a6336952516ab74571475f2a074b89b9c12754a2979803a3aba74c7a326f2c70a8431a7010d6
-
C:\Users\Admin\AppData\Local\Temp\tmp7D9C.tmp.batFilesize
160B
MD5b1ac075c17301c8ea2ee2dfa25fab825
SHA1a56eead76467d3c80382929b93cfd440b97a5832
SHA256abe171db5e8cf33d1358a163a8c62bc9a608a84028f21e16441695c0541132d7
SHA5127a9a35d782ecda566baabfc7ab25f76613995e10bec9f57b8c273eccab82b6474f895e8097308b00ad12740ecb627778606bce8629ca1eaf83eaa93bd2bd38d1
-
C:\Users\Admin\AppData\Local\Temp\tmp8BD5.tmp.batFilesize
160B
MD5c0935575a03c3898e3c7b205f375bf43
SHA11d57a815fcd40d973a0bb4c6a5496350ce0311d2
SHA256e6a89349a6003d866d9381b940bb41c42ba0239ae30767a721977d315ffe3302
SHA5120d11b335a5c2d4b6fb24dac3ba6e13e8491938d14aa403c165a811f193c15e02e2121ff5fcbee1e1a2f5e7c44a07313807eb31d4adda9043f4459bede66c32ff
-
memory/348-65-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/348-26-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/348-27-0x0000000000D00000-0x0000000000D16000-memory.dmpFilesize
88KB
-
memory/1152-83-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/1152-59-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/1152-86-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/1152-111-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/2576-109-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/2576-115-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/2576-116-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/2804-79-0x0000000005050000-0x00000000050E2000-memory.dmpFilesize
584KB
-
memory/2804-78-0x0000000005420000-0x00000000059C4000-memory.dmpFilesize
5.6MB
-
memory/2804-85-0x00000000051E0000-0x00000000051EA000-memory.dmpFilesize
40KB
-
memory/3924-14-0x0000000005C10000-0x0000000005CAC000-memory.dmpFilesize
624KB
-
memory/3924-13-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/3924-1-0x0000000076AB0000-0x0000000076AB1000-memory.dmpFilesize
4KB
-
memory/3924-2-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/3924-3-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/3924-39-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/3924-36-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/3924-38-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/3924-7-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/3924-6-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/3924-0-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/3924-5-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/3924-12-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/3924-8-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/3924-4-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/4564-58-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/4564-33-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/4564-37-0x0000000076A90000-0x0000000076B80000-memory.dmpFilesize
960KB
-
memory/4564-60-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/4564-44-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB
-
memory/4564-45-0x0000000000290000-0x0000000001248000-memory.dmpFilesize
15.7MB