Overview

overview

10

Static

static

7a2e8d3fe9...ee.exe

windows7_x64

10

7a2e8d3fe9...ee.exe

windows10_x64

3

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    31-07-2020 11:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a2e8d3fe9752412bf4de2e369d212ee.exe

  • Size

    288KB

  • MD5

    7a2e8d3fe9752412bf4de2e369d212ee

  • SHA1

    02be732190a9828c1900659817f6a3db899fb3a0

  • SHA256

    d9439aa56b6280ff50bc666ae94cdbfd6d174dda46187dbd0de25e9aeb6edbfb

  • SHA512

    ba9cc252858e8c30dc6bd146e85d7a253cc8e391d4d50bd249ee65b1da5c4789bb354179788958add0dbea21801a2070fdd7870db2beaef60906645c10145a8e

Score
10/10
asyncratrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

giuseppe.ug:6970

asdxcvxdfgdnbvrwe.ru:6970
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    wmNKpUVCpNWhhJQblim2nnNgKrbxeGKV

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    giuseppe.ug,asdxcvxdfgdnbvrwe.ru

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6970

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a2e8d3fe9752412bf4de2e369d212ee.exe
    "C:\Users\Admin\AppData\Local\Temp\7a2e8d3fe9752412bf4de2e369d212ee.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFED.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1496
    • C:\Users\Admin\AppData\Local\Temp\7a2e8d3fe9752412bf4de2e369d212ee.exe
      "{path}"
      2⤵
        PID:1628
      • C:\Users\Admin\AppData\Local\Temp\7a2e8d3fe9752412bf4de2e369d212ee.exe
        "{path}"
        2⤵
          PID:340

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpAFED.tmp
        MD5

        77fb853e8f745f44d1f5fd3577ce772f

        SHA1

        7ffc71dfb041c0e963f683674e36301e362b723e

        SHA256

        0e57ac65e9146f47af2721b6824882ff549df9106874faf0e2f417eb555476e4

        SHA512

        6a2963e9df68e0ec62c19d93ca56bd4086f11aca6249e333bddf1254149ad3b09077e0d67e77ed2dffd5ab8cedbbe26e643a2d8c50fba79994d4305b630b091a

        Download Submit
      • memory/340-7-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/340-8-0x000000000040C77E-mapping.dmp
        Download
      • memory/340-9-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/340-10-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1072-1-0x0000000000000000-0x0000000000000000-disk.dmp
        Download
      • memory/1496-3-0x0000000000000000-mapping.dmp
        Download