asyncrat | b353116f931196bc449483113b61ac01a50bd35b24569cb79919cec26dc6d535 | Triage

Submit
Reports

Overview

overview

Static

static

8

PROFORMA I...-1.xls

windows7_x64

PROFORMA I...-1.xls

windows10_x64

Sharing

General

Target

PROFORMA INVOICE INV-1.xls
Size

66KB
Sample

201026-c5fx43tvte
MD5

53a8387449c7201a5d07f1a065d9e789
SHA1

7fb04159123617c551cbe189cccd6d0c9fe179ae
SHA256

b353116f931196bc449483113b61ac01a50bd35b24569cb79919cec26dc6d535
SHA512

fc54e553c2299eaf386bbad998b2d3a11f7cd613e2807958f5e2c5631b3e8a05531f2c3bf21d02efbbe21bb23e4703e27d49c1d018e8ca919c16df6b1f9ee8ee

Score

10^/10

asyncrat macro rat

Static task

static1

Behavioral task

behavioral1

Sample

PROFORMA INVOICE INV-1.xls

Resource

win7

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

PROFORMA INVOICE INV-1.xls

Resource

win10

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/yxbf64lf

Extracted

Family

asyncrat

Version

0.5.7B

C2

185.165.153.249:4371

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
4lpLfCzV6wCkayaT0MjD3qp2ZVBd759O
anti_detection
false
autorun
false
bdos
false
delay
Default
host
185.165.153.249
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
4371
version
0.5.7B

aes.plain

Targets

- Target
  
  PROFORMA INVOICE INV-1.xls
- Size
  
  66KB
- MD5
  
  53a8387449c7201a5d07f1a065d9e789
- SHA1
  
  7fb04159123617c551cbe189cccd6d0c9fe179ae
- SHA256
  
  b353116f931196bc449483113b61ac01a50bd35b24569cb79919cec26dc6d535
- SHA512
  
  fc54e553c2299eaf386bbad998b2d3a11f7cd613e2807958f5e2c5631b3e8a05531f2c3bf21d02efbbe21bb23e4703e27d49c1d018e8ca919c16df6b1f9ee8ee
Score

10^/10

rat asyncrat
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers.
  rat asyncrat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- ServiceHost packer
  Detects ServiceHost packer used for .NET malware
- Blacklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

© 2018-2024

Terms | Privacy