Overview

overview

10

Static

static

7ULTITEC83...pD.exe

windows7_x64

10

7ULTITEC83...pD.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ULTITEC83NKhdk99RELIEF803nkdItemsWCxjmkE3z1gxpD.exe

  • Size

    544KB

  • MD5

    8d73b7150b4223e50844ab7d4208e90c

  • SHA1

    ba6c181a69f08fdb8d543fc74e5e810e6e24f93a

  • SHA256

    392a8c8200cb1a9ad78682665a1a7210e35b16755f1476d307f4de6892a38560

  • SHA512

    6b6f556fdda2331be18ee31b07383696404706dbf85a6cee6455c76d4814ced431c6eca29c4b8a1049cb9c5db2d613e6b821d963465a27369d2fe6003dfda364

Score
10/10
asyncratratrezer0

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

C2

185.165.153.215:6606

Mutex

uqeolevmck

Attributes
  • aes_key

    5eoiILw5GAY7OkbkZoi8uQvz2qpV60Nt

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    sunday

  • host

    185.165.153.215

  • hwid

    1

  • install_file

  • install_folder

    %AppData%

  • mutex

    uqeolevmck

  • pastebin_config

    null

  • port

    6606

  • version

    0.5.6D

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • rezer0 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ULTITEC83NKhdk99RELIEF803nkdItemsWCxjmkE3z1gxpD.exe
    "C:\Users\Admin\AppData\Local\Temp\7ULTITEC83NKhdk99RELIEF803nkdItemsWCxjmkE3z1gxpD.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4684
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tQUlrsJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8458.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3804
    • C:\Users\Admin\AppData\Local\Temp\7ULTITEC83NKhdk99RELIEF803nkdItemsWCxjmkE3z1gxpD.exe
      "{path}"
      2⤵
        PID:3096

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp8458.tmp
      MD5

      a5dbe67b69039ecac35fde3a15a03065

      SHA1

      8b6586aacd3d95358f399dc1d5d217cc57245fd7

      SHA256

      640b77626129b80d5deba7f244864584ff4ac9926c0fa3a8b59272039c7b0058

      SHA512

      44935fe822430addc244347464d73cb4fde1862aeff98808322c3d3f1c79ab3e5e31a7ed6fa8f4a103e78ec3ff384f4b98a4e3bfd61ccf5ea3d9969c67488eb7

      Download Submit
    • memory/3096-19-0x0000000073430000-0x0000000073B1E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3096-18-0x000000000040C60E-mapping.dmp
      Download
    • memory/3096-17-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3804-15-0x0000000000000000-mapping.dmp
      Download
    • memory/4684-5-0x0000000005B70000-0x0000000005B71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-9-0x0000000005B10000-0x0000000005B11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-10-0x0000000005D70000-0x0000000005D71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-11-0x00000000063D0000-0x00000000063D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-12-0x0000000005E80000-0x0000000005E83000-memory.dmp
      Filesize

      12KB

      Download
    • memory/4684-13-0x0000000007CF0000-0x0000000007CF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-14-0x0000000007E10000-0x0000000007E23000-memory.dmp
      Filesize

      76KB

      Download
    • memory/4684-8-0x0000000005AD0000-0x0000000005AE0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4684-0-0x0000000073430000-0x0000000073B1E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4684-4-0x0000000005ED0000-0x0000000005ED1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4684-3-0x0000000005800000-0x0000000005816000-memory.dmp
      Filesize

      88KB

      Download
    • memory/4684-1-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
      Filesize

      4KB

      Download