Overview

overview

10

Static

static

10

ULTITECJOR...K9.exe

windows7_x64

10

ULTITECJOR...K9.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe

  • Size

    422KB

  • MD5

    0ada41553c85e51d2323a64add3ec6de

  • SHA1

    bef7bd18a545427bfb834e7650b02926e99181ab

  • SHA256

    6b09f1cfc05625cdd9c328e7ac8c67ade7fcc234cd0631999d8996b54c3da722

  • SHA512

    39c56c7fd174bbdf8cdb24c9cac8f0b5a9bf2415d85e0f5aacb82e86b0bdf3622bc1105ac5528f16db4553226052085144d9b258fbf180917e79d0bb63c2466e

Score
10/10
asyncratcoreentityratrezer0

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

C2

185.165.153.215:6606

Mutex

uqeolevmck

Attributes
  • aes_key

    5eoiILw5GAY7OkbkZoi8uQvz2qpV60Nt

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    sunday

  • host

    185.165.153.215

  • hwid

    1

  • install_file

  • install_folder

    %AppData%

  • mutex

    uqeolevmck

  • pastebin_config

    null

  • port

    6606

  • version

    0.5.6D

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • Async RAT payload 2 IoCs
    rat
  • rezer0 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe
    "C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LDCESp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B06.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:440
    • C:\Users\Admin\AppData\Local\Temp\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe
      "{path}"
      2⤵
        PID:2168

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ULTITECJORO8368Ngdkdvk0cCe8TdQhhzpOK9.exe.log
      MD5

      b4f7a6a57cb46d94b72410eb6a6d45a9

      SHA1

      69f3596ffa027202d391444b769ceea0ae14c5f7

      SHA256

      23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

      SHA512

      be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp5B06.tmp
      MD5

      0d0ab56d8936ff894e452d51174369df

      SHA1

      ea0949e92de9354fe94dec774aa48f6aa9b836f4

      SHA256

      abb6d4dadf1994d102bd92faf9986edc1f1d5f2ed788aae0b87221fc14023dee

      SHA512

      8a1da50c2ca6ede6c11fd5458e76e1752f59b48659b2f87377a0505c4778f7762a140dc3d3649e7a4a30d35d4942078014880aa6ce08c210def7c0e42c35e70c

      Download Submit
    • memory/440-9-0x0000000000000000-mapping.dmp
      Download
    • memory/2168-14-0x0000000073D60000-0x000000007444E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2168-12-0x000000000040C60E-mapping.dmp
      Download
    • memory/2168-11-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4636-4-0x0000000006E60000-0x0000000006E61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-8-0x000000000AA00000-0x000000000AA01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-7-0x000000000A930000-0x000000000A943000-memory.dmp
      Filesize

      76KB

      Download
    • memory/4636-6-0x00000000043B0000-0x00000000043B3000-memory.dmp
      Filesize

      12KB

      Download
    • memory/4636-5-0x0000000006DE0000-0x0000000006DE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-0-0x0000000073D60000-0x000000007444E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4636-3-0x00000000072C0000-0x00000000072C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-1-0x0000000000060000-0x0000000000061000-memory.dmp
      Filesize

      4KB

      Download