Overview

overview

10

Static

static

6d01213c51...20.exe

windows7_x64

10

6d01213c51...20.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-11-2020 16:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6d01213c51ed2570b263b28fa4b9f320.exe

  • Size

    1.1MB

  • MD5

    6d01213c51ed2570b263b28fa4b9f320

  • SHA1

    aa5aa4142ff6de7e5560424d252c2bf234f14651

  • SHA256

    b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261

  • SHA512

    0ca8354473740c4f6212159f98571eaf3041ea895a3e067b52c9b5e380c948cc5df0fa18171674c35afd5f0bdeb75e676b41a548be1a3e05ed5f7906a8365766

Score
10/10
asyncratazorultmodiloaderdiscoveryevasioninfostealerpersistenceratspywaretrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

agentttt.ac.ug:6970

agentpurple.ac.ug:6970
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    agentttt.ac.ug,agentpurple.ac.ug

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6970

  • version

    0.5.7B

aes.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Contains code to disable Windows Defender 8 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Async RAT payload 4 IoCs
    rat
  • ModiLoader First Stage 1 IoCs
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 10 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 19 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 2 IoCs
  • JavaScript code in executable 1 IoCs
  • Modifies service 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1827 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 329 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d01213c51ed2570b263b28fa4b9f320.exe
    "C:\Users\Admin\AppData\Local\Temp\6d01213c51ed2570b263b28fa4b9f320.exe"
    1⤵
    • Loads dropped DLL
    • Modifies service
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
      "C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies service
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      PID:400
      • C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe
        "C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"
        3⤵
        • Executes dropped EXE
        • Modifies service
        PID:2040
      • C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        PID:1428
    • C:\Users\Admin\AppData\Local\Temp\6d01213c51ed2570b263b28fa4b9f320.exe
      "{path}"
      2⤵
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:348
      • C:\Users\Admin\AppData\Local\Temp\PuIPnx9Eu8.exe
        "C:\Users\Admin\AppData\Local\Temp\PuIPnx9Eu8.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1684
        • C:\Users\Admin\AppData\Local\Temp\PuIPnx9Eu8.exe
          "C:\Users\Admin\AppData\Local\Temp\PuIPnx9Eu8.exe"
          4⤵
          • Executes dropped EXE
          PID:696
      • C:\Users\Admin\AppData\Local\Temp\rZGiGhDYom.exe
        "C:\Users\Admin\AppData\Local\Temp\rZGiGhDYom.exe"
        3⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:916
        • C:\Windows\SysWOW64\Notepad.exe
          "C:\Windows\System32\Notepad.exe"
          4⤵
            PID:2012
        • C:\Users\Admin\AppData\Local\Temp\h9ACSOo9kX.exe
          "C:\Users\Admin\AppData\Local\Temp\h9ACSOo9kX.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:952
          • C:\Users\Admin\AppData\Local\Temp\h9ACSOo9kX.exe
            "C:\Users\Admin\AppData\Local\Temp\h9ACSOo9kX.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:1596
            • \??\c:\windows\SysWOW64\cmstp.exe
              "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\24omtk52.inf
              5⤵
                PID:1856
          • C:\Users\Admin\AppData\Local\Temp\N13C2pWomx.exe
            "C:\Users\Admin\AppData\Local\Temp\N13C2pWomx.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2044
            • C:\Users\Admin\AppData\Local\Temp\N13C2pWomx.exe
              "C:\Users\Admin\AppData\Local\Temp\N13C2pWomx.exe"
              4⤵
              • Executes dropped EXE
              • Windows security modification
              PID:1580
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                "powershell" Get-MpPreference -verbose
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1304
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\6d01213c51ed2570b263b28fa4b9f320.exe"
            3⤵
            • Deletes itself
            • Suspicious use of WriteProcessMemory
            PID:548
            • C:\Windows\SysWOW64\timeout.exe
              timeout /T 10 /NOBREAK
              4⤵
              • Delays execution with timeout.exe
              PID:2012

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/348-29-0x0000000000400000-0x0000000000493000-memory.dmp

        Filesize

        588KB

        Download

      • memory/348-26-0x0000000000400000-0x0000000000493000-memory.dmp

        Filesize

        588KB

        Download

      • memory/400-153-0x0000000004A80000-0x0000000004AC7000-memory.dmp

        Filesize

        284KB

        Download

      • memory/400-30-0x0000000000560000-0x00000000005B2000-memory.dmp

        Filesize

        328KB

        Download

      • memory/400-23-0x0000000073D30000-0x000000007441E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/400-25-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/684-3-0x00000000022E0000-0x00000000023A8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/684-14-0x0000000004DD0000-0x0000000004E8A000-memory.dmp

        Filesize

        744KB

        Download

      • memory/684-13-0x00000000005D0000-0x00000000005E4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/684-0-0x0000000073D30000-0x000000007441E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/684-1-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/696-103-0x0000000073D30000-0x000000007441E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/696-100-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/696-99-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/696-90-0x0000000000400000-0x0000000000412000-memory.dmp

        Filesize

        72KB

        Download

      • memory/916-177-0x0000000004CB0000-0x0000000004CFD000-memory.dmp

        Filesize

        308KB

        Download

      • memory/916-120-0x0000000003D50000-0x0000000003DAC000-memory.dmp

        Filesize

        368KB

        Download

      • memory/952-78-0x0000000000680000-0x00000000006B1000-memory.dmp

        Filesize

        196KB

        Download

      • memory/952-65-0x0000000073D30000-0x000000007441E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/952-68-0x0000000000050000-0x0000000000051000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1304-137-0x0000000005630000-0x0000000005631000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1304-151-0x0000000006320000-0x0000000006321000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1304-136-0x00000000062A0000-0x00000000062A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1304-117-0x00000000049E0000-0x00000000049E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1304-129-0x00000000061B0000-0x00000000061B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1304-128-0x0000000006100000-0x0000000006101000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1304-123-0x0000000005670000-0x0000000005671000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1304-116-0x0000000001E80000-0x0000000001E81000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1304-115-0x0000000073D30000-0x000000007441E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1304-152-0x0000000006330000-0x0000000006331000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1304-119-0x0000000004970000-0x0000000004971000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1304-118-0x00000000024D0000-0x00000000024D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1428-166-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1428-162-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1580-102-0x0000000073D30000-0x000000007441E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1580-96-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1580-94-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1580-85-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1596-101-0x0000000073D30000-0x000000007441E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1596-86-0x0000000000400000-0x000000000040C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1596-98-0x0000000000400000-0x000000000040C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1596-95-0x0000000000400000-0x000000000040C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1684-54-0x0000000073D30000-0x000000007441E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1684-77-0x00000000002A0000-0x00000000002E0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1684-55-0x0000000001330000-0x0000000001331000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1748-42-0x000007FEF6050000-0x000007FEF62CA000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/2012-180-0x00000000000E0000-0x00000000000E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2012-178-0x00000000000A0000-0x00000000000A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2040-169-0x00000000004A0000-0x00000000004FB000-memory.dmp

        Filesize

        364KB

        Download

      • memory/2040-167-0x0000000001260000-0x0000000001261000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2040-161-0x0000000073D30000-0x000000007441E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2044-71-0x0000000073D30000-0x000000007441E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2044-73-0x0000000000A70000-0x0000000000A71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2044-79-0x0000000000430000-0x0000000000468000-memory.dmp

        Filesize

        224KB

        Download

      • memory/2044-80-0x00000000009B0000-0x00000000009C6000-memory.dmp

        Filesize

        88KB

        Download