Overview

overview

10

Static

static

b99d5d0e6e...61.exe

windows7_x64

10

b99d5d0e6e...61.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    11-11-2020 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe

  • Size

    1.1MB

  • MD5

    6d01213c51ed2570b263b28fa4b9f320

  • SHA1

    aa5aa4142ff6de7e5560424d252c2bf234f14651

  • SHA256

    b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261

  • SHA512

    0ca8354473740c4f6212159f98571eaf3041ea895a3e067b52c9b5e380c948cc5df0fa18171674c35afd5f0bdeb75e676b41a548be1a3e05ed5f7906a8365766

Score
10/10
asyncratazorultmodiloaderdiscoveryevasioninfostealerratspywaretrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

agentttt.ac.ug:6970

agentpurple.ac.ug:6970
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    agentttt.ac.ug,agentpurple.ac.ug

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6970

  • version

    0.5.7B

aes.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Contains code to disable Windows Defender 6 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Async RAT payload 2 IoCs
    rat
  • ModiLoader First Stage 1 IoCs
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • JavaScript code in executable 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 418 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 90 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
    "C:\Users\Admin\AppData\Local\Temp\b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
      "C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"
      2⤵
      • Executes dropped EXE
      PID:196
    • C:\Users\Admin\AppData\Local\Temp\b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
      "{path}"
      2⤵
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Users\Admin\AppData\Local\Temp\PI7wkan2Gv.exe
        "C:\Users\Admin\AppData\Local\Temp\PI7wkan2Gv.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Users\Admin\AppData\Local\Temp\PI7wkan2Gv.exe
          "C:\Users\Admin\AppData\Local\Temp\PI7wkan2Gv.exe"
          4⤵
          • Executes dropped EXE
          PID:3948
      • C:\Users\Admin\AppData\Local\Temp\kXoQVCYVve.exe
        "C:\Users\Admin\AppData\Local\Temp\kXoQVCYVve.exe"
        3⤵
        • Executes dropped EXE
        PID:2088
      • C:\Users\Admin\AppData\Local\Temp\frPmSluK4y.exe
        "C:\Users\Admin\AppData\Local\Temp\frPmSluK4y.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Users\Admin\AppData\Local\Temp\frPmSluK4y.exe
          "C:\Users\Admin\AppData\Local\Temp\frPmSluK4y.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4048
          • \??\c:\windows\SysWOW64\cmstp.exe
            "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\fffjj0dd.inf
            5⤵
              PID:744
        • C:\Users\Admin\AppData\Local\Temp\UKpa3F9fnz.exe
          "C:\Users\Admin\AppData\Local\Temp\UKpa3F9fnz.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Users\Admin\AppData\Local\Temp\UKpa3F9fnz.exe
            "C:\Users\Admin\AppData\Local\Temp\UKpa3F9fnz.exe"
            4⤵
            • Executes dropped EXE
            • Windows security modification
            • Suspicious use of WriteProcessMemory
            PID:204
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "powershell" Get-MpPreference -verbose
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1856
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2208
          • C:\Windows\SysWOW64\timeout.exe
            timeout /T 10 /NOBREAK
            4⤵
            • Delays execution with timeout.exe
            PID:2232
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c start C:\Windows\temp\jqf5mjcv.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:352
        • C:\Windows\temp\jqf5mjcv.exe
          C:\Windows\temp\jqf5mjcv.exe
          3⤵
          • Executes dropped EXE
          PID:1512
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" Get-MpPreference -verbose
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableArchiveScanning $true
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
            4⤵
              PID:2128
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
              4⤵
                PID:4148
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
                4⤵
                  PID:4272
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
                  4⤵
                    PID:4372
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /IM cmstp.exe /F
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2248

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/196-18-0x0000000073D50000-0x000000007443E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/196-22-0x0000000000D40000-0x0000000000D41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/196-24-0x00000000055C0000-0x0000000005612000-memory.dmp

              Filesize

              328KB

              Download

            • memory/196-185-0x0000000006350000-0x0000000006397000-memory.dmp

              Filesize

              284KB

              Download

            • memory/204-97-0x0000000000400000-0x0000000000408000-memory.dmp

              Filesize

              32KB

              Download

            • memory/204-102-0x0000000073D50000-0x000000007443E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/412-0-0x0000000073D50000-0x000000007443E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/412-11-0x00000000059C0000-0x0000000005A7A000-memory.dmp

              Filesize

              744KB

              Download

            • memory/412-5-0x000000000AE10000-0x000000000AE11000-memory.dmp

              Filesize

              4KB

              Download

            • memory/412-1-0x0000000000F60000-0x0000000000F61000-memory.dmp

              Filesize

              4KB

              Download

            • memory/412-12-0x0000000005B20000-0x0000000005B21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/412-9-0x000000000D6A0000-0x000000000D6A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/412-10-0x000000000D350000-0x000000000D364000-memory.dmp

              Filesize

              80KB

              Download

            • memory/412-3-0x0000000007D40000-0x0000000007E08000-memory.dmp

              Filesize

              800KB

              Download

            • memory/412-8-0x0000000001B10000-0x0000000001B11000-memory.dmp

              Filesize

              4KB

              Download

            • memory/412-4-0x000000000B310000-0x000000000B311000-memory.dmp

              Filesize

              4KB

              Download

            • memory/692-152-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/744-96-0x0000000004590000-0x0000000004691000-memory.dmp

              Filesize

              1.0MB

              Download

            • memory/860-196-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/860-201-0x0000000000400000-0x0000000000420000-memory.dmp

              Filesize

              128KB

              Download

            • memory/1200-154-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1220-55-0x0000000073D50000-0x000000007443E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1220-81-0x0000000006D90000-0x0000000006DC1000-memory.dmp

              Filesize

              196KB

              Download

            • memory/1220-61-0x0000000000A10000-0x0000000000A11000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1512-122-0x0000000000C30000-0x0000000000C31000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1512-120-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/1636-72-0x0000000004E50000-0x0000000004E90000-memory.dmp

              Filesize

              256KB

              Download

            • memory/1636-44-0x00000000000E0000-0x00000000000E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1636-43-0x0000000073D50000-0x000000007443E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1636-73-0x0000000006530000-0x0000000006546000-memory.dmp

              Filesize

              88KB

              Download

            • memory/1856-106-0x0000000073D50000-0x000000007443E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/1856-127-0x00000000084E0000-0x00000000084E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-113-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-112-0x00000000073B0000-0x00000000073B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-117-0x0000000007D70000-0x0000000007D71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-146-0x0000000009350000-0x0000000009351000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-109-0x00000000075A0000-0x00000000075A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-143-0x00000000091F0000-0x00000000091F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-107-0x0000000004940000-0x0000000004941000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-189-0x00000000085B0000-0x00000000085B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-126-0x0000000007CC0000-0x0000000007CC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-114-0x0000000007D00000-0x0000000007D01000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-191-0x0000000007050000-0x0000000007051000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-129-0x0000000008440000-0x0000000008441000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-155-0x0000000009710000-0x0000000009711000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1856-134-0x0000000009210000-0x0000000009243000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2088-131-0x0000000004BE0000-0x0000000004C3C000-memory.dmp

              Filesize

              368KB

              Download

            • memory/2088-216-0x00000000054E0000-0x000000000552D000-memory.dmp

              Filesize

              308KB

              Download

            • memory/2128-161-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2320-19-0x0000000000400000-0x0000000000493000-memory.dmp

              Filesize

              588KB

              Download

            • memory/2320-21-0x0000000000400000-0x0000000000493000-memory.dmp

              Filesize

              588KB

              Download

            • memory/2360-60-0x0000000073D50000-0x000000007443E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2360-64-0x00000000007F0000-0x00000000007F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2360-93-0x0000000005560000-0x0000000005598000-memory.dmp

              Filesize

              224KB

              Download

            • memory/2444-219-0x00000000002F0000-0x00000000002F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2444-221-0x00000000003B0000-0x00000000003B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2920-125-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2920-130-0x0000020C72D80000-0x0000020C72D81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2920-128-0x0000020C72BD0000-0x0000020C72BD1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3300-298-0x0000000000400000-0x0000000000434000-memory.dmp

              Filesize

              208KB

              Download

            • memory/3696-150-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3704-198-0x0000000073D50000-0x000000007443E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/3704-205-0x0000000005620000-0x000000000567B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/3704-202-0x0000000000D70000-0x0000000000D71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3704-288-0x0000000006700000-0x0000000006759000-memory.dmp

              Filesize

              356KB

              Download

            • memory/3888-159-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3948-74-0x0000000000400000-0x0000000000412000-memory.dmp

              Filesize

              72KB

              Download

            • memory/3948-78-0x0000000073D50000-0x000000007443E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/3956-148-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/3968-145-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4048-83-0x0000000000400000-0x000000000040C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4048-87-0x0000000073D50000-0x000000007443E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/4148-164-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4272-167-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4372-169-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4480-173-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/4644-176-0x00007FFAB4FA0000-0x00007FFAB598C000-memory.dmp

              Filesize

              9.9MB

              Download