Overview

overview

10

Static

static

IMG 01-06-...83.exe

windows7_x64

10

IMG 01-06-...83.exe

windows10_x64

10

Analysis

  • max time kernel
    41s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    06-01-2021 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG 01-06-2021 93899283.exe

  • Size

    219KB

  • MD5

    dd319982f0f20d472f466d7e3598d18b

  • SHA1

    de92836d855354abcf1a1c88093d6c3cbf009545

  • SHA256

    fcfda22e8938ce7846eb3494af9778f601b676df3446a0b5b1a710c08d632010

  • SHA512

    6d55f84ed9ac2c01f8bb47fababbd6a99297776633531049793a4970f57dff2cfa3ce54a536facd64163ebda48f50b9a620b0046a596c818dc434caef36c921c

Score
10/10
asyncratrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6A

C2

194.5.97.177:10011

Mutex

zsmnadpzmacboobggxc

Attributes
  • aes_key

    oY4R2ZxJTae5ZkR4Z3caW1vvsIe5MAmF

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

  • host

    194.5.97.177

  • hwid

    5

  • install_file

  • install_folder

    %AppData%

  • mutex

    zsmnadpzmacboobggxc

  • pastebin_config

    null

  • port

    10011

  • version

    0.5.6A

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Drops startup file 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IMG 01-06-2021 93899283.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG 01-06-2021 93899283.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Users\Admin\AppData\Local\Temp\IMG 01-06-2021 93899283.exe
      "C:\Users\Admin\AppData\Local\Temp\IMG 01-06-2021 93899283.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1864-11-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1864-12-0x000000000040C39E-mapping.dmp
    Download
  • memory/1864-13-0x00000000738E0000-0x0000000073FCE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3992-2-0x00000000738E0000-0x0000000073FCE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3992-3-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-5-0x0000000005A50000-0x0000000005A51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-6-0x0000000005440000-0x0000000005441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-7-0x0000000005500000-0x0000000005501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-8-0x0000000005510000-0x0000000005537000-memory.dmp
    Filesize

    156KB

    Download
  • memory/3992-9-0x0000000005770000-0x0000000005771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3992-10-0x0000000006150000-0x0000000006151000-memory.dmp
    Filesize

    4KB

    Download