Overview

overview

10

Static

static

bandock.exe

windows7_x64

10

bandock.exe

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-01-2021 18:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bandock.exe

  • Size

    528KB

  • MD5

    b60a17c36afd3bac3b1c632d28bdb2a3

  • SHA1

    a29a45c08ce68d7fbc3c63bb84ac48e554df9a52

  • SHA256

    d79662a8895ef702fff42208228c9dadb87cad7fe14f2e95607cacd543537ff1

  • SHA512

    fae2d3c2934a636151ab8c5b2eef3ffea1dda0dd2c9bf1bd601e41db995cea04a61343922fc1e4b3b145a69fa8e048b3c7634d4b1b77653855e013271edd7f93

Score
10/10
asyncratrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

sammiyoyo.linkpc.net:2552

sammiyoyo.linkpc.net:8805

sammiyoyo.linkpc.net:4795

egoyibouda.linkpc.net:2552

egoyibouda.linkpc.net:8805

egoyibouda.linkpc.net:4795

ifemelumma.linkpc.net:2552

ifemelumma.linkpc.net:8805

ifemelumma.linkpc.net:4795
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    3k25awwPIyvGavUCHtSeJIcvbGI4RVWY

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    sammiyoyo.linkpc.net,egoyibouda.linkpc.net,ifemelumma.linkpc.net

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    2552,8805,4795

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bandock.exe
    "C:\Users\Admin\AppData\Local\Temp\bandock.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      PID:1444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • memory/1444-11-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1444-15-0x00000000739A0000-0x000000007408E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1444-12-0x000000000040C7BE-mapping.dmp
    Download
  • memory/4092-6-0x0000000002580000-0x000000000259E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4092-9-0x0000000004E00000-0x0000000004E0B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/4092-10-0x0000000004E10000-0x0000000004E11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-8-0x00000000075E0000-0x00000000075E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-7-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-2-0x00000000739A0000-0x000000007408E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4092-5-0x0000000004C20000-0x0000000004C21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4092-3-0x0000000000310000-0x0000000000311000-memory.dmp
    Filesize

    4KB

    Download