Analysis
-
max time kernel
43s -
max time network
145s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
14-01-2021 19:16
General
-
Target
e281b55b7d6a2a16085b8ca7ac83b8ed.exe
-
Size
743KB
-
MD5
e281b55b7d6a2a16085b8ca7ac83b8ed
-
SHA1
27354196d6177fac29c73d67efe96541ee1147e8
-
SHA256
14ff0b81b02f1f3cd9af26b167c5040f57e280aaa51dd923f7e59c969ac52713
-
SHA512
22190a3539a0537006c7366a5841b2cf9c70b903793c45c7492122657707442948ff70e60d22a055aa321649804017114322916d5a0405cbb0c067febc7fc64c
Malware Config
Extracted
asyncrat
0.5.7B
zaza99.duckdns.org:1000
AsyncMutex_6SI8OkPnk
-
aes_key
jodSpTuMpUujBOX7B1o0jb7cIVSuyPFB
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
zaza99.duckdns.org
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
1000
-
version
0.5.7B
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e281b55b7d6a2a16085b8ca7ac83b8ed.exe"C:\Users\Admin\AppData\Local\Temp\e281b55b7d6a2a16085b8ca7ac83b8ed.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pKmvgoFB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\e281b55b7d6a2a16085b8ca7ac83b8ed.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp91A5.tmpMD5
611e6781da61568ab0aa871777d87828
SHA1d0527e0dba6f466db545e72860f1a69678144b62
SHA2561b71507e1b24fa8c22c66f8628f8454b7e1173818e2b3701ecf3427c3e79e9fe
SHA512448c167045145ce9191d13f83a378d0bf8f3d2c2bff369f458e7c193abb4235230714a63541394780cbc01eb7c3a12db2c241c13c9a63b04a761f4ae70c8e6e0
-
memory/768-9-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/768-10-0x000000000040C73E-mapping.dmp
-
memory/768-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/768-12-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/768-13-0x00000000745B0000-0x0000000074C9E000-memory.dmpFilesize
6.9MB
-
memory/1760-7-0x0000000000000000-mapping.dmp
-
memory/1908-2-0x00000000745B0000-0x0000000074C9E000-memory.dmpFilesize
6.9MB
-
memory/1908-3-0x00000000010A0000-0x00000000010A1000-memory.dmpFilesize
4KB
-
memory/1908-5-0x0000000000520000-0x000000000052E000-memory.dmpFilesize
56KB
-
memory/1908-6-0x0000000005BF0000-0x0000000005C71000-memory.dmpFilesize
516KB