Overview

overview

10

Static

static

e281b55b7d...ed.exe

windows7_x64

10

e281b55b7d...ed.exe

windows10_x64

10

Analysis

  • max time kernel
    48s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-01-2021 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e281b55b7d6a2a16085b8ca7ac83b8ed.exe

  • Size

    743KB

  • MD5

    e281b55b7d6a2a16085b8ca7ac83b8ed

  • SHA1

    27354196d6177fac29c73d67efe96541ee1147e8

  • SHA256

    14ff0b81b02f1f3cd9af26b167c5040f57e280aaa51dd923f7e59c969ac52713

  • SHA512

    22190a3539a0537006c7366a5841b2cf9c70b903793c45c7492122657707442948ff70e60d22a055aa321649804017114322916d5a0405cbb0c067febc7fc64c

Score
10/10
asyncratrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

zaza99.duckdns.org:1000

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    jodSpTuMpUujBOX7B1o0jb7cIVSuyPFB

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    zaza99.duckdns.org

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    1000

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e281b55b7d6a2a16085b8ca7ac83b8ed.exe
    "C:\Users\Admin\AppData\Local\Temp\e281b55b7d6a2a16085b8ca7ac83b8ed.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pKmvgoFB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18F7.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2532
    • C:\Users\Admin\AppData\Local\Temp\e281b55b7d6a2a16085b8ca7ac83b8ed.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e281b55b7d6a2a16085b8ca7ac83b8ed.exe.log
    MD5

    0c2899d7c6746f42d5bbe088c777f94c

    SHA1

    622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

    SHA256

    5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

    SHA512

    ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp18F7.tmp
    MD5

    767bc2d3a987e17fc28258591decbd6b

    SHA1

    532471f2c730acfe959269a681d510fe77e6ba51

    SHA256

    f3a17ac56c337b4126e4c50c0c4a931c1177ba021adac5a4931951b2792ebfcf

    SHA512

    6ef87e9ebdd3bb3585d3cdf923f1259f7a809c6b37fd044a768cfedea51379ef3d59df32b3ddd2fa3b1dff42c6cf9010cb82072accf6c3c639f0112c78cc5a8b

    Download Submit
  • memory/648-6-0x00000000057E0000-0x00000000057E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-2-0x0000000073F80000-0x000000007466E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/648-7-0x0000000005770000-0x0000000005771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-8-0x0000000005C30000-0x0000000005C3E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/648-9-0x0000000008EA0000-0x0000000008F21000-memory.dmp
    Filesize

    516KB

    Download
  • memory/648-10-0x0000000008FD0000-0x0000000008FD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-5-0x0000000005C40000-0x0000000005C41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-3-0x0000000000D20000-0x0000000000D21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-13-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/748-14-0x000000000040C73E-mapping.dmp
    Download
  • memory/748-16-0x0000000073F80000-0x000000007466E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/748-21-0x0000000005FB0000-0x0000000005FB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2532-11-0x0000000000000000-mapping.dmp
    Download