Overview

overview

10

Static

static

Production...df.exe

windows7_x64

10

Production...df.exe

windows10_x64

1

Analysis

  • max time kernel
    44s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-01-2021 07:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Production order List Quotation.pdf.exe

  • Size

    924KB

  • MD5

    bc078bc0b438d5186ff9a7580412a532

  • SHA1

    25730487e2562435cd053891ec689a9b8b380399

  • SHA256

    8f74c5871c33b4bf63b43f3e7e216dae1cc92e79cd0035422c8eb6768b98dc06

  • SHA512

    d85a642736695dbe8645773ea8fb20a14b6c44b1892a136d149c2aa839d2e8ac165362e94b879930945f416e42f9a29874970a998820008e050613f3267f213a

Score
10/10
asyncratrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

1.remcosagent.com:1993

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    zfpcQBbFjdAkORcbNZ0s5ioknjh7mjo2

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    1.remcosagent.com

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    1993

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 4 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Production order List Quotation.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Production order List Quotation.pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1384
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Order.jpg
    MD5

    f2ff26db0c8cdad7840be73974c1ae11

    SHA1

    fc0270b0cf43b66274b5fa0b2cb9bf6a96e9cb43

    SHA256

    4153f7907b1e44f5bb4c9cc455504534a5025ce35d69cd1fa28ae1610efc383f

    SHA512

    e1fe938108f9c4400662d13eaa597e98728bbbaeef324ba4100b357ffceb133ae06c134809e4f22c2338003f89a888f1a3afcc81bb227f54d6515876c24c20c6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
    MD5

    6e8a968b726212ff3e15dfb610ea73b1

    SHA1

    6e26a4cd55d6c7962b9e618174be4bc42ed064a2

    SHA256

    d45c910a95258d87e853b82baa1fdb6cba6ad727a6c57e2520cdb3ae882f9c98

    SHA512

    365e880a2dbf074b63b6b732777b86f57b8e9d82f05d1f82e82c8556b63f0916ef4723b10bb3d0b31c1d1451c6299ac93b100ec8496398011d2c0b934927b72e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
    MD5

    6e8a968b726212ff3e15dfb610ea73b1

    SHA1

    6e26a4cd55d6c7962b9e618174be4bc42ed064a2

    SHA256

    d45c910a95258d87e853b82baa1fdb6cba6ad727a6c57e2520cdb3ae882f9c98

    SHA512

    365e880a2dbf074b63b6b732777b86f57b8e9d82f05d1f82e82c8556b63f0916ef4723b10bb3d0b31c1d1451c6299ac93b100ec8496398011d2c0b934927b72e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
    MD5

    6e8a968b726212ff3e15dfb610ea73b1

    SHA1

    6e26a4cd55d6c7962b9e618174be4bc42ed064a2

    SHA256

    d45c910a95258d87e853b82baa1fdb6cba6ad727a6c57e2520cdb3ae882f9c98

    SHA512

    365e880a2dbf074b63b6b732777b86f57b8e9d82f05d1f82e82c8556b63f0916ef4723b10bb3d0b31c1d1451c6299ac93b100ec8496398011d2c0b934927b72e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
    MD5

    6e8a968b726212ff3e15dfb610ea73b1

    SHA1

    6e26a4cd55d6c7962b9e618174be4bc42ed064a2

    SHA256

    d45c910a95258d87e853b82baa1fdb6cba6ad727a6c57e2520cdb3ae882f9c98

    SHA512

    365e880a2dbf074b63b6b732777b86f57b8e9d82f05d1f82e82c8556b63f0916ef4723b10bb3d0b31c1d1451c6299ac93b100ec8496398011d2c0b934927b72e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
    MD5

    6e8a968b726212ff3e15dfb610ea73b1

    SHA1

    6e26a4cd55d6c7962b9e618174be4bc42ed064a2

    SHA256

    d45c910a95258d87e853b82baa1fdb6cba6ad727a6c57e2520cdb3ae882f9c98

    SHA512

    365e880a2dbf074b63b6b732777b86f57b8e9d82f05d1f82e82c8556b63f0916ef4723b10bb3d0b31c1d1451c6299ac93b100ec8496398011d2c0b934927b72e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
    MD5

    6e8a968b726212ff3e15dfb610ea73b1

    SHA1

    6e26a4cd55d6c7962b9e618174be4bc42ed064a2

    SHA256

    d45c910a95258d87e853b82baa1fdb6cba6ad727a6c57e2520cdb3ae882f9c98

    SHA512

    365e880a2dbf074b63b6b732777b86f57b8e9d82f05d1f82e82c8556b63f0916ef4723b10bb3d0b31c1d1451c6299ac93b100ec8496398011d2c0b934927b72e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
    MD5

    6e8a968b726212ff3e15dfb610ea73b1

    SHA1

    6e26a4cd55d6c7962b9e618174be4bc42ed064a2

    SHA256

    d45c910a95258d87e853b82baa1fdb6cba6ad727a6c57e2520cdb3ae882f9c98

    SHA512

    365e880a2dbf074b63b6b732777b86f57b8e9d82f05d1f82e82c8556b63f0916ef4723b10bb3d0b31c1d1451c6299ac93b100ec8496398011d2c0b934927b72e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\RarSFX0\Production.exe
    MD5

    6e8a968b726212ff3e15dfb610ea73b1

    SHA1

    6e26a4cd55d6c7962b9e618174be4bc42ed064a2

    SHA256

    d45c910a95258d87e853b82baa1fdb6cba6ad727a6c57e2520cdb3ae882f9c98

    SHA512

    365e880a2dbf074b63b6b732777b86f57b8e9d82f05d1f82e82c8556b63f0916ef4723b10bb3d0b31c1d1451c6299ac93b100ec8496398011d2c0b934927b72e

    Download Submit
  • memory/1384-21-0x00000000737A0000-0x0000000073E8E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1384-20-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1384-19-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1384-17-0x000000000040C75E-mapping.dmp
    Download
  • memory/1384-16-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1788-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1788-14-0x00000000007D0000-0x00000000007F9000-memory.dmp
    Filesize

    164KB

    Download
  • memory/1788-12-0x00000000003F0000-0x00000000003FE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1788-10-0x0000000000160000-0x0000000000161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1788-9-0x00000000737A0000-0x0000000073E8E000-memory.dmp
    Filesize

    6.9MB

    Download