Overview

overview

10

Static

static

PAYMENT_CO...DF.exe

windows7_x64

10

PAYMENT_CO...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    144s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-01-2021 15:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PAYMENT_COPIER-PDF.exe

  • Size

    614KB

  • MD5

    420b8126273bae41ebcf03c1d90ff581

  • SHA1

    d30d32a0993778df3823e8a7a896ddcab8fd8c94

  • SHA256

    5cefff6712f29c6f7fe30bfd3f7d1e790e5474ef242304a91348369b3c1afcab

  • SHA512

    5809f09897dc4fa94c15f29f5942ca873ad74a4509e5e28db54dd739fd171cf68046321bb61afc54a9795d315962822afdc9dfe99d9a9b8612e1b98a7cffb7da

Score
10/10
asyncratrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

79.134.225.22:6606

79.134.225.22:7707

79.134.225.22:8808

91.193.75.122:6606

91.193.75.122:7707

91.193.75.122:8808
Mutex

zvnqorsaslyyrhro

Attributes
  • aes_key

    RqLMDJRwW683DhbzEvUdl4n3FCMZGQW8

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    NEWFILE

  • host

    127.0.0.1,79.134.225.22,91.193.75.122

  • hwid

    10

  • install_file

  • install_folder

    %AppData%

  • mutex

    zvnqorsaslyyrhro

  • pastebin_config

    null

  • port

    6606,7707,8808

  • version

    0.5.6D

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PAYMENT_COPIER-PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT_COPIER-PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oiNZSLSVfD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E25.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3560
    • C:\Users\Admin\AppData\Local\Temp\PAYMENT_COPIER-PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\PAYMENT_COPIER-PDF.exe"
      2⤵
        PID:2388

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT_COPIER-PDF.exe.log
      MD5

      90acfd72f14a512712b1a7380c0faf60

      SHA1

      40ba4accb8faa75887e84fb8e38d598dc8cf0f12

      SHA256

      20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86

      SHA512

      29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp9E25.tmp
      MD5

      fec01f60d770202947730922b0a3ac46

      SHA1

      1424a93436287d600ec1fb96152e949c2cce0477

      SHA256

      304622e0981f58ff4f4bfbc1c32efec126269d7b9cfab526bf3b925ba8f7bec0

      SHA512

      46a0f6b4ea0a86600dbc324a8387d0369ddbf1a0e2a6b8a69912334975b6fe795bfe9ec883368631b3e4d32cb728f07599eb80b58b95323681538f2e6bffbe32

      Download Submit
    • memory/576-9-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/576-6-0x0000000005150000-0x0000000005151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/576-7-0x0000000004C50000-0x0000000004C51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/576-8-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/576-2-0x0000000073560000-0x0000000073C4E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/576-10-0x0000000004AE0000-0x0000000004AF2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/576-11-0x0000000005820000-0x0000000005864000-memory.dmp
      Filesize

      272KB

      Download
    • memory/576-5-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/576-3-0x0000000000200000-0x0000000000201000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2388-14-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2388-15-0x000000000040C67E-mapping.dmp
      Download
    • memory/2388-17-0x0000000073560000-0x0000000073C4E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3560-12-0x0000000000000000-mapping.dmp
      Download