Analysis
max time kernel: 151s
max time network: 148s
platform: windows10_x64
resource: win10v20201028
submitted: 16-01-2021 07:35

Static task: static1
Behavioral task: behavioral1
Sample: FedEx Invoice 202116435.exe
Resource: win7v20201028
General
Target: FedEx Invoice 202116435.exe
Size: 766KB
MD5: fd3988d887f5e982384dca104ea49001
SHA1: d3ad5fa2af44707e5e27b76fdbebf5a9ae28b457
SHA256: aa0399675c53f77a7996102b5301ea24814642e9eee30648c9ac75b3b1052235
SHA512: 868c4795ae2fea9aaa98ad069c97564bc051ee73e728bdd61ba7f250b8b9d9b41013b4446a61a364c71f6f4105f25790938a1cbeaba64850159f69ad4836811c
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
C2: 79.134.225.45:2233
Mutex: AsyncMutex_6SI8OkPnk

aes_key: yCFT3D6MMz3qsbxnPTBTTSsUCB2B6gqZ
anti_detection: false
autorun: false
bdos: false
delay: Default
host: 79.134.225.45
hwid: 5
install_file:
install_folder: %AppData%
mutex: AsyncMutex_6SI8OkPnk
pastebin_config: null
port: 2233
version: 0.5.7B
Signatures

Async RAT payload (2 IoCs)
  YARA rule "asyncrat" matched:
  behavioral2/memory/4064-14-0x0000000000400000-0x0000000000412000-memory.dmp
  behavioral2/memory/4064-15-0x000000000040C70E-mapping.dmp

Suspicious use of SetThreadContext (1 IoC)
  PID 576 (FedEx Invoice 202116435.exe) set thread context of PID 4064 (FedEx Invoice 202116435.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 576 (FedEx Invoice 202116435.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 576 (FedEx Invoice 202116435.exe): Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 576 (FedEx Invoice 202116435.exe) wrote to memory of PID 932 (schtasks.exe), 3 times
  PID 576 (FedEx Invoice 202116435.exe) wrote to memory of PID 4064 (FedEx Invoice 202116435.exe), 8 times
Processes

[1] C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pVJgNVIylS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD226.tmp"
        - Creates scheduled task(s)

    [2] C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe"
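The process tree and signatures above record the classic hollowing sequence: the sample (PID 576) spawns a second copy of its own image (PID 4064), writes into it eight times and calls SetThreadContext on it, and separately registers a scheduled task from an XML file in the user's Temp directory. The following Python is an added example, not Triage's or the sample's code: it runs that detection logic over constructed Sysmon-style events modelled on this report. The event schema, the launcher PID 2100 for the sample, and the network_connect record (constructed from the extracted C2, since the report's Network section is empty) are assumptions.

```python
"""Detection logic for the behaviour in this report, run over constructed
Sysmon-style events.  Added example; not Triage's or the sample's own code."""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\FedEx Invoice 202116435.exe"

# (host, port) from the extracted AsyncRAT config above.
KNOWN_C2 = {("79.134.225.45", 2233)}

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
USER_PATH_RE = re.compile(r"^C:\\Users\\", re.IGNORECASE)
SCHTASKS_CREATE_RE = re.compile(
    r'/Create\b.*?/TN\s+"?(?P<task>[^"\s]+)"?.*?/XML\s+"?(?P<xml>[^"]+)"?',
    re.IGNORECASE)

# Constructed events modelled on the process tree and signatures above.
# "api" records stand in for the sandbox API trace; the network_connect
# record is built from the extracted config (the report's Network section
# is empty) and ppid 2100 for the sample is an assumed launcher PID.
EVENTS = [
    {"type": "process_create", "pid": 576, "ppid": 2100, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    # 32-bit sample on x64: the image is the SysWOW64 binary although the
    # command line names System32 (file-system redirection).
    {"type": "process_create", "pid": 932, "ppid": 576,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pVJgNVIylS" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD226.tmp"'},
    {"type": "process_create", "pid": 4064, "ppid": 576, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "api", "pid": 576, "target_pid": 932, "api": "WriteProcessMemory"},
    {"type": "api", "pid": 576, "target_pid": 4064, "api": "WriteProcessMemory"},
    {"type": "api", "pid": 576, "target_pid": 4064, "api": "WriteProcessMemory"},
    {"type": "api", "pid": 576, "target_pid": 4064, "api": "SetThreadContext"},
    {"type": "network_connect", "pid": 4064,
     "dst_ip": "79.134.225.45", "dst_port": 2233},
]


def _process_index(events):
    """pid -> (image, ppid) for every process_create event."""
    return {e["pid"]: (e["image"], e["ppid"])
            for e in events if e["type"] == "process_create"}


def detect_process_hollowing(events):
    """A parent writes into a child it spawned from its own image and then
    redirects a thread with SetThreadContext (T1055.012).  Writes alone do
    not fire, so the report's writes into schtasks.exe (PID 932) stay silent."""
    procs = _process_index(events)
    calls = defaultdict(set)
    for e in events:
        if e["type"] == "api":
            calls[(e["pid"], e["target_pid"])].add(e["api"])
    hits = []
    for (src, dst), apis in calls.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis \
                and dst in procs and procs[dst][1] == src \
                and procs[dst][0].lower() == procs.get(src, ("", 0))[0].lower():
            hits.append((src, dst))
    return hits


def detect_schtasks_persistence(events):
    """schtasks /Create whose XML definition lives in the user's Temp folder
    and whose parent runs from a user-writable path (T1053.005)."""
    procs = _process_index(events)
    hits = []
    for e in events:
        if e["type"] != "process_create" \
                or not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        m = SCHTASKS_CREATE_RE.search(e["cmdline"])
        parent_image = procs.get(e["ppid"], ("", 0))[0]
        if m and TEMP_DIR_RE.search(m["xml"]) and USER_PATH_RE.match(parent_image):
            hits.append({"pid": e["pid"], "parent": parent_image,
                         "task": m["task"], "xml": m["xml"]})
    return hits


def match_c2(events, known_c2=KNOWN_C2):
    """Outbound connections to a (host, port) pair from the extracted config."""
    return [(e["pid"], e["dst_ip"], e["dst_port"]) for e in events
            if e["type"] == "network_connect"
            and (e["dst_ip"], e["dst_port"]) in known_c2]


def run_detections(events=EVENTS):
    return {
        "process_hollowing": detect_process_hollowing(events),
        "schtasks_persistence": detect_schtasks_persistence(events),
        "c2_connect": match_c2(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

The hollowing rule deliberately requires all three conditions (same image, parent/child relationship, write plus SetThreadContext) so that ordinary WriteProcessMemory calls into a freshly created child do not page anyone; the schtasks rule keys on the XML path rather than the task name, because the name (here "Updates\pVJgNVIylS") is random per build.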
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FedEx Invoice 202116435.exe.log
MD5: 90acfd72f14a512712b1a7380c0faf60
SHA1: 40ba4accb8faa75887e84fb8e38d598dc8cf0f12
SHA256: 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
SHA512: 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9

C:\Users\Admin\AppData\Local\Temp\tmpD226.tmp
MD5: 8ede796c7c1deaaad605c973ce63e013
SHA1: 52f0f548e32058e587bbe751f8f73976e0cd08f6
SHA256: 361e97d89b0c624e51a2f0f079f31273d7e16c675c199468554fe4f1ff80c78c
SHA512: 8fabcf7b3506df737804eeba5cb4bbb2c53663ab8dae19c4be3a66f46b5de3894eb4bdbf4330d9faa46e7ae332a2cd0c159fff01517b740094ce30e042a5b86b
-
memory/576-9-0x0000000004EE0000-0x0000000004EE1000-memory.dmp   Filesize: 4KB
memory/576-6-0x0000000005280000-0x0000000005281000-memory.dmp   Filesize: 4KB
memory/576-7-0x0000000004D80000-0x0000000004D81000-memory.dmp   Filesize: 4KB
memory/576-8-0x00000000026C0000-0x00000000026C1000-memory.dmp   Filesize: 4KB
memory/576-2-0x0000000073560000-0x0000000073C4E000-memory.dmp   Filesize: 6.9MB
memory/576-10-0x0000000005250000-0x0000000005263000-memory.dmp  Filesize: 76KB
memory/576-11-0x0000000000A50000-0x0000000000A98000-memory.dmp  Filesize: 288KB
memory/576-5-0x0000000004CC0000-0x0000000004CC1000-memory.dmp   Filesize: 4KB
memory/576-3-0x0000000000200000-0x0000000000201000-memory.dmp   Filesize: 4KB
memory/932-12-0x0000000000000000-mapping.dmp
memory/4064-14-0x0000000000400000-0x0000000000412000-memory.dmp Filesize: 72KB
memory/4064-15-0x000000000040C70E-mapping.dmp
memory/4064-17-0x0000000073560000-0x0000000073C4E000-memory.dmp Filesize: 6.9MB