Overview

overview

10

Static

static

Halkbank_E...71.exe

windows7_x64

10

Halkbank_E...71.exe

windows10_x64

10

Analysis

  • max time kernel
    127s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-01-2021 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Halkbank_Ekstre_20210118_162356_389771.exe

  • Size

    1003KB

  • MD5

    84217fc5c07aabf3321ed2c0feed1cba

  • SHA1

    4ba652be61d9185a8ae35f12a951d315f2c5dec5

  • SHA256

    cdcc8531c42e3ede33c0ecbcb82f7a6e5445e959eee3796475258df830a18813

  • SHA512

    923d5fb3e3879837e338d0437a8751074a8114f8e6d7f8c0e4c960109b00bafe9d92be41db9ed46f20249cf6b5d4f90f5b8ed173f7d0a6b1df16c046e7f50f13

Score
10/10
asyncratrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1604

91.193.75.189:6606

91.193.75.189:7707

91.193.75.189:8808

91.193.75.189:1604
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    mfafeIQA2jA2dXxxjBmJHl3XAeFPQwQb

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    127.0.0.1,91.193.75.189

  • hwid

    10

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6606,7707,8808,1604

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210118_162356_389771.exe
    "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210118_162356_389771.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JsghWrfn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp71D6.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1504
    • C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210118_162356_389771.exe
      "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210118_162356_389771.exe"
      2⤵
        PID:924
      • C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210118_162356_389771.exe
        "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_20210118_162356_389771.exe"
        2⤵
          PID:1520

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp71D6.tmp
        MD5

        a52ddbf195b50c4b79d5a2c80f2a9412

        SHA1

        229e9b8a3c29899f8d9dd5d834df3b447e3268d8

        SHA256

        84e6c3fc9b3edd2516c3aa21df2f259175b601e8c3dfddcd48c3d4cb57af948d

        SHA512

        2b5f3c7b69b864453d01281fec64c1a73c8bc31029bf3c4771498e73e15ade495caa83cfc960a96b5446ec007ddb055feda955c1052e24d58fbe4b09cac29d6f

        Download Submit
      • memory/1504-8-0x0000000000000000-mapping.dmp
        Download
      • memory/1520-12-0x00000000741A0000-0x000000007488E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1520-10-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1520-11-0x000000000040D0AE-mapping.dmp
        Download
      • memory/1520-13-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1520-15-0x00000000766F1000-0x00000000766F3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1520-16-0x0000000004E90000-0x0000000004E91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1740-6-0x0000000000480000-0x0000000000493000-memory.dmp
        Filesize

        76KB

        Download
      • memory/1740-7-0x0000000005230000-0x00000000052BB000-memory.dmp
        Filesize

        556KB

        Download
      • memory/1740-5-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1740-3-0x0000000000A30000-0x0000000000A31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1740-2-0x00000000741A0000-0x000000007488E000-memory.dmp
        Filesize

        6.9MB

        Download