Analysis
- max time kernel: 128s
- max time network: 136s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 08:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: payment confirmation_16.01.2021.exe
- Resource: win7v20201028
General
- Target: payment confirmation_16.01.2021.exe
- Size: 1.4MB
- MD5: e3aea83c2ae72dfbaf7d887baa9d40da
- SHA1: 63b622b74f1e7ede93634c73d61384d431fbf199
- SHA256: 60f80dde8a53609fc7411854b9400a613c6978386ef05aa1bbedbfd2fc51814e
- SHA512: 100a267444667abf6e5ceb47157c92de523c6236fcdc07703c3b274f3e06ed35ab3a6040a87483e22d94758b35d71859df3dd2a22649cee9d41c2b05d6030eaa
Malware Config
Extracted: asyncrat, version 0.5.7B
C2 endpoints (host:port):
- bigman2021.duckdns.org:6606
- bigman2021.duckdns.org:7707
- bigman2021.duckdns.org:8808
- 79.134.225.18:6606
- 79.134.225.18:7707
- 79.134.225.18:8808
Mutex: AsyncMutex_6SI8OkPnk
Config attributes:
- aes_key: 8HLIxjjLl31oyeuCdupeIJlMgShc597W
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: bigman2021.duckdns.org,79.134.225.18
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6606,7707,8808
- version: 0.5.7B
Signatures
- Async RAT payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/396-8-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/396-9-0x000000000040C76E-mapping.dmp | asyncrat
  behavioral1/memory/396-11-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 292 set thread context of 396 | 292 | payment confirmation_16.01.2021.exe | payment confirmation_16.01.2021.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 292 wrote to memory of 396 | 292 | payment confirmation_16.01.2021.exe | payment confirmation_16.01.2021.exe
  (the same row is recorded 9 times in the report, one per write)
Processes
1. C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe (spawned by process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe"
Network
MITRE ATT&CK Matrix
Downloads
File | Filesize
memory/292-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp | 6.9MB
memory/292-3-0x0000000000E60000-0x0000000000E61000-memory.dmp | 4KB
memory/292-5-0x0000000004900000-0x0000000004901000-memory.dmp | 4KB
memory/292-6-0x0000000000880000-0x0000000000893000-memory.dmp | 76KB
memory/292-7-0x0000000004E70000-0x0000000004EF1000-memory.dmp | 516KB
memory/396-8-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/396-9-0x000000000040C76E-mapping.dmp |
memory/396-10-0x00000000748A0000-0x0000000074F8E000-memory.dmp | 6.9MB
memory/396-11-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/396-13-0x0000000076861000-0x0000000076863000-memory.dmp | 8KB
memory/396-14-0x0000000000CC0000-0x0000000000CC1000-memory.dmp | 4KB