Overview

overview

10

Static

static

payment co...21.exe

windows7_x64

10

payment co...21.exe

windows10_x64

10

Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payment confirmation_16.01.2021.exe

  • Size

    1.4MB

  • MD5

    e3aea83c2ae72dfbaf7d887baa9d40da

  • SHA1

    63b622b74f1e7ede93634c73d61384d431fbf199

  • SHA256

    60f80dde8a53609fc7411854b9400a613c6978386ef05aa1bbedbfd2fc51814e

  • SHA512

    100a267444667abf6e5ceb47157c92de523c6236fcdc07703c3b274f3e06ed35ab3a6040a87483e22d94758b35d71859df3dd2a22649cee9d41c2b05d6030eaa

Score
10/10
asyncratrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

bigman2021.duckdns.org:6606

bigman2021.duckdns.org:7707

bigman2021.duckdns.org:8808

79.134.225.18:6606

79.134.225.18:7707

79.134.225.18:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    8HLIxjjLl31oyeuCdupeIJlMgShc597W

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    bigman2021.duckdns.org,79.134.225.18

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    6606,7707,8808

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe
    "C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe
      "C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe"
      2⤵
        PID:4048
      • C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe
        "C:\Users\Admin\AppData\Local\Temp\payment confirmation_16.01.2021.exe"
        2⤵
          PID:2640

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment confirmation_16.01.2021.exe.log
        MD5

        65f1f0c7993639f9f9e1d524224a2c93

        SHA1

        5b51a6a56f3041dbc2d3f510252bbe68ffbbc59c

        SHA256

        e582e80a644a998d1b2958bdcb0cd1e899076befa7c5e868d033b3fe75a2ca93

        SHA512

        3e8953968bbc31f3105a0df28b95edfb4cee8af78ec527d47707b82e3d5fc2aa725fca574de3c963da53614e60d282408b21d075eed007be25679e9458bf1c23

        Download Submit
      • memory/2640-14-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2640-20-0x0000000005870000-0x0000000005871000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2640-17-0x0000000073820000-0x0000000073F0E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2640-15-0x000000000040C76E-mapping.dmp
        Download
      • memory/3132-7-0x0000000006FC0000-0x0000000006FC1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-9-0x0000000007180000-0x0000000007181000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-10-0x00000000071F0000-0x00000000071F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-11-0x00000000079C0000-0x00000000079C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-12-0x00000000022A0000-0x00000000022B3000-memory.dmp
        Filesize

        76KB

        Download
      • memory/3132-13-0x0000000004B00000-0x0000000004B81000-memory.dmp
        Filesize

        516KB

        Download
      • memory/3132-8-0x0000000006EE0000-0x0000000006EE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-2-0x0000000073820000-0x0000000073F0E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3132-6-0x00000000074C0000-0x00000000074C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-5-0x0000000006F20000-0x0000000006F21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-3-0x0000000000070000-0x0000000000071000-memory.dmp
        Filesize

        4KB

        Download