Analysis

Max time kernel: 146s
Max time network: 150s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 26-05-2021 16:59

Tasks:
  Static task static1
  Behavioral task behavioral1: sample ddbe0b6cfc27b0097acd8f283252dfcb.exe, resource win7v20210410
  Behavioral task behavioral2: sample ddbe0b6cfc27b0097acd8f283252dfcb.exe, resource win10v20210410
General

Target: ddbe0b6cfc27b0097acd8f283252dfcb.exe
Size: 135KB
MD5: ddbe0b6cfc27b0097acd8f283252dfcb
SHA1: e90502f54a4f4de77ab3b60dc03f70074b63b1f4
SHA256: 27c142fcc7e6f2e56c80feba0c8070678987a51f1606c47afd67977db02aefa6
SHA512: 49801b358571f675d52e2b0f2698052a8b21e43f0f6eddaf5b2c63c9ff4847c8a68d61ecbe6f3362819e8731c8a84f7dee494f7a921fb52ff52e0535aa00e0f0
Malware Config

Extracted: AsyncRAT 0.5.7B
C2: 216.250.249.156:6606, 216.250.249.156:7707, 216.250.249.156:8808
Mutex: AsyncMutex_6SI8OkPnk

Configuration fields:
  aes_key: hOzT6yCwaW9Q3G7rmnJbuCiKhc4IgWpi
  anti_detection: false
  autorun: false
  bdos: false
  delay: Default
  host: 216.250.249.156
  hwid: 3
  install_file: (no value extracted)
  install_folder: %AppData%
  mutex: AsyncMutex_6SI8OkPnk
  pastebin_config: null
  port: 6606,7707,8808
  version: 0.5.7B
Signatures

Async RAT payload (2 IoCs)
  behavioral1/memory/1420-63-0x0000000002160000-0x0000000002184000-memory.dmp  yara rule: asyncrat
  behavioral1/memory/1420-64-0x00000000007E0000-0x00000000007EC000-memory.dmp  yara rule: asyncrat

Core1 .NET packer (1 IoC)
Detects packer/loader used by .NET malware.
  behavioral1/memory/1420-63-0x0000000002160000-0x0000000002184000-memory.dmp  yara rule: Core1

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: ddbe0b6cfc27b0097acd8f283252dfcb.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\outlookMS.exe = "C:\\Users\\Admin\\AppData\\Local\\Programs\\msOffice365\\outlookMS.exe"

Note that the extracted config has autorun = false and install_folder = %AppData%, while the behavioral run records a Run key pointing at C:\Users\Admin\AppData\Local\Programs\msOffice365\outlookMS.exe. The persistence observed does not match what the RAT's own autorun settings would produce, so the Run key and the outlookMS.exe path should be treated as IoCs in their own right rather than derived from the config.
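As an added example (not part of the sandbox report), the following stdlib-only Python triage helper takes the IoCs this report extracted for the sample (the C2 host and ports, the Run key value name and its target path) and runs them over constructed, Sysmon-style event lines: EventID 13 (registry value set) and EventID 3 (network connection). The key="value" event format, the SAMPLE_EVENTS lines, the severity labels and the function names are assumptions made for the example; only the IoC constants come from the report.

```python
"""Triage helper built from the AsyncRAT report's IoCs (added example).

Runs two checks over Sysmon-style event lines:
  * Run-key persistence: exact match on the reported value name / target
    path, plus a generic rule for Run entries that point into user-writable
    locations such as %AppData% or %Temp%.
  * C2 traffic: exact match on the reported host + ports, plus a weaker
    host-only hit for the same IP on another port.
"""
import re

# IoCs taken from the report above.
C2_HOST = "216.250.249.156"
C2_PORTS = {6606, 7707, 8808}
RUN_VALUE_NAME = "outlookMS.exe"
RUN_VALUE_DATA = r"C:\Users\Admin\AppData\Local\Programs\msOffice365\outlookMS.exe"

# key="value" tokens; the event format is an assumption for this example.
_KV = re.compile(r'(\w+)="([^"]*)"')
# Per-user or machine Run key, capturing the value name at the end.
_RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# Locations a standard user can write to; a Run entry pointing here is suspicious.
_USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\", re.I)

# Constructed sample events (not real telemetry from the sandbox run).
SAMPLE_EVENTS = [
    'EventID="13" Image="C:\\Users\\Admin\\Desktop\\ddbe0b6cfc27b0097acd8f283252dfcb.exe" '
    'TargetObject="HKU\\S-1-5-21-2513283230-931923277-594887482-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\outlookMS.exe" '
    'Details="C:\\Users\\Admin\\AppData\\Local\\Programs\\msOffice365\\outlookMS.exe"',
    'EventID="13" Image="C:\\Program Files\\Vendor\\setup.exe" '
    'TargetObject="HKU\\S-1-5-21-2513283230-931923277-594887482-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater" '
    'Details="C:\\Program Files\\Vendor\\updater.exe"',
    'EventID="3" Image="C:\\Users\\Admin\\Desktop\\ddbe0b6cfc27b0097acd8f283252dfcb.exe" '
    'DestinationIp="216.250.249.156" DestinationPort="6606"',
    'EventID="3" Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" '
    'DestinationIp="93.184.216.34" DestinationPort="443"',
    'EventID="3" Image="C:\\Users\\Admin\\AppData\\Local\\Programs\\msOffice365\\outlookMS.exe" '
    'DestinationIp="216.250.249.156" DestinationPort="443"',
    'EventID="13" Image="C:\\Users\\Admin\\AppData\\Local\\Temp\\dropper.exe" '
    'TargetObject="HKU\\S-1-5-21-2513283230-931923277-594887482-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater" '
    'Details="C:\\Users\\Admin\\AppData\\Roaming\\svc.exe"',
]


def parse_event(line):
    """Turn one key="value" event line into a dict of its fields."""
    return dict(_KV.findall(line))


def classify(ev):
    """Return a label for an event that matches one of the checks, else None."""
    eid = ev.get("EventID")
    if eid == "13":
        m = _RUN_KEY.search(ev.get("TargetObject", ""))
        if not m:
            return None
        value_name, data = m.group(1), ev.get("Details", "")
        # Exact IoC from the report: either the value name or its target path.
        if (value_name.lower() == RUN_VALUE_NAME.lower()
                or data.lower() == RUN_VALUE_DATA.lower()):
            return "asyncrat_run_key"
        # Generic: autostart entry that runs something from a user-writable dir.
        if _USER_WRITABLE.search(data):
            return "run_key_user_writable"
        return None
    if eid == "3":
        if ev.get("DestinationIp") != C2_HOST:
            return None
        try:
            port = int(ev.get("DestinationPort", ""))
        except ValueError:
            return None
        return "asyncrat_c2" if port in C2_PORTS else "c2_host"
    return None


def triage(lines):
    """Return (label, image) pairs for every event line that triggers a check."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            hits.append((label, ev.get("Image", "?")))
    return hits


if __name__ == "__main__":
    for label, image in triage(SAMPLE_EVENTS):
        print(f"{label:24s} {image}")
```

The host-only label is deliberately separate from the exact host+port match: the report lists three ports, but a RAT operator can rebuild the client with a different port, so a connection to the same IP on another port still deserves a look, while the generic Run-key rule catches persistence entries the config-based IoCs would miss.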