Overview

overview

10

Static

static

4

8a2abab20b...9d.exe

windows7_x64

10

8a2abab20b...9d.exe

windows10_x64

10

Resubmissions

21-01-2025 11:37

250121-nrfehs1pby 10

12-07-2021 19:05

210712-p4pm4lvw8x 10

Analysis

  • max time kernel
    135s
  • max time network
    155s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    12-07-2021 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a2abab20bf75ac19eaa73be3b09219d.exe

  • Size

    455KB

  • MD5

    8a2abab20bf75ac19eaa73be3b09219d

  • SHA1

    c0fa652bb151644bf76b55f3c9d68cb5e8d7faf3

  • SHA256

    866ac65940057d6e1a125eda23a12d6743d75e6ff3a74ff6d53debb3fe90a368

  • SHA512

    e8842b9f47a5dce906ddca3dfbb608eba660c80364ed0b02b48c33e161df3e95226d713177733e7591cc7eccecb3f48e1a731576a90d6fbda194de98de5495c9

Score
10/10
asyncratlinkpdfpersistencerat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

sbmsbm20.duckdns.org:2020

sbmsbm20.duckdns.org:3040

sbmsbm20.duckdns.org:4040

hpdndbnb.duckdns.org:2020

hpdndbnb.duckdns.org:3040

hpdndbnb.duckdns.org:4040
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    Lvyod3VuSZyfscnKiu0YIwvTV1TQp7CD

  • anti_detection

    false

  • autorun

    true

  • bdos

    false

  • delay

    Default

  • host

    sbmsbm20.duckdns.org,hpdndbnb.duckdns.org

  • hwid

    3

  • install_file

  • install_folder

    %Temp%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    2020,3040,4040

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Async RAT payload 4 IoCs
    rat
  • Nirsoft 10 IoCs
  • Executes dropped EXE 10 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • HTTP links in PDF interactive object 4 IoCs

    Detects HTTP links in interactive objects within PDF files.

    pdflink
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe
    "C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3864
      • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3864
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4056
    • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3508
      • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3508
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1068
    • C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe
      C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe
      2⤵
        PID:3136
      • C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe
        C:\Users\Admin\AppData\Local\Temp\8a2abab20bf75ac19eaa73be3b09219d.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:416
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Acrobat Reader" /tr '"C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"' & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:492
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "Acrobat Reader" /tr '"C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"'
            4⤵
            • Creates scheduled task(s)
            PID:3328
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1D7C.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3928
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:1972
          • C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe
            "C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3180
            • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
              "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3772
              • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
                "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3772
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3992
            • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
              "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2344
              • C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
                "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2344
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2792
            • C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe
              "C:\Users\Admin\AppData\Local\Temp\Acrobat Reader.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3508

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/416-141-0x0000000000400000-0x0000000000418000-memory.dmp

      Filesize

      96KB

      Download

    • memory/416-146-0x0000000005240000-0x0000000005241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/416-147-0x0000000005350000-0x0000000005351000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1808-114-0x00000000006E0000-0x00000000006E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1808-122-0x0000000006C60000-0x0000000006C61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1808-116-0x0000000005500000-0x0000000005501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1808-117-0x0000000005000000-0x0000000005001000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1808-118-0x0000000004EF0000-0x0000000004F82000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1808-119-0x0000000004F90000-0x0000000004F91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1808-120-0x0000000006BB0000-0x0000000006BF3000-memory.dmp

      Filesize

      268KB

      Download

    • memory/1808-121-0x0000000006C80000-0x0000000006C81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1808-127-0x0000000007590000-0x00000000075F9000-memory.dmp

      Filesize

      420KB

      Download

    • memory/3180-161-0x00000000053A0000-0x000000000589E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/3508-190-0x0000000005190000-0x0000000005191000-memory.dmp

      Filesize

      4KB

      Download