Analysis
Max time kernel: 38s
Max time network: 151s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 21-07-2021 13:05

Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: net5.exe; Resource: win7v20210410, windows7_x64; 0 signatures; 0 seconds)
General
Target: net5.exe
Size: 766KB
MD5: c094c57d960c5db1a798911c59cb9c91
SHA1: daa83187c52c8fd8349e2525cc0754ccdc023fd0
SHA256: 4780ad66fe081922301a8a90ca01d2e30c6bd5cfcfbe3d768773e8cf86e864df
SHA512: c11437aa95c3588cca5cb6da12fb7a46b3c01b408d8673174f1df85e5bc29471d303adc997cd873d80045765a38c75daa0fc94217f6a25003cbbc160ea5a6f3b
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7A
C2: mysubdomain873.duckdns.org:600
Mutex: AsyncMutex_6SI8OkPnk

Attributes
aes_key: 6ARSUbK1J7i0ZiDwHtKhtGLRoDs9BiV3
anti_detection: false
autorun: false
bdos: false
delay: Default
host: mysubdomain873.duckdns.org
hwid: 1
install_file:
install_folder: %AppData%
mutex: AsyncMutex_6SI8OkPnk
pastebin_config: null
port: 600
version: 0.5.7A
aes.plain
Signatures

Async RAT payload (2 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/1736-116-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
  behavioral2/memory/1736-117-0x000000000040C74E-mapping.dmp                    asyncrat

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                             pid   process   target process
  PID 4016 set thread context of 1736     4016  net5.exe  RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1736  RegSvcs.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  4016  net5.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                          pid   process   target process
  PID 4016 wrote to memory of 1736     4016  net5.exe  RegSvcs.exe
  (the same entry is recorded 8 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\net5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\net5.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
  File                                                             Filesize
  memory/1736-116-0x0000000000400000-0x0000000000412000-memory.dmp  72KB
  memory/1736-117-0x000000000040C74E-mapping.dmp
  memory/1736-120-0x0000000005170000-0x0000000005171000-memory.dmp  4KB
  memory/1736-121-0x0000000005AD0000-0x0000000005AD1000-memory.dmp  4KB
  memory/1736-122-0x0000000006070000-0x0000000006071000-memory.dmp  4KB
  memory/1736-123-0x0000000005BE0000-0x0000000005BE1000-memory.dmp  4KB
  memory/1736-124-0x0000000006B30000-0x0000000006B31000-memory.dmp  4KB
  memory/1736-125-0x0000000006AB0000-0x0000000006B29000-memory.dmp  484KB
  memory/1736-126-0x0000000006C10000-0x0000000006C11000-memory.dmp  4KB
  memory/1736-127-0x0000000006D10000-0x0000000006D11000-memory.dmp  4KB
  memory/1736-128-0x0000000006C80000-0x0000000006C84000-memory.dmp  16KB
  memory/1736-129-0x00000000070D0000-0x000000000715D000-memory.dmp  564KB
  memory/1736-130-0x0000000007260000-0x00000000072B9000-memory.dmp  356KB
  memory/1736-131-0x00000000072C0000-0x00000000072C1000-memory.dmp  4KB