Analysis
- max time kernel: 97s
- max time network: 180s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 26-07-2021 13:41
- Static task: static1
- Behavioral task: behavioral1
  - Sample: VZ8WSCNqI5hk6UO.exe
  - Resource: win7v20210408
General
- Target: VZ8WSCNqI5hk6UO.exe
- Size: 1.1MB
- MD5: 5624c43315cd655ce3162930ca5feecf
- SHA1: 9fe4a649a4c12e15bb19157c11f166d811e8e56a
- SHA256: 46aaee021fec9564e323cbb46072b15696f53cb48e153a6575ec8abc8feba35e
- SHA512: 8ddd7f8bf8283af1c28a3ac55793b3e9f761531ad3d11d7a9548dc686082ec924beb8468b7644486df403a8447178aebc4b6048bd7083633342442ce3ece0a9c
Malware Config
Extracted
- family: asyncrat
- C2: wabbus02.duckdns.org:6606, wabbus02.duckdns.org:7707, wabbus02.duckdns.org:8808
- aes_key: 9qwxkQ2pkGzKNYyg3Ocjqt8oTvsTstZQ
- anti_detection: false
- autorun: false
- bdos: false
- delay: Default
- host: wabbus02.duckdns.org
- hwid: 3
- install_file:
- install_folder: %AppData%
- mutex: AsyncMutex_6SI8OkPnk
- pastebin_config: null
- port: 6606,7707,8808
- version: 0.5.7B
Signatures
- suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
- Async RAT payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1064-67-0x000000000040C73E-mapping.dmp | asyncrat
  behavioral1/memory/1064-66-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral1/memory/1064-68-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- CustAttr .NET packer (1 IoC): detects the CustAttr .NET packer in memory.
  resource | yara_rule
  behavioral1/memory/748-63-0x00000000004B0000-0x00000000004BB000-memory.dmp | CustAttr
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 748 set thread context of 1064 | 748 | VZ8WSCNqI5hk6UO.exe | VZ8WSCNqI5hk6UO.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1064 | VZ8WSCNqI5hk6UO.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 748 wrote to memory of 1064 (9 identical entries) | 748 | VZ8WSCNqI5hk6UO.exe | VZ8WSCNqI5hk6UO.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\VZ8WSCNqI5hk6UO.exe "C:\Users\Admin\AppData\Local\Temp\VZ8WSCNqI5hk6UO.exe" (PID 748)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\VZ8WSCNqI5hk6UO.exe "C:\Users\Admin\AppData\Local\Temp\VZ8WSCNqI5hk6UO.exe" (PID 1064)
    - Suspicious use of AdjustPrivilegeToken
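The three signatures above describe one pattern: the first instance (PID 748) writes into a second copy of its own image (PID 1064) and then resets that process's thread context, after which the second copy enables SeDebugPrivilege. The following is an added example of the correlation a detection engineer would run over such events; it is not tooling from the sandbox that produced this report. The event lines are constructed to mirror the signature rows, and the line format, the CreateProcess row that encodes the parent/child relation from the process tree, and the notepad.exe noise row are assumptions for the example.

```python
"""Correlate sandbox API events into a process-injection verdict.

Added example, not the sandbox's code. SAMPLE_EVENTS is constructed to mirror
the report: PID 748 writes nine times into PID 1064, sets its thread context,
and 1064 (a second copy of the same image, child of 748) then enables
SeDebugPrivilege. The "<pid> <image> <api> [key=value ...]" format is an
assumption for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

EVENT_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<api>\w+)(?P<rest>.*)$")

SAMPLE_EVENTS = (
    "748 VZ8WSCNqI5hk6UO.exe CreateProcess target=1064 image=VZ8WSCNqI5hk6UO.exe\n"
    + "748 VZ8WSCNqI5hk6UO.exe WriteProcessMemory target=1064\n" * 9
    + "748 VZ8WSCNqI5hk6UO.exe SetThreadContext target=1064\n"
    + "1064 VZ8WSCNqI5hk6UO.exe AdjustPrivilegeToken privilege=SeDebugPrivilege\n"
    # Constructed noise: a single write with no thread-context change must not fire.
    + "4321 notepad.exe WriteProcessMemory target=1064\n"
)


@dataclass
class Event:
    pid: int
    image: str
    api: str
    args: dict


@dataclass
class Verdict:
    source: int
    target: int
    technique: str
    indicators: list = field(default_factory=list)


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        args = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        events.append(Event(int(m.group("pid")), m.group("image"), m.group("api"), args))
    return events


def find_injection(events, min_writes=1):
    """Flag (source, target) pairs where one process wrote into another and
    then redirected one of its threads with SetThreadContext. A target that is
    a child running the same image is the self-hollowing pattern in the report."""
    image_of, parent_of, debug_priv, ctx = {}, {}, set(), set()
    writes = defaultdict(int)
    for ev in events:
        image_of.setdefault(ev.pid, ev.image)
        target = int(ev.args["target"]) if "target" in ev.args else None
        if ev.api == "CreateProcess" and target is not None:
            parent_of[target] = ev.pid
            image_of[target] = ev.args.get("image", "?")
        elif ev.api == "WriteProcessMemory" and target is not None:
            writes[(ev.pid, target)] += 1
        elif ev.api == "SetThreadContext" and target is not None:
            ctx.add((ev.pid, target))
        elif ev.api == "AdjustPrivilegeToken" and ev.args.get("privilege") == "SeDebugPrivilege":
            debug_priv.add(ev.pid)

    verdicts = []
    for src, dst in sorted(set(writes) | ctx):
        if writes[(src, dst)] < min_writes or (src, dst) not in ctx:
            continue  # a write alone, or a context change alone, is not enough
        same_image = image_of.get(src) == image_of.get(dst)
        is_child = parent_of.get(dst) == src
        ind = [f"WriteProcessMemory x{writes[(src, dst)]}", "SetThreadContext"]
        if is_child:
            ind.append("target is a child of source")
        if same_image:
            ind.append("same image path")
        if dst in debug_priv:
            ind.append("target enabled SeDebugPrivilege")
        technique = ("process hollowing (self-injection)" if same_image and is_child
                     else "thread-context injection")
        verdicts.append(Verdict(src, dst, technique, ind))
    return verdicts


if __name__ == "__main__":
    for v in find_injection(parse_events(SAMPLE_EVENTS)):
        print(f"{v.source} -> {v.target}: {v.technique}; " + ", ".join(v.indicators))
```

The rule deliberately needs both a write and a SetThreadContext on the same (source, target) pair: either call on its own is common in legitimate software, and the lone WriteProcessMemory from the constructed notepad.exe row is correctly ignored. SeDebugPrivilege in the target is reported as a supporting indicator only, since the RAT requests it after the injection has already happened.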
Network
MITRE ATT&CK Matrix
Downloads
memory dump | size
memory/748-60-0x00000000012D0000-0x00000000012D1000-memory.dmp | 4KB
memory/748-62-0x0000000000DF0000-0x0000000000DF1000-memory.dmp | 4KB
memory/748-63-0x00000000004B0000-0x00000000004BB000-memory.dmp | 44KB
memory/748-64-0x0000000000D80000-0x0000000000DD7000-memory.dmp | 348KB
memory/748-65-0x0000000000560000-0x0000000000572000-memory.dmp | 72KB
memory/1064-67-0x000000000040C73E-mapping.dmp | (not listed)
memory/1064-66-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1064-68-0x0000000000400000-0x0000000000412000-memory.dmp | 72KB
memory/1064-70-0x0000000075451000-0x0000000075453000-memory.dmp | 8KB
memory/1064-71-0x0000000000450000-0x0000000000451000-memory.dmp | 4KB
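The dump names encode the PID and the address range of each region, which lets the list be checked rather than just read: every listed size should equal end minus start, and the 72KB region at 0x560000 in PID 748 has the same span as the region at 0x400000 (the default 32-bit PE image base) in PID 1064 that the asyncrat yara rule matched. The following added example does those checks; it is not the sandbox's own code. DUMPS is copied from the table above, and the "<pid>-<seq>-<start>[-<end>]-memory|mapping.dmp" layout is read off those names and assumed to be the naming scheme.

```python
"""Validate and pair the sandbox memory-dump listing.

Added example, not the sandbox's code. DUMPS is copied from the report's
Downloads table; the name layout matched by DUMP_RE is an assumption taken
from the names themselves.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

# (file name, listed size) pairs from the report; None where no size is listed.
DUMPS = [
    ("memory/748-60-0x00000000012D0000-0x00000000012D1000-memory.dmp", "4KB"),
    ("memory/748-62-0x0000000000DF0000-0x0000000000DF1000-memory.dmp", "4KB"),
    ("memory/748-63-0x00000000004B0000-0x00000000004BB000-memory.dmp", "44KB"),
    ("memory/748-64-0x0000000000D80000-0x0000000000DD7000-memory.dmp", "348KB"),
    ("memory/748-65-0x0000000000560000-0x0000000000572000-memory.dmp", "72KB"),
    ("memory/1064-67-0x000000000040C73E-mapping.dmp", None),
    ("memory/1064-66-0x0000000000400000-0x0000000000412000-memory.dmp", "72KB"),
    ("memory/1064-68-0x0000000000400000-0x0000000000412000-memory.dmp", "72KB"),
    ("memory/1064-70-0x0000000075451000-0x0000000075453000-memory.dmp", "8KB"),
    ("memory/1064-71-0x0000000000450000-0x0000000000451000-memory.dmp", "4KB"),
]

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_size(text):
    """'348KB' -> 356352. Raises on anything that is not <int><unit>."""
    m = re.fullmatch(r"(\d+)(B|KB|MB)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_dump(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start = int(m.group("start"), 16)
    end = int(m.group("end"), 16) if m.group("end") else None  # mapping dumps carry one address
    return {
        "name": name, "pid": int(m.group("pid")), "seq": int(m.group("seq")),
        "kind": m.group("kind"), "start": start, "end": end,
        "span": (end - start) if end is not None else None,
    }


def check_sizes(dumps):
    """Names whose listed size does not equal end - start (an empty list means
    the table is internally consistent)."""
    bad = []
    for name, size in dumps:
        d = parse_dump(name)
        if d["span"] is not None and size is not None and parse_size(size) != d["span"]:
            bad.append(name)
    return bad


def paired_regions(dumps, parent, child, min_span=0x2000):
    """(parent_start, child_start, span) for regions of `child` whose span equals
    a region of `parent`. Single-page regions are skipped (min_span): 4KB
    allocations are far too common to mean anything. For the report this pairs
    the region staged at 0x560000 in 748 with the image at 0x400000 in 1064."""
    regions = [parse_dump(n) for n, _ in dumps]
    by_span = {}
    for r in regions:
        if r["pid"] == parent and r["span"] and r["span"] >= min_span:
            by_span.setdefault(r["span"], []).append(r["start"])
    pairs = set()
    for r in regions:
        if r["pid"] == child and r["span"] in by_span:
            for pstart in by_span[r["span"]]:
                pairs.add((pstart, r["start"], r["span"]))
    return sorted(pairs)


def region_containing(dumps, pid, address):
    """Name of the dumped region of `pid` that covers `address`, or None. Places
    the single address of the mapping.dmp entry inside the injected image."""
    for name, _ in dumps:
        d = parse_dump(name)
        if d["pid"] == pid and d["end"] is not None and d["start"] <= address < d["end"]:
            return name
    return None


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS))
    for pstart, cstart, span in paired_regions(DUMPS, 748, 1064):
        print(f"748 @ {pstart:#x} <-> 1064 @ {cstart:#x}, {span:#x} bytes")
    print("0x40C73E lies in:", region_containing(DUMPS, 1064, 0x40C73E))
```

Pairing on span alone is a heuristic: equal size is consistent with the same payload being copied from parent to child, not proof of it, and the follow-up is to diff the two dumps (748-65 against 1064-66) rather than trust the sizes. The 1064-67 mapping entry carries only a single address, which the last check places inside the 0x400000-0x412000 region.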