Overview

overview

10

Static

static

10

aba9ea59aa...6c.exe

windows7_x64

10

aba9ea59aa...6c.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-10-2021 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aba9ea59aab84849cf371965c19ef46c.exe

  • Size

    88KB

  • MD5

    aba9ea59aab84849cf371965c19ef46c

  • SHA1

    366050aca450a5d1ea67ea5b6b1902a60c721c01

  • SHA256

    99988371c15bd38fc947d898dc6eeb0d425c98f7bd471d040c24c8c667bd2b0b

  • SHA512

    f38d27e4a58492a59043cf8ee3df3eb317581f3fb98b59d6d1b32163acc83a403425a554e1974e60c857b3489cf1d49a0e6de8734a9a159fea4d6fe571302248

Score
10/10
asyncratratspywarestealersuricata

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aba9ea59aab84849cf371965c19ef46c.exe
    "C:\Users\Admin\AppData\Local\Temp\aba9ea59aab84849cf371965c19ef46c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\yipvnj.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1260
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\yipvnj.exe"'
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1448
        • C:\Users\Admin\AppData\Local\Temp\yipvnj.exe
          "C:\Users\Admin\AppData\Local\Temp\yipvnj.exe"
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\yipvnj.exe
    MD5

    c42164ad1b51e44d1ab913473a5d4111

    SHA1

    cc15753f958287c179941285878c569022934e18

    SHA256

    221c8d921fd6d429eb61902697f0ffaa5cc351b9d33f769990d50eaba05ed437

    SHA512

    1ea9dc418d12ffe290b96517d775e40f15abdea0a2e0a463a0bbc8e8675f3d0de87535a4bc8777730a879f15b5c964d44c4a43c93e0e2e5bee86c206cf7086c6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\yipvnj.exe
    MD5

    c42164ad1b51e44d1ab913473a5d4111

    SHA1

    cc15753f958287c179941285878c569022934e18

    SHA256

    221c8d921fd6d429eb61902697f0ffaa5cc351b9d33f769990d50eaba05ed437

    SHA512

    1ea9dc418d12ffe290b96517d775e40f15abdea0a2e0a463a0bbc8e8675f3d0de87535a4bc8777730a879f15b5c964d44c4a43c93e0e2e5bee86c206cf7086c6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\yipvnj.exe
    MD5

    c42164ad1b51e44d1ab913473a5d4111

    SHA1

    cc15753f958287c179941285878c569022934e18

    SHA256

    221c8d921fd6d429eb61902697f0ffaa5cc351b9d33f769990d50eaba05ed437

    SHA512

    1ea9dc418d12ffe290b96517d775e40f15abdea0a2e0a463a0bbc8e8675f3d0de87535a4bc8777730a879f15b5c964d44c4a43c93e0e2e5bee86c206cf7086c6

    Download Submit
  • memory/1260-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1396-74-0x000000001B340000-0x000000001B342000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1396-72-0x0000000000EC0000-0x0000000000EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1396-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1448-67-0x0000000002112000-0x0000000002114000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1448-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1448-64-0x00000000759B1000-0x00000000759B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1448-66-0x0000000002111000-0x0000000002112000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1448-65-0x0000000002110000-0x0000000002111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2032-54-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2032-61-0x0000000001F30000-0x0000000001F4B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/2032-60-0x0000000005AA0000-0x0000000005AF9000-memory.dmp
    Filesize

    356KB

    Download
  • memory/2032-59-0x0000000006820000-0x00000000068AD000-memory.dmp
    Filesize

    564KB

    Download
  • memory/2032-58-0x00000000009F0000-0x00000000009F4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/2032-57-0x0000000005FF0000-0x0000000006069000-memory.dmp
    Filesize

    484KB

    Download
  • memory/2032-56-0x0000000004DD0000-0x0000000004DD1000-memory.dmp
    Filesize

    4KB

    Download