BL. NO. ANSMUNDAR3621.exe

General
Target

BL. NO. ANSMUNDAR3621.exe

Filesize

343KB

Completed

21-10-2021 12:40

Score
10/10
MD5

6e313f49084c58fcd006489103bac31a

SHA1

cfb76b45950b867da23054c1df26ce8e7a3f8274

SHA256

408e8ea1cbe31a44e822f1673cbfbe79dbd2938a1e449e61a661c1cceda8f322

Malware Config

Extracted

Family asyncrat
Version 0.5.7B
Botnet Default
C2

185.222.57.71:00783
Attributes
anti_vm
false
bsod
false
delay
3
install
false
install_folder
%AppData%
pastebin_config
null
aes.plain
Signatures 6

Filter: none

  • AsyncRat

    Description

    AsyncRAT is designed to remotely monitor and control other computers.

    Tags

  • Async RAT payload

    Tags

    Reported IOCs

    resourceyara_rule
    behavioral1/memory/1372-63-0x0000000000400000-0x0000000000412000-memory.dmpasyncrat
    behavioral1/memory/1372-64-0x0000000000400000-0x0000000000412000-memory.dmpasyncrat
    behavioral1/memory/1372-65-0x0000000000400000-0x0000000000412000-memory.dmpasyncrat
    behavioral1/memory/1372-66-0x000000000040C70E-mapping.dmpasyncrat
    behavioral1/memory/1372-67-0x0000000000400000-0x0000000000412000-memory.dmpasyncrat
  • Suspicious use of SetThreadContext
    BL. NO. ANSMUNDAR3621.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1636 set thread context of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
  • Suspicious behavior: EnumeratesProcesses
    BL. NO. ANSMUNDAR3621.exe

    Reported IOCs

    pidprocess
    1636BL. NO. ANSMUNDAR3621.exe
    1636BL. NO. ANSMUNDAR3621.exe
  • Suspicious use of AdjustPrivilegeToken
    BL. NO. ANSMUNDAR3621.exeRegSvcs.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege1636BL. NO. ANSMUNDAR3621.exe
    Token: SeDebugPrivilege1372RegSvcs.exe
  • Suspicious use of WriteProcessMemory
    BL. NO. ANSMUNDAR3621.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
    PID 1636 wrote to memory of 13721636BL. NO. ANSMUNDAR3621.exeRegSvcs.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe
    "C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      Suspicious use of AdjustPrivilegeToken
      PID:1372
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
            Execution
              Exfiltration
                Impact
                  Initial Access
                    Lateral Movement
                      Persistence
                        Privilege Escalation
                          Replay Monitor
                          00:00 00:00
                          Downloads

                          • memory/1372-63-0x0000000000400000-0x0000000000412000-memory.dmp

                            Download

                          • memory/1372-67-0x0000000000400000-0x0000000000412000-memory.dmp

                            Download

                          • memory/1372-66-0x000000000040C70E-mapping.dmp

                            Download

                          • memory/1372-65-0x0000000000400000-0x0000000000412000-memory.dmp

                            Download

                          • memory/1372-64-0x0000000000400000-0x0000000000412000-memory.dmp

                            Download

                          • memory/1372-61-0x0000000000400000-0x0000000000412000-memory.dmp

                            Download

                          • memory/1372-62-0x0000000000400000-0x0000000000412000-memory.dmp

                            Download

                          • memory/1372-70-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

                            Download

                          • memory/1636-60-0x0000000000B00000-0x0000000000B2D000-memory.dmp

                            Download

                          • memory/1636-59-0x0000000000430000-0x0000000000437000-memory.dmp

                            Download

                          • memory/1636-58-0x0000000004C40000-0x0000000004C41000-memory.dmp

                            Download

                          • memory/1636-57-0x0000000076081000-0x0000000076083000-memory.dmp

                            Download

                          • memory/1636-55-0x0000000000E20000-0x0000000000E21000-memory.dmp

                            Download