BL. NO. ANSMUNDAR3621.exe
BL. NO. ANSMUNDAR3621.exe
343KB
21-10-2021 12:40
6e313f49084c58fcd006489103bac31a
cfb76b45950b867da23054c1df26ce8e7a3f8274
408e8ea1cbe31a44e822f1673cbfbe79dbd2938a1e449e61a661c1cceda8f322
Extracted
| Family | asyncrat |
| Version | 0.5.7B |
| Botnet | Default |
| C2 |
185.222.57.71:00783 |
| Attributes |
anti_vm false
bsod false
delay 3
install false
install_folder %AppData%
pastebin_config null |
| aes.plain |
|
Filter: none
-
AsyncRat
Description
AsyncRAT is designed to remotely monitor and control other computers.
Tags
-
Async RAT payload
Tags
Reported IOCs
resource yara_rule behavioral2/memory/2756-127-0x0000000000400000-0x0000000000412000-memory.dmp asyncrat behavioral2/memory/2756-128-0x000000000040C70E-mapping.dmp asyncrat -
Suspicious use of SetThreadContextBL. NO. ANSMUNDAR3621.exe
Reported IOCs
description pid process target process PID 688 set thread context of 2756 688 BL. NO. ANSMUNDAR3621.exe RegSvcs.exe -
Suspicious behavior: EnumeratesProcessesBL. NO. ANSMUNDAR3621.exe
Reported IOCs
pid process 688 BL. NO. ANSMUNDAR3621.exe 688 BL. NO. ANSMUNDAR3621.exe -
Suspicious use of AdjustPrivilegeTokenBL. NO. ANSMUNDAR3621.exeRegSvcs.exe
Reported IOCs
description pid process Token: SeDebugPrivilege 688 BL. NO. ANSMUNDAR3621.exe Token: SeDebugPrivilege 2756 RegSvcs.exe -
Suspicious use of WriteProcessMemoryBL. NO. ANSMUNDAR3621.exe
Reported IOCs
description pid process target process PID 688 wrote to memory of 2756 688 BL. NO. ANSMUNDAR3621.exe RegSvcs.exe PID 688 wrote to memory of 2756 688 BL. NO. ANSMUNDAR3621.exe RegSvcs.exe PID 688 wrote to memory of 2756 688 BL. NO. ANSMUNDAR3621.exe RegSvcs.exe PID 688 wrote to memory of 2756 688 BL. NO. ANSMUNDAR3621.exe RegSvcs.exe PID 688 wrote to memory of 2756 688 BL. NO. ANSMUNDAR3621.exe RegSvcs.exe PID 688 wrote to memory of 2756 688 BL. NO. ANSMUNDAR3621.exe RegSvcs.exe PID 688 wrote to memory of 2756 688 BL. NO. ANSMUNDAR3621.exe RegSvcs.exe PID 688 wrote to memory of 2756 688 BL. NO. ANSMUNDAR3621.exe RegSvcs.exe
-
C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exePID:688"C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe"Suspicious use of SetThreadContextSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exePID:2756"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Suspicious use of AdjustPrivilegeToken
-
memory/688-118-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
-
memory/688-120-0x00000000058D0000-0x00000000058D1000-memory.dmp
-
memory/688-121-0x00000000053D0000-0x00000000053D1000-memory.dmp
-
memory/688-122-0x0000000005370000-0x0000000005371000-memory.dmp
-
memory/688-123-0x0000000005570000-0x0000000005577000-memory.dmp
-
memory/688-124-0x00000000053D0000-0x00000000058CE000-memory.dmp
-
memory/688-125-0x0000000006170000-0x0000000006171000-memory.dmp
-
memory/688-126-0x0000000005890000-0x00000000058BD000-memory.dmp
-
memory/2756-127-0x0000000000400000-0x0000000000412000-memory.dmp
-
memory/2756-128-0x000000000040C70E-mapping.dmp
-
memory/2756-131-0x00000000055C0000-0x00000000055C1000-memory.dmp
-
memory/2756-134-0x00000000060C0000-0x00000000060C1000-memory.dmp