Analysis

max time kernel: 120s
max time network: 161s
platform: windows10_x64
resource: win10-en-20210920
submitted: 21-10-2021 12:38

Static task: static1
Behavioral task: behavioral1
Sample: BL. NO. ANSMUNDAR3621.exe
Resource: win7-en-20211014 (windows7_x64)
0 signatures, 0 seconds
General

Target: BL. NO. ANSMUNDAR3621.exe
Size: 343KB
MD5: 6e313f49084c58fcd006489103bac31a
SHA1: cfb76b45950b867da23054c1df26ce8e7a3f8274
SHA256: 408e8ea1cbe31a44e822f1673cbfbe79dbd2938a1e449e61a661c1cceda8f322
SHA512: e75348da00f0e5d3089a38f8400b18cee22a057f6dc7da3068e49875d024e8512e90b9bdeaad3f866b4dfd0388b72952a4fbdb0a78c845cebaf4f253de1be2a2
Malware Config

Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 185.222.57.71:00783
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
- anti_vm: false
- bsod: false
- delay: 3
- install: false
- install_folder: %AppData%
- pastebin_config: null
aes.plain
Signatures

- Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2756-127-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
  behavioral2/memory/2756-128-0x000000000040C70E-mapping.dmp | asyncrat

- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 688 set thread context of 2756 | 688 | BL. NO. ANSMUNDAR3621.exe | RegSvcs.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  688 | BL. NO. ANSMUNDAR3621.exe
  688 | BL. NO. ANSMUNDAR3621.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 688 | BL. NO. ANSMUNDAR3621.exe
  Token: SeDebugPrivilege | 2756 | RegSvcs.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 688 wrote to memory of 2756 | 688 | BL. NO. ANSMUNDAR3621.exe | RegSvcs.exe (this row appears 8 times)
Processes

- C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe
  "C:\Users\Admin\AppData\Local\Temp\BL. NO. ANSMUNDAR3621.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

- memory/688-118-0x0000000000AF0000-0x0000000000AF1000-memory.dmp (4KB)
- memory/688-120-0x00000000058D0000-0x00000000058D1000-memory.dmp (4KB)
- memory/688-121-0x00000000053D0000-0x00000000053D1000-memory.dmp (4KB)
- memory/688-122-0x0000000005370000-0x0000000005371000-memory.dmp (4KB)
- memory/688-123-0x0000000005570000-0x0000000005577000-memory.dmp (28KB)
- memory/688-124-0x00000000053D0000-0x00000000058CE000-memory.dmp (5.0MB)
- memory/688-125-0x0000000006170000-0x0000000006171000-memory.dmp (4KB)
- memory/688-126-0x0000000005890000-0x00000000058BD000-memory.dmp (180KB)
- memory/2756-127-0x0000000000400000-0x0000000000412000-memory.dmp (72KB)
- memory/2756-128-0x000000000040C70E-mapping.dmp
- memory/2756-131-0x00000000055C0000-0x00000000055C1000-memory.dmp (4KB)
- memory/2756-134-0x00000000060C0000-0x00000000060C1000-memory.dmp (4KB)