Overview

overview

10

Static

static

f97285590f...8e.exe

windows7_x64

10

f97285590f...8e.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    196s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-10-2021 17:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f97285590fe7f6afbfc514ddd2bc538e.exe

  • Size

    255KB

  • MD5

    f97285590fe7f6afbfc514ddd2bc538e

  • SHA1

    1268214c0978b144583a2ceaae238c2042b8ddc7

  • SHA256

    678d4084f84159e43cfb7acbeff823117b1a3610150bebefc202dcfe408b97c6

  • SHA512

    7f602b0f19bc90eb2ba66572cd4d6149ac3020a7acf36bada7667d16e782bf895475abd0498d4c30975830d8b68f51e2ad3fdf1a7a64c2e040eb497aa3f3d023

Score
10/10
asyncratdefaultratsuricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

joselamartineslora09.duckdns.org:1980

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Async RAT payload 6 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f97285590fe7f6afbfc514ddd2bc538e.exe
    "C:\Users\Admin\AppData\Local\Temp\f97285590fe7f6afbfc514ddd2bc538e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Tikbwdnflqabculmypdmfm.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Downloads\iobituninstaller.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:768
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_Tikbwdnflqabculmypdmfm.vbs
    MD5

    5688b2eb801a351378401ff15237c20f

    SHA1

    5cbf0e609ac127d8d4bcdff972cdc61a310b702a

    SHA256

    fcd85a624694b7643dfa007fcff9d14c0fa18b311a9add2cabf6d8f81541b3ce

    SHA512

    d5a72caed29e8c362770d131a139d2c143d5b898f25b04d56b76f1ebec206faaebbd2343407e6d7204665f7e1986b7a3861b31d7859208b6979094e387775dba

    Download Submit
  • \Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • memory/768-76-0x0000000002512000-0x0000000002514000-memory.dmp
    Filesize

    8KB

    Download
  • memory/768-75-0x0000000002511000-0x0000000002512000-memory.dmp
    Filesize

    4KB

    Download
  • memory/768-74-0x0000000002510000-0x0000000002511000-memory.dmp
    Filesize

    4KB

    Download
  • memory/768-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1112-60-0x0000000000C00000-0x0000000000C12000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1112-53-0x00000000012B0000-0x00000000012B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1112-56-0x0000000004CC0000-0x0000000004CC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1112-55-0x0000000000630000-0x0000000000667000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1612-78-0x0000000004B20000-0x0000000004B21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1612-64-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1612-65-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1612-66-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1612-67-0x000000000040C75E-mapping.dmp
    Download
  • memory/1612-62-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1612-63-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1612-71-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1612-79-0x0000000000510000-0x0000000000530000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1624-59-0x00000000751A1000-0x00000000751A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1624-57-0x0000000000000000-mapping.dmp
    Download