Overview

overview

10

Static

static

f97285590f...8e.exe

windows7_x64

10

f97285590f...8e.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    21-10-2021 17:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f97285590fe7f6afbfc514ddd2bc538e.exe

  • Size

    255KB

  • MD5

    f97285590fe7f6afbfc514ddd2bc538e

  • SHA1

    1268214c0978b144583a2ceaae238c2042b8ddc7

  • SHA256

    678d4084f84159e43cfb7acbeff823117b1a3610150bebefc202dcfe408b97c6

  • SHA512

    7f602b0f19bc90eb2ba66572cd4d6149ac3020a7acf36bada7667d16e782bf895475abd0498d4c30975830d8b68f51e2ad3fdf1a7a64c2e040eb497aa3f3d023

Score
10/10
asyncratdefaultratspywarestealersuricata

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

joselamartineslora09.duckdns.org:1980

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

    suricata
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Async RAT payload 2 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f97285590fe7f6afbfc514ddd2bc538e.exe
    "C:\Users\Admin\AppData\Local\Temp\f97285590fe7f6afbfc514ddd2bc538e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Tikbwdnflqabculmypdmfm.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Downloads\iobituninstaller.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3440
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      2⤵
      • Executes dropped EXE
      PID:2156
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:680
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_Tikbwdnflqabculmypdmfm.vbs
    MD5

    5688b2eb801a351378401ff15237c20f

    SHA1

    5cbf0e609ac127d8d4bcdff972cdc61a310b702a

    SHA256

    fcd85a624694b7643dfa007fcff9d14c0fa18b311a9add2cabf6d8f81541b3ce

    SHA512

    d5a72caed29e8c362770d131a139d2c143d5b898f25b04d56b76f1ebec206faaebbd2343407e6d7204665f7e1986b7a3861b31d7859208b6979094e387775dba

    Download Submit
  • memory/680-142-0x00000000056E0000-0x00000000056E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/680-123-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/680-124-0x000000000040C75E-mapping.dmp
    Download
  • memory/2456-393-0x000000000040678E-mapping.dmp
    Download
  • memory/2456-399-0x0000000005160000-0x000000000565E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2856-119-0x0000000000000000-mapping.dmp
    Download
  • memory/3440-137-0x0000000007CA0000-0x0000000007CA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-141-0x0000000008400000-0x0000000008401000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-130-0x0000000003200000-0x0000000003201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-131-0x0000000003200000-0x0000000003201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-132-0x0000000006EB0000-0x0000000006EB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-133-0x0000000007580000-0x0000000007581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-135-0x0000000006F42000-0x0000000006F43000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-134-0x0000000006F40000-0x0000000006F41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-136-0x00000000074D0000-0x00000000074D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-166-0x0000000009940000-0x0000000009941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-138-0x0000000007DC0000-0x0000000007DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-139-0x0000000007F30000-0x0000000007F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-140-0x00000000083C0000-0x00000000083C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-127-0x0000000000000000-mapping.dmp
    Download
  • memory/3440-164-0x000000007EBC0000-0x000000007EBC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-143-0x00000000086D0000-0x00000000086D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-144-0x0000000003200000-0x0000000003201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-151-0x0000000009420000-0x0000000009453000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3440-158-0x0000000009400000-0x0000000009401000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-163-0x0000000009560000-0x0000000009561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3440-165-0x0000000006F43000-0x0000000006F44000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3496-115-0x00000000009D0000-0x00000000009D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3496-120-0x0000000005520000-0x0000000005532000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3496-117-0x0000000005200000-0x0000000005237000-memory.dmp
    Filesize

    220KB

    Download
  • memory/3496-118-0x0000000005410000-0x0000000005411000-memory.dmp
    Filesize

    4KB

    Download