Overview

overview

10

Static

static

INVOICE_PAYMENT.exe

windows7_x64

10

INVOICE_PAYMENT.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-02-2022 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INVOICE_PAYMENT.exe

  • Size

    825KB

  • MD5

    d05c3e50c2fe19f0c73104fcdcc69b10

  • SHA1

    76d9509cfc31cc5dccf2dab9566a9145be2554bd

  • SHA256

    71279240d14f290a3b81f4a9a660c5cdb37d52c7c65c60f1fa035d5b05745537

  • SHA512

    7434d374919b6ad96cead1ae18d982bab0293be08dfd1eb6b37d5e1b3788424e14ccd0b0400fa1da5f8675453fdd2baadc7e5b560bf8a015ace75c59d6110516

Score
10/10
asyncratnewyearrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

Botnet

NEWYEAR

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

79.134.225.34:6606

79.134.225.34:7707

79.134.225.34:8808
Mutex

yvlmeiqesk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    10

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Async RAT payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe
    "C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe
      "C:\Users\Admin\AppData\Local\Temp\INVOICE_PAYMENT.exe"
      2⤵
        PID:684

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/684-64-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/684-63-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/684-68-0x0000000004F50000-0x0000000004F51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/684-67-0x0000000076491000-0x0000000076493000-memory.dmp
      Filesize

      8KB

      Download
    • memory/684-66-0x0000000074E4E000-0x0000000074E4F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/684-65-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/684-61-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/684-62-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/684-60-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1724-54-0x0000000000CF0000-0x0000000000DC4000-memory.dmp
      Filesize

      848KB

      Download
    • memory/1724-55-0x0000000074E4E000-0x0000000074E4F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1724-59-0x0000000000580000-0x0000000000594000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1724-58-0x0000000000B50000-0x0000000000B88000-memory.dmp
      Filesize

      224KB

      Download
    • memory/1724-57-0x0000000000380000-0x0000000000398000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1724-56-0x00000000071C0000-0x00000000071C1000-memory.dmp
      Filesize

      4KB

      Download