Overview

overview

10

Static

static

disposable...sk.exe

windows7_x64

10

disposable...sk.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    disposable protective mask.exe

  • Size

    375KB

  • MD5

    e18ddc52047f3d3147d94db4bc50cb63

  • SHA1

    7d2f3257ce09b8fd7aad305cb23309348a4b9790

  • SHA256

    369e06999d4475ecc6e01a440ac20bebb744dbbf14b609c002f65379403f4be7

  • SHA512

    f0ebd0c7a72e6419b37a607ce282acebecec2c9c80356f35fddaaf3f0ec8edac0cd6b00d81ad0a61a377eb70e7c5a9bcca70cf7088232d74c79f7bea8bf4cf61

Score
10/10
asyncrathardhardcoreentityratrezer0

Malware Config

Extracted

Family

asyncrat

Version

0.5.6D

Botnet

HARDHARD

C2

185.165.153.215:6606

Mutex

uqeolevmck

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • Async RAT payload 6 IoCs
    rat
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe
    "C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\disposable protective mask.exe
      "{path}"
      2⤵
        PID:1256

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1256-58-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1256-59-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1256-61-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1256-62-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1256-64-0x000000000040C5FE-mapping.dmp

      Download

    • memory/1256-63-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1256-66-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1256-68-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1808-54-0x0000000000D90000-0x0000000000DF4000-memory.dmp

      Filesize

      400KB

      Download

    • memory/1808-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1808-56-0x00000000005B0000-0x00000000005B8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1808-57-0x0000000000D40000-0x0000000000D5A000-memory.dmp

      Filesize

      104KB

      Download