Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 12:20

General

  • Target
    TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe
  • Size
    72KB
  • MD5
    2be93df9a3c2e9b0809aa24f46d561f8
  • SHA1
    3c3716c0e5721d61afa4997764aa3eaa091505ef
  • SHA256
    fbc9106506d47f39fddb3a48693e9b3eb80f400d6c273d1e08ecc7ef417f9352
  • SHA512
    92e38a52e72d7a69f6f6781b58423a38dc825dfe4ab5156d457897eb757e8a8888a2c3a1360a7ed3b000c9d96a825e2d7b7226c46b70a02bd4ca28ebd24ee78a

Malware Config

Extracted

  • Family
    asyncrat
  • Version
    0.5.7B
  • Botnet
    Default
  • C2
    ufyu78r8r7.duckdns.org:8057
  • Mutex
    AsyncMutex_6SI8OkPnk
  • Attributes
    • delay
      3
    • install
      false
    • install_folder
      %AppData%
  • aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Async RAT payload 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe
    "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      2⤵
      PID:4420

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Winlogon Helper DLL (1) T1004
    • Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    • Modify Registry (2) T1112


Downloads

  • memory/4420-133-0x0000000000000000-mapping.dmp
  • memory/4420-134-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize 72KB
  • memory/4832-130-0x0000000000010000-0x0000000000026000-memory.dmp
    Filesize 88KB
  • memory/4832-131-0x0000000004970000-0x0000000004A0C000-memory.dmp
    Filesize 624KB
  • memory/4832-132-0x0000000005030000-0x00000000055D4000-memory.dmp
    Filesize 5.6MB