Analysis
- max time kernel: 146s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 04:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: Unlimited.ps1
- Resource: win7-20220414-en
General
- Target: Unlimited.ps1
- Size: 241KB
- MD5: e9dd6ae79fddbcabe2aa76e8fddd0244
- SHA1: 7ba6c74d36634c6b673ecd05d69a22038e171c6f
- SHA256: 5227ed40f5ee2c8d976365582e7550bf43e1cedaca4ffdbf3f6993d78826ac47
- SHA512: bbffbc363bbd1b97a21b8651f39998de6e7c9c8212e0a8c8ef4e9990b1af18a9b78e835bc2b41f87c5993e82e407d44f09009a6f6cb634d8dec06c9fa0b46244
Malware Config
Extracted: asyncrat
| Edit 3LOSH RAT
$$$$
- cdtpitbull.hopto.org:7707
- cdtpitbull.hopto.org:4404
- cdtpitbull.hopto.org:5505
- cdtpitbull.hopto.org:3303
- cdtpitbull.hopto.org:2222
- chromedata.accesscam.org:7707
- chromedata.accesscam.org:4404
- chromedata.accesscam.org:5505
- chromedata.accesscam.org:3303
- chromedata.accesscam.org:2222
- datacontrol.ddns.net:7707
- datacontrol.ddns.net:4404
- datacontrol.ddns.net:5505
- datacontrol.ddns.net:3303
- datacontrol.ddns.net:2222
- cdt2023.ddns.net:7707
- cdt2023.ddns.net:4404
- cdt2023.ddns.net:5505
- cdt2023.ddns.net:3303
- cdt2023.ddns.net:2222
- AsyncMutex_6SI8OkPnk
- delay: 3
- install: false
- install_file: DesbravadorUpdata.exe
- install_folder: %AppData%
Signatures
- Async RAT payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4844-134-0x000000000040DC7E-mapping.dmp                    asyncrat
  behavioral2/memory/4844-133-0x0000000000400000-0x0000000000412000-memory.dmp  asyncrat
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process         target process
  PID 4948 set thread context of 4844  4948  powershell.exe  aspnet_compiler.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  4948  powershell.exe
  4948  powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  4948  powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   process         target process
  PID 4948 wrote to memory of 4844   4948  powershell.exe  aspnet_compiler.exe
  PID 4948 wrote to memory of 4844   4948  powershell.exe  aspnet_compiler.exe
  PID 4948 wrote to memory of 4844   4948  powershell.exe  aspnet_compiler.exe
  PID 4948 wrote to memory of 4844   4948  powershell.exe  aspnet_compiler.exe
  PID 4948 wrote to memory of 4844   4948  powershell.exe  aspnet_compiler.exe
  PID 4948 wrote to memory of 4844   4948  powershell.exe  aspnet_compiler.exe
  PID 4948 wrote to memory of 4844   4948  powershell.exe  aspnet_compiler.exe
  PID 4948 wrote to memory of 4844   4948  powershell.exe  aspnet_compiler.exe
Processes
1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Unlimited.ps1
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe (child of 1)
      Command line: "C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/4844-134-0x000000000040DC7E-mapping.dmp
- memory/4844-133-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
- memory/4948-130-0x000001FD52A60000-0x000001FD52A82000-memory.dmp (Filesize: 136KB)
- memory/4948-131-0x00007FFB5C8E0000-0x00007FFB5D3A1000-memory.dmp (Filesize: 10.8MB)
- memory/4948-132-0x00007FFB5C8E0000-0x00007FFB5D3A1000-memory.dmp (Filesize: 10.8MB)
- memory/4948-135-0x00007FFB5C8E0000-0x00007FFB5D3A1000-memory.dmp (Filesize: 10.8MB)