Overview

overview

10

Static

static

Unlimited.ps1

windows7_x64

1

Unlimited.ps1

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 04:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Unlimited.ps1

  • Size

    241KB

  • MD5

    e9dd6ae79fddbcabe2aa76e8fddd0244

  • SHA1

    7ba6c74d36634c6b673ecd05d69a22038e171c6f

  • SHA256

    5227ed40f5ee2c8d976365582e7550bf43e1cedaca4ffdbf3f6993d78826ac47

  • SHA512

    bbffbc363bbd1b97a21b8651f39998de6e7c9c8212e0a8c8ef4e9990b1af18a9b78e835bc2b41f87c5993e82e407d44f09009a6f6cb634d8dec06c9fa0b46244

Score
10/10
asyncrat$$$$rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

$$$$

C2

cdtpitbull.hopto.org:7707

cdtpitbull.hopto.org:4404

cdtpitbull.hopto.org:5505

cdtpitbull.hopto.org:3303

cdtpitbull.hopto.org:2222

chromedata.accesscam.org:7707

chromedata.accesscam.org:4404

chromedata.accesscam.org:5505

chromedata.accesscam.org:3303

chromedata.accesscam.org:2222

datacontrol.ddns.net:7707

datacontrol.ddns.net:4404

datacontrol.ddns.net:5505

datacontrol.ddns.net:3303

datacontrol.ddns.net:2222

cdt2023.ddns.net:7707

cdt2023.ddns.net:4404

cdt2023.ddns.net:5505

cdt2023.ddns.net:3303

cdt2023.ddns.net:2222
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_file

    DesbravadorUpdata.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Unlimited.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NEt\Framework\v4.0.30319\aspnet_compiler.exe"
      2⤵
        PID:4844

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4844-134-0x000000000040DC7E-mapping.dmp
      Download
    • memory/4844-133-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4948-130-0x000001FD52A60000-0x000001FD52A82000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4948-131-0x00007FFB5C8E0000-0x00007FFB5D3A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4948-132-0x00007FFB5C8E0000-0x00007FFB5D3A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4948-135-0x00007FFB5C8E0000-0x00007FFB5D3A1000-memory.dmp
      Filesize

      10.8MB

      Download