Analysis

  • max time kernel: 101s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 05-07-2022 12:57

General

  • Target: asyncnovodisparo.ps1
  • Size: 143KB
  • MD5: 22349ef6db03e6edef6f007e79641351
  • SHA1: c03776ce09df11b0a94e125497d77f565b430fd6
  • SHA256: e170dce58acff291b1ee9cde4093d13ade6a32067b980dbd33033228cc377472
  • SHA512: 563e869b3e98363a705173c4a70e2f46b737ebe56a649c24411c2a733968a40ad1037b4d4d391a6a7e872ac61979dd5912b87bd362dfcb37da116dd483e252c5

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

A_(_C.D.T_)_A

C2

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay: 3
  • install: false
  • install_folder: %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

  • Async RAT payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4808)
    Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\asyncnovodisparo.ps1
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 3000)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      • Suspicious use of AdjustPrivilegeToken

Downloads

  • memory/3000-132-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
  • memory/3000-133-0x000000000040DCBE-mapping.dmp
  • memory/3000-135-0x0000000006010000-0x00000000060AC000-memory.dmp (Filesize: 624KB)
  • memory/3000-136-0x0000000006660000-0x0000000006C04000-memory.dmp (Filesize: 5.6MB)
  • memory/3000-137-0x0000000006120000-0x0000000006186000-memory.dmp (Filesize: 408KB)
  • memory/3000-138-0x0000000006F90000-0x0000000007006000-memory.dmp (Filesize: 472KB)
  • memory/3000-139-0x00000000016B0000-0x00000000016CE000-memory.dmp (Filesize: 120KB)
  • memory/3000-140-0x00000000070B0000-0x0000000007142000-memory.dmp (Filesize: 584KB)
  • memory/4808-130-0x000001D04A170000-0x000001D04A192000-memory.dmp (Filesize: 136KB)
  • memory/4808-131-0x00007FFADD9E0000-0x00007FFADE4A1000-memory.dmp (Filesize: 10.8MB)
  • memory/4808-134-0x00007FFADD9E0000-0x00007FFADE4A1000-memory.dmp (Filesize: 10.8MB)