Analysis
-
max time kernel
75s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
30-09-2022 18:08
Behavioral task
behavioral1
Sample
bF3b.exe
Resource
win7-20220812-en
3 signatures
150 seconds
General
-
Target
bF3b.exe
-
Size
45KB
-
MD5
0a5956f7becedb614fb7fc192056f0c6
-
SHA1
1afa1a350707f41a114c0296ae53d7e0c24ed8c4
-
SHA256
112bc23dbf145fb1c5c78e842b605a4da6202c9993114c7118fbdf902d6c7673
-
SHA512
6032f3228cf07e7832687141535fef9c3ea3f17b50d3a87be6550a423af89bbfb6c6b5f4a4fc668525f96dd6e45c3c49310c544cca9ffd56a2c7971950ca6d86
-
SSDEEP
768:vuwCfTg46YbWUn8jjmo2qrDKjGKG6PIyzjbFgX3iqaUQUXtBDZSx:vuwCfTgp/2OKYDy3bCXStCdSx
Malware Config
Extracted
Family |
asyncrat |
Version |
0.5.7B |
Botnet |
Default |
C2 |
0.tcp.ngrok.io:13857 |
Attributes |
delay 3
install false
install_folder %AppData% |
aes.plain |
|
Signatures
-
Async RAT payload ⋅ 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4180-132-0x0000000000370000-0x0000000000382000-memory.dmp asyncrat -
Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs
Processes:
bF3b.exedescription pid process Token: SeDebugPrivilege 4180 bF3b.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bF3b.exe"C:\Users\Admin\AppData\Local\Temp\bF3b.exe"Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
00:00
00:00
Downloads
Loading data