Analysis

  • max time kernel: 150s
  • max time network: 153s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 30-09-2022 20:39

General

  • Target: 1720e833db94e2388213e8dbfd8589819ddc8525295c9e2e6df61c2c6446f136.exe
  • Size: 56KB
  • MD5: f64ccbc901901c142778923c42a6e582
  • SHA1: 214ec7d3082028bcf42a2f7e86917c2d40b9611b
  • SHA256: 1720e833db94e2388213e8dbfd8589819ddc8525295c9e2e6df61c2c6446f136
  • SHA512: 6571b0c2590b9f60b86515a03ca05bbcfbce3d5f01243b91e4870d465439823551ac4129c4fb520215347b96a1a9223faa5aaffceaa0a4fdbe50cdd7a62e08d9
  • SSDEEP: 768:huxJmUepbOSJr8UzFr4DhlWerv1NwF326QI2:hqJtLUzNehlWQ1CM6P

Score: 10/10

Malware Config

Extracted

  • Family: asyncrat
  • Version: 1.0.7
  • Botnet: Default
  • C2: 110.238.105.105:8848
  • Mutex: DcRatMutex_qwqdanchun
  • Attributes
    • delay: 1
    • install: false
    • install_folder: %AppData%
  • aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1720e833db94e2388213e8dbfd8589819ddc8525295c9e2e6df61c2c6446f136.exe
    "C:\Users\Admin\AppData\Local\Temp\1720e833db94e2388213e8dbfd8589819ddc8525295c9e2e6df61c2c6446f136.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\SysWOW64\mstsc.exe
      mstsc.exe /v:122.128.123.178:3389 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\system32\mstsc.exe
        mstsc.exe /v:122.128.123.178:3389 /f
        3⤵
        • Enumerates connected drives
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:808
    • C:\users\Public\documents\dwm.exe
      C://users/Public/documents/dwm.exe
      2⤵
      • Executes dropped EXE
      PID:1180

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Public\Documents\Text.txt
    Filesize: 109KB
    MD5: 81fdb130a76c6315ce98a28e2caea772
    SHA1: f2965c3571ec298193a02bf7aa126af4faa8b846
    SHA256: 2900531b2df0712e1687ebc17901d5a6d90e8ff2d47650056d748344fc3d467a
    SHA512: f5e701737121341223caebd1e8ed05a2ef71d2c8f3bce0b673bbd316d928ae3083e8fe2684efa45c5593777f912ab3dac9d3f76a75bda02e5d1d4c64b0d8d04d

  • C:\Users\Public\Documents\dwm.exe
    Filesize: 6KB
    MD5: 68288c9c86bcd4dbad9f93294926b29b
    SHA1: 9b177ba5a3d22eaf89cb94b3cacf47b6dcdb4496
    SHA256: 720f10d44aa351453f0cc1fbe463de79e4a6f148bbad369dd1295b1b416b07bc
    SHA512: 48fa5027527d9f139440cb9ef355bca906d654d7b20ad0a98eb89924f12e7fcae0f041afba8c300e62cc79ce6aaf32f4116b88ebd37397c79a873a8ff6942ee6

  • C:\users\Public\documents\ClassLibrary2.dll
    Filesize: 5KB
    MD5: ea309f547d484a9506978a64b46e1759
    SHA1: 5487372323411688d34d5137627c1c5d32d42974
    SHA256: ea02454269f1059e6d9157a1914e60c2f739d5e185801aeb713dc9eafc4ba9d7
    SHA512: 96328f93e81a8a930bb65f9266f0fd700db5e01a9dcc28c37be49df76733d01d74ee2437d3b1fa4d7aa70baf75a7dffc7d598cc8f2ce581aa030dcb23983988f

  • C:\users\Public\documents\dwm.exe
    Filesize: 6KB
    MD5: 68288c9c86bcd4dbad9f93294926b29b
    SHA1: 9b177ba5a3d22eaf89cb94b3cacf47b6dcdb4496
    SHA256: 720f10d44aa351453f0cc1fbe463de79e4a6f148bbad369dd1295b1b416b07bc
    SHA512: 48fa5027527d9f139440cb9ef355bca906d654d7b20ad0a98eb89924f12e7fcae0f041afba8c300e62cc79ce6aaf32f4116b88ebd37397c79a873a8ff6942ee6

  • \Users\Public\Documents\RDSv1.dll
    Filesize: 24KB
    MD5: 36f3b718deda0cebb65487b2a0b56678
    SHA1: 5a9a0c523641184d2829155100bd875491be1f5a
    SHA256: 2fca90ac0ae35ef4dd9a99451dc4754bcd53c59ba97c121ffd3e62034b1ecefa
    SHA512: a30fddfe2526673b2eec78eab91b0a0afcf34e061fee4a3202262a830f94205ecd6d89cdb604abd4ae18027cc122ec2bd8495060a810262e6728f7aac2233e5c

  • \Users\Public\Documents\calc.dll
    Filesize: 87KB
    MD5: 225d9c27f41c841980c170d65b4d31dd
    SHA1: 2b1381e305c05660b26dd7c571d9b02df88a3f4d
    SHA256: 0d82363a422c876fae84ca27b2b72ab3286ffdf8a2632350bc64680cb8d36de9
    SHA512: 7eca920d383de3e3440225a5ca5930f130bba1f5155dc37920654493130ae3f3073a1eec731eed1b56355700a18d74cf0901b627226350d4d40224e2e5265966

  • \Users\Public\Documents\dwm.exe
    Filesize: 6KB
    MD5: 68288c9c86bcd4dbad9f93294926b29b
    SHA1: 9b177ba5a3d22eaf89cb94b3cacf47b6dcdb4496
    SHA256: 720f10d44aa351453f0cc1fbe463de79e4a6f148bbad369dd1295b1b416b07bc
    SHA512: 48fa5027527d9f139440cb9ef355bca906d654d7b20ad0a98eb89924f12e7fcae0f041afba8c300e62cc79ce6aaf32f4116b88ebd37397c79a873a8ff6942ee6

  • memory/808-59-0x000007FEF6451000-0x000007FEF6453000-memory.dmp (Filesize: 8KB)
  • memory/808-57-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp (Filesize: 8KB)
  • memory/808-56-0x0000000000000000-mapping.dmp
  • memory/1108-54-0x0000000000000000-mapping.dmp
  • memory/1108-55-0x0000000075B41000-0x0000000075B43000-memory.dmp (Filesize: 8KB)
  • memory/1180-62-0x0000000000000000-mapping.dmp
  • memory/1180-65-0x000000013F210000-0x000000013F216000-memory.dmp (Filesize: 24KB)
  • memory/1180-69-0x0000000000780000-0x0000000000788000-memory.dmp (Filesize: 32KB)
  • memory/1180-71-0x0000000000930000-0x0000000000940000-memory.dmp (Filesize: 64KB)
  • memory/1180-72-0x00000000007A0000-0x00000000007B5000-memory.dmp (Filesize: 84KB)