Overview

overview

10

Static

static

49a739cbc8...b4.exe

windows7-x64

10

49a739cbc8...b4.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    85s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2022 20:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49a739cbc8a28adc28736e145c3f245a2bdf6617663f1c33d513377fae72bbb4.exe

  • Size

    36KB

  • MD5

    801bddf6f14dd89827c5885a6a540de5

  • SHA1

    6fbf71bd0d73c446133c6824be09c2b46f2db756

  • SHA256

    49a739cbc8a28adc28736e145c3f245a2bdf6617663f1c33d513377fae72bbb4

  • SHA512

    e46fb75a40ff00c1bade6e7a19a0f74fe0e0912e5d3828788c19c6ec9f60811945668cdf9769de3a8b8fdebf56898ed52dd093315ea4e256c293611663fe1d4c

  • SSDEEP

    384:GIntgkiTl/PJCQCzirQCz03RAtmoYhpRd42tqHwd5ASc:GIetJCQIirQIKRGlYn42oHI2

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

172.93.181.21:8848

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49a739cbc8a28adc28736e145c3f245a2bdf6617663f1c33d513377fae72bbb4.exe
    "C:\Users\Admin\AppData\Local\Temp\49a739cbc8a28adc28736e145c3f245a2bdf6617663f1c33d513377fae72bbb4.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\users\Public\documents\dwm.exe
      C://users/Public/documents/dwm.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Documents\Text.txt
    Filesize

    109KB

    MD5

    91d99f9b230d5e3e382dd58185ccdc9f

    SHA1

    92d6dad2f7ebff48989cc0d3a9f192cb64b22684

    SHA256

    acffd5fdcd02939099fe13c497d1945c108ee3cd6bdc80f5f3317445717890e1

    SHA512

    4abf6daef0e83b171e75ab7aa59b107f8276ffd4f95a1e75adc94619e6fb6ec37bc2575285f2c94292645d9cfc772f6ffde84461a89fe21d5b23db1c9d3f07a8

    Download Submit
  • C:\Users\Public\Documents\dwm.exe
    Filesize

    6KB

    MD5

    68288c9c86bcd4dbad9f93294926b29b

    SHA1

    9b177ba5a3d22eaf89cb94b3cacf47b6dcdb4496

    SHA256

    720f10d44aa351453f0cc1fbe463de79e4a6f148bbad369dd1295b1b416b07bc

    SHA512

    48fa5027527d9f139440cb9ef355bca906d654d7b20ad0a98eb89924f12e7fcae0f041afba8c300e62cc79ce6aaf32f4116b88ebd37397c79a873a8ff6942ee6

    Download Submit
  • C:\users\Public\documents\ClassLibrary2.dll
    Filesize

    5KB

    MD5

    ea309f547d484a9506978a64b46e1759

    SHA1

    5487372323411688d34d5137627c1c5d32d42974

    SHA256

    ea02454269f1059e6d9157a1914e60c2f739d5e185801aeb713dc9eafc4ba9d7

    SHA512

    96328f93e81a8a930bb65f9266f0fd700db5e01a9dcc28c37be49df76733d01d74ee2437d3b1fa4d7aa70baf75a7dffc7d598cc8f2ce581aa030dcb23983988f

    Download Submit
  • C:\users\Public\documents\dwm.exe
    Filesize

    6KB

    MD5

    68288c9c86bcd4dbad9f93294926b29b

    SHA1

    9b177ba5a3d22eaf89cb94b3cacf47b6dcdb4496

    SHA256

    720f10d44aa351453f0cc1fbe463de79e4a6f148bbad369dd1295b1b416b07bc

    SHA512

    48fa5027527d9f139440cb9ef355bca906d654d7b20ad0a98eb89924f12e7fcae0f041afba8c300e62cc79ce6aaf32f4116b88ebd37397c79a873a8ff6942ee6

    Download Submit
  • \Users\Public\Documents\calc.dll
    Filesize

    5.4MB

    MD5

    26c044da6732d9534e594a521e841c1c

    SHA1

    9d2f162bf16affab1b3845df38d42faa073c1a07

    SHA256

    c6f59fdf0b85f3b75da208197e0c755fddc51c44967820ac64ccab25b4004ccd

    SHA512

    72f9449ac1e649e87832639c9b76982d4494a8b45d204b5eccba0d6391d9548bb2f898f511d1144d85f120947967749ab0397c9d44531a20f175b5fd6ddbf436

    Download Submit
  • \Users\Public\Documents\dwm.exe
    Filesize

    6KB

    MD5

    68288c9c86bcd4dbad9f93294926b29b

    SHA1

    9b177ba5a3d22eaf89cb94b3cacf47b6dcdb4496

    SHA256

    720f10d44aa351453f0cc1fbe463de79e4a6f148bbad369dd1295b1b416b07bc

    SHA512

    48fa5027527d9f139440cb9ef355bca906d654d7b20ad0a98eb89924f12e7fcae0f041afba8c300e62cc79ce6aaf32f4116b88ebd37397c79a873a8ff6942ee6

    Download Submit
  • memory/896-62-0x00000000741F0000-0x0000000074A92000-memory.dmp
    Filesize

    8.6MB

    Download
  • memory/896-54-0x0000000075E31000-0x0000000075E33000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1428-60-0x000007FEFC101000-0x000007FEFC103000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1428-59-0x000000013F2A0000-0x000000013F2A6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1428-66-0x00000000005A0000-0x00000000005A8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1428-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1428-68-0x00000000005C0000-0x00000000005D5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/1428-69-0x0000000002450000-0x0000000002460000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1428-70-0x000000001BF2C000-0x000000001BF4B000-memory.dmp
    Filesize

    124KB

    Download
  • memory/1428-71-0x000000001BF2C000-0x000000001BF4B000-memory.dmp
    Filesize

    124KB

    Download