Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 07:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec98f07a9e93ae6859d68c14a84435851a13b21c11a1a0a3356a32b7deb6ac77.exe

  • Size

    14.7MB

  • MD5

    89e792b80337c2520b91a84bac966691

  • SHA1

    702573deadaaaca5445fb7cb7e5a9bf19fb35a06

  • SHA256

    ec98f07a9e93ae6859d68c14a84435851a13b21c11a1a0a3356a32b7deb6ac77

  • SHA512

    9b28a7a699e4a8bacd8af7f91d6da84dee08709244efc51e751e7d71a28cfae45b142c885382fa8081d4ee3970537889a675eaeede83860211e78215bb1f81e9

  • SSDEEP

    196608:nZAfNt+p9ZlvA+2plMKVvxyOqblnjcsVb/6UD:nefNtiZBt2jMKVvxyOGlj

Score
10/10
asyncratdefendersmartscreenrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

DefenderSmartScreen

C2

4.231.233.180:25310

Mutex

DefenderSmartScreen

Attributes
  • delay

    3

  • install

    false

  • install_file

    DefenderSmartScreen

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec98f07a9e93ae6859d68c14a84435851a13b21c11a1a0a3356a32b7deb6ac77.exe
    "C:\Users\Admin\AppData\Local\Temp\ec98f07a9e93ae6859d68c14a84435851a13b21c11a1a0a3356a32b7deb6ac77.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4960
  • C:\Users\Admin\AppData\Local\Temp\ec98f07a9e93ae6859d68c14a84435851a13b21c11a1a0a3356a32b7deb6ac77.exe
    C:\Users\Admin\AppData\Local\Temp\ec98f07a9e93ae6859d68c14a84435851a13b21c11a1a0a3356a32b7deb6ac77.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
        PID:2124

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ec98f07a9e93ae6859d68c14a84435851a13b21c11a1a0a3356a32b7deb6ac77.exe.log
      Filesize

      902B

      MD5

      317ed182314a105b8436cfd8bb3879f6

      SHA1

      aa407b44619a9b06b18d8a39ce27a65b959598e1

      SHA256

      34a156e5235a27901293bd8928b37d13724d62183e409f6d284110280c56f865

      SHA512

      27bc617005ef36be6384484e5cec56d7165d1e9535c9a0b5546f1f082cc4bf5969acb573da77171ac7f4119c8cf50a3ced103cd21485569c9cfcf2e340468604

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ec98f07a9e93ae6859d68c14a84435851a13b21c11a1a0a3356a32b7deb6ac77.exe
      Filesize

      14.7MB

      MD5

      89e792b80337c2520b91a84bac966691

      SHA1

      702573deadaaaca5445fb7cb7e5a9bf19fb35a06

      SHA256

      ec98f07a9e93ae6859d68c14a84435851a13b21c11a1a0a3356a32b7deb6ac77

      SHA512

      9b28a7a699e4a8bacd8af7f91d6da84dee08709244efc51e751e7d71a28cfae45b142c885382fa8081d4ee3970537889a675eaeede83860211e78215bb1f81e9

      Download Submit
    • memory/2124-141-0x0000000000000000-mapping.dmp
      Download
    • memory/3136-132-0x00000000000E0000-0x0000000000F92000-memory.dmp
      Filesize

      14.7MB

      Download
    • memory/3136-133-0x0000000006470000-0x0000000006A14000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3136-134-0x0000000006070000-0x0000000006102000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3136-135-0x00000000061C0000-0x000000000625C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4960-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4960-137-0x0000000000400000-0x0000000000412000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4960-138-0x0000000005900000-0x0000000005966000-memory.dmp
      Filesize

      408KB

      Download