Analysis

  • max time kernel
    159s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    15-02-2023 17:24

General

  • Target

    AnkaBotPC_4.0.5/AnkaBotPC/Bypass.exe

  • Size

    66KB

  • MD5

    ed8ed2bfb05f2f2a5496c4d32095c34b

  • SHA1

    57002f5bf97a9ddf1aafd909dcc676e60343d322

  • SHA256

    8cabd58822919c0a30ddc7a507e4a55a5d314ec466224791d7814711cf373f6c

  • SHA512

    e55c939802586f0b1525dc6e6c8964c37edec8c35b0bfcbd08998807d2c6a4a0d05db6100fc6312be983c585b2270e39d113e7a72a13a8403588a64710be39d1

  • SSDEEP

    1536:ToUWMO7oo0sS7UAkj9O8QQHFdCxlTk/sbbXApJZLTD9VclN:TJof9O8QQHFPsbbXI7PY

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.0

Botnet

Default

C2

141.98.11.72:4449

Mutex

sdtgyxyhor

Attributes
  • delay

    1

  • install

    true

  • install_file

    Ankabotkey.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Async RAT payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnkaBotPC_4.0.5\AnkaBotPC\Bypass.exe
    "C:\Users\Admin\AppData\Local\Temp\AnkaBotPC_4.0.5\AnkaBotPC\Bypass.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Ankabotkey" /tr '"C:\Users\Admin\AppData\Roaming\Ankabotkey.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "Ankabotkey" /tr '"C:\Users\Admin\AppData\Roaming\Ankabotkey.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1700
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8122.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1092
      • C:\Users\Admin\AppData\Roaming\Ankabotkey.exe
        "C:\Users\Admin\AppData\Roaming\Ankabotkey.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:284

Network

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8122.tmp.bat
    Filesize

    154B

    MD5

    5cddc4444d51c6417139844b96300d0b

    SHA1

    ea5100b6afe19224d75e458ca16e44f6a30a8d55

    SHA256

    9dd569f9ea5db43dbc216e0e8a279bb28bebd41d11585d17525e32ee71c9b655

    SHA512

    9ad7f2cbf8d804a0dca968f6401c9f57d2fa5876a1613475d3d6ba2bc299c0a2aead99a7bd0bedbf1288ddb61d09ba50e8e62afbc44a9e801efde82225cb8e3b

  • C:\Users\Admin\AppData\Roaming\Ankabotkey.exe
    Filesize

    66KB

    MD5

    ed8ed2bfb05f2f2a5496c4d32095c34b

    SHA1

    57002f5bf97a9ddf1aafd909dcc676e60343d322

    SHA256

    8cabd58822919c0a30ddc7a507e4a55a5d314ec466224791d7814711cf373f6c

    SHA512

    e55c939802586f0b1525dc6e6c8964c37edec8c35b0bfcbd08998807d2c6a4a0d05db6100fc6312be983c585b2270e39d113e7a72a13a8403588a64710be39d1

  • C:\Users\Admin\AppData\Roaming\Ankabotkey.exe
    Filesize

    66KB

    MD5

    ed8ed2bfb05f2f2a5496c4d32095c34b

    SHA1

    57002f5bf97a9ddf1aafd909dcc676e60343d322

    SHA256

    8cabd58822919c0a30ddc7a507e4a55a5d314ec466224791d7814711cf373f6c

    SHA512

    e55c939802586f0b1525dc6e6c8964c37edec8c35b0bfcbd08998807d2c6a4a0d05db6100fc6312be983c585b2270e39d113e7a72a13a8403588a64710be39d1

  • memory/284-60-0x0000000000000000-mapping.dmp
  • memory/284-63-0x0000000000350000-0x0000000000366000-memory.dmp
    Filesize

    88KB

  • memory/828-54-0x0000000001200000-0x0000000001216000-memory.dmp
    Filesize

    88KB

  • memory/1048-55-0x0000000000000000-mapping.dmp
  • memory/1092-59-0x0000000000000000-mapping.dmp
  • memory/1156-56-0x0000000000000000-mapping.dmp
  • memory/1700-57-0x0000000000000000-mapping.dmp