Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
22-03-2023 23:00
General
-
Target
166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1.exe
-
Size
114KB
-
MD5
0b2558275f8bf9af6279cbf0c0763ac0
-
SHA1
5385e1878071ae18061c1ddf517d616381efd282
-
SHA256
166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1
-
SHA512
fe1693baade99ebdc6927dd3986e918f3058d76cdf99c1142b67416063e06b22ef7d2fd2f3085a40c7f7d4836d6e246fd7d11a7a1324498b662890dc3eb29f3c
-
SSDEEP
1536:Gq+AGtQO2dzb1DBxnkJwAUaPQ4EXJ6EipXy9FMXsGjB+V7DQ4X63AsqiGwHak9i7:PotQOQzb1vTrXni52F47927ogw5aWdY
Malware Config
Extracted
asyncrat
1.0.7
Default
2.tcp.eu.ngrok.io:11712
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 38 IoCs
-
Suspicious use of SendNotifyMessage 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1.exe"C:\Users\Admin\AppData\Local\Temp\166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1.exe"1⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4488-133-0x00000000001E0000-0x0000000000202000-memory.dmpFilesize
136KB
-
memory/4488-134-0x0000000000A40000-0x0000000000A50000-memory.dmpFilesize
64KB
-
memory/4488-135-0x0000000000A40000-0x0000000000A50000-memory.dmpFilesize
64KB
-
memory/4740-136-0x000001496DB70000-0x000001496DB71000-memory.dmpFilesize
4KB
-
memory/4740-137-0x000001496DB70000-0x000001496DB71000-memory.dmpFilesize
4KB
-
memory/4740-138-0x000001496DB70000-0x000001496DB71000-memory.dmpFilesize
4KB
-
memory/4740-142-0x000001496DB70000-0x000001496DB71000-memory.dmpFilesize
4KB
-
memory/4740-143-0x000001496DB70000-0x000001496DB71000-memory.dmpFilesize
4KB
-
memory/4740-144-0x000001496DB70000-0x000001496DB71000-memory.dmpFilesize
4KB
-
memory/4740-145-0x000001496DB70000-0x000001496DB71000-memory.dmpFilesize
4KB
-
memory/4740-146-0x000001496DB70000-0x000001496DB71000-memory.dmpFilesize
4KB
-
memory/4740-147-0x000001496DB70000-0x000001496DB71000-memory.dmpFilesize
4KB
-
memory/4740-148-0x000001496DB70000-0x000001496DB71000-memory.dmpFilesize
4KB