Analysis

  • max time kernel
    25s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    04/05/2023, 10:34

General

  • Target

    Ta.exe

  • Size

    1024.0MB

  • MD5

    2cae069aa7b7d01aa0518ce54131e797

  • SHA1

    484f33776492a78958914c3a637615e30b3acebb

  • SHA256

    3ae0b6a4b5f4733df33d3962f6911c32d0e21e119fb3dfb93598460f67ff17ff

  • SHA512

    b23b27ae9431846223442da391e9d3d7cc4fc9f30603c8283b03da47f0994cc8a8b22a60d90e36faadeb22f6e70bbd4a6fb1fa5816e411e228158c771ab93275

  • SSDEEP

    12288:l4mT/RcXtvyJdBQhXVQpmDv4alfZqby13caYgd2D0gjDsTrU:l4C/6XtvWBmQpmT4gcaYgdBgjDsPU

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

45.81.243.217:6606

45.81.243.217:7707

45.81.243.217:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Async RAT payload 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ta.exe
    "C:\Users\Admin\AppData\Local\Temp\Ta.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1572

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1572-54-0x0000000000930000-0x0000000000945000-memory.dmp

          Filesize

          84KB

        • memory/1572-55-0x0000000028070000-0x0000000028082000-memory.dmp

          Filesize

          72KB

        • memory/1572-56-0x0000000041370000-0x00000000413F0000-memory.dmp

          Filesize

          512KB

        • memory/1572-57-0x0000000041370000-0x00000000413F0000-memory.dmp

          Filesize

          512KB