Overview

overview

10

Static

static

3

e51beeef2a...02.exe

windows7-x64

10

e51beeef2a...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    182s
  • max time network
    229s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    11-05-2023 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e51beeef2a2539ff8ef9e4bf7ffdf002.exe

  • Size

    19.8MB

  • MD5

    e51beeef2a2539ff8ef9e4bf7ffdf002

  • SHA1

    fb7435fcbe78d1e50364db3bc527a7e394a3cc71

  • SHA256

    e09a35ac6c37f4807daf1dcfeb8e2f1fa78003cf1b48b942152ad54152ed2ae6

  • SHA512

    363417b1fb3a4fd12267190cde711366b287def6d00a9ceda33f0f71c88c3500ed57553772f10880edef23eb4733c36c009d07fcf1eb775a5a684ce3f6c47d4b

  • SSDEEP

    6144:7fQTkfGlJz/us5e2jKFFRavrXQ1SHbboDr21dP:7fQTkfsJL9aS7sfu

Score
10/10
asyncratmunabcrat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

MunaBC

C2

piddix.duckdns.org:4449

Mutex

muna123456789

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 6 IoCs
    rat
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e51beeef2a2539ff8ef9e4bf7ffdf002.exe
    "C:\Users\Admin\AppData\Local\Temp\e51beeef2a2539ff8ef9e4bf7ffdf002.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1444
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\teamviewer"
      2⤵
        PID:520
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:976
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe'" /f
          3⤵
          • Creates scheduled task(s)
          PID:592
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\e51beeef2a2539ff8ef9e4bf7ffdf002.exe" "C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe"
        2⤵
          PID:468
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {1F62194A-322E-4ABD-BA16-B47D6B8B691D} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe
          C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1992
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1224
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\teamviewer"
            3⤵
              PID:2016
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe'" /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1720
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe'" /f
                4⤵
                • Creates scheduled task(s)
                PID:1228
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c copy "C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe" "C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe"
              3⤵
                PID:856

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe
            Filesize

            19.8MB

            MD5

            e51beeef2a2539ff8ef9e4bf7ffdf002

            SHA1

            fb7435fcbe78d1e50364db3bc527a7e394a3cc71

            SHA256

            e09a35ac6c37f4807daf1dcfeb8e2f1fa78003cf1b48b942152ad54152ed2ae6

            SHA512

            363417b1fb3a4fd12267190cde711366b287def6d00a9ceda33f0f71c88c3500ed57553772f10880edef23eb4733c36c009d07fcf1eb775a5a684ce3f6c47d4b

            Download Submit

          • C:\Users\Admin\AppData\Roaming\teamviewer\teamviewer.exe
            Filesize

            19.8MB

            MD5

            e51beeef2a2539ff8ef9e4bf7ffdf002

            SHA1

            fb7435fcbe78d1e50364db3bc527a7e394a3cc71

            SHA256

            e09a35ac6c37f4807daf1dcfeb8e2f1fa78003cf1b48b942152ad54152ed2ae6

            SHA512

            363417b1fb3a4fd12267190cde711366b287def6d00a9ceda33f0f71c88c3500ed57553772f10880edef23eb4733c36c009d07fcf1eb775a5a684ce3f6c47d4b

            Download Submit

          • memory/1224-85-0x0000000000460000-0x00000000004A0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1444-58-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1444-68-0x00000000025B0000-0x00000000025F0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1444-59-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1444-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1444-61-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1444-63-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1444-65-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1444-56-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1444-69-0x00000000025B0000-0x00000000025F0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1444-57-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1540-54-0x0000000000890000-0x0000000000912000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1540-55-0x00000000047D0000-0x0000000004810000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1992-73-0x0000000001320000-0x00000000013A2000-memory.dmp

            Filesize

            520KB

            Download

          • memory/1992-74-0x0000000001110000-0x0000000001150000-memory.dmp

            Filesize

            256KB

            Download