Analysis
-
max time kernel
135s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
31-05-2023 05:51
Static task
static1
Behavioral task
behavioral1
Sample
x5Z0luEJ3fbsDaW.exe
Resource
win7-20230220-en
General
-
Target
x5Z0luEJ3fbsDaW.exe
-
Size
578KB
-
MD5
c514ff7ca1abd4e92b17c1249e00569f
-
SHA1
5ca2b947a3722a75b6b4299e8aa2341fac1da608
-
SHA256
e7257b2ef7c6b3b168ad3671313943edd71572ac24421d765890a878a67556bb
-
SHA512
2e4e005a235281fc94a50489dcb2d3410800fd3e595d0350289ea31dd6f1fd60ebd0acd55692a5c913a39b391116c7a892d467fd40488b49beaa93d4ad82ebba
-
SSDEEP
12288:Q4AMTihh6xhZ6Orm8pet86bqUoEjU7tkJB02EiK:gMUgh8yna86YEjU7tOBxE
Malware Config
Extracted
Family: asyncrat
Version: 0.5.7B
Botnet: Default
C2:
95.214.27.44:6606
95.214.27.44:7707
95.214.27.44:8808
Mutex: AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Async RAT payload 1 IoCs
resource: behavioral2/memory/5048-139-0x0000000000400000-0x0000000000412000-memory.dmp
yara_rule: asyncrat -
Suspicious use of SetThreadContext 1 IoCs
description: PID 4808 set thread context of 5048
pid: 4808
Process: x5Z0luEJ3fbsDaW.exe
procid_target: 88 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description: Token: SeDebugPrivilege
pid: 5048
Process: x5Z0luEJ3fbsDaW.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description: PID 4808 wrote to memory of 5048
pid: 4808
Process: x5Z0luEJ3fbsDaW.exe
procid_target: 88
(the same entry is recorded 8 times, one per write)
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\x5Z0luEJ3fbsDaW.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\x5Z0luEJ3fbsDaW.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4808 -
Level 2 (child of the level 1 process): C:\Users\Admin\AppData\Local\Temp\x5Z0luEJ3fbsDaW.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\x5Z0luEJ3fbsDaW.exe"
- Suspicious use of AdjustPrivilegeToken
PID:5048
-
Network
-
Remote address: 8.8.8.8:53
Request: 133.211.185.52.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 22.160.190.20.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 58.55.71.13.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 8.3.197.209.in-addr.arpa IN PTR
Response: 8.3.197.209.in-addr.arpa IN PTR vip0x008map2sslhwcdnnet
-
Remote address: 8.8.8.8:53
Request: 233.141.123.20.in-addr.arpa IN PTR
Response: (none)
-
Remote address: 8.8.8.8:53
Request: 44.27.214.95.in-addr.arpa IN PTR
Response: (none)
-
Traffic summary (remote address column not present in the extracted page; "-" marks a value the page does not give):

Sent      Received  Sent pkts  Recv pkts  DNS Request
260 B     -         5          -          -
322 B     -         7          -          -
260 B     -         5          -          -
5.4kB     5.8kB     49         49         -
260 B     -         5          -          -
260 B     -         5          -          -
260 B     -         5          -          -
208 B     -         4          -          -
73 B      147 B     1          1          133.211.185.52.in-addr.arpa
72 B      158 B     1          1          22.160.190.20.in-addr.arpa
73 B      144 B     1          1          95.221.229.192.in-addr.arpa
70 B      144 B     1          1          58.55.71.13.in-addr.arpa
70 B      111 B     1          1          8.3.197.209.in-addr.arpa
73 B      159 B     1          1          233.141.123.20.in-addr.arpa
71 B      146 B     1          1          44.27.214.95.in-addr.arpa
MITRE ATT&CK Matrix
Downloads
-
Filesize
1KB
MD5
36049bae97bba745c793444373453cb0
SHA1
eb6e9a822944e8e207abba1a5e53f0183a1684f1
SHA256
839fa1f9725719938ffa24533587b168bae2768f23ac09dccb3ad4ab8ae6abcd
SHA512
a6584b7b435afeffb6becfbed82517087030eb23534fa50deecd02330bf36d633ba22e979e36b9c27e35885f9cc1cc9481dadc53cc265be61391e11a7c2c7cdb