Analysis
- max time kernel: 132s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 12/03/2024, 21:34
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe
  - Resource: win7-20240220-en
Behavioral task
- behavioral2
  - Sample: 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe
  - Resource: win10v2004-20240226-en
General
- Target: 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe
- Size: 320KB
- MD5: 3f088e75c8dff450bb0eb1d9a8a1c68a
- SHA1: 779f0f742cd4e1e42f95c4c86e14c2bac5a88397
- SHA256: 6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e
- SHA512: f858234e044960ff862e6c716c159f631384096618955b9c041a2c03c0b70732f00ea4baaf4d96c78045f37e32e389ec27f3c0cc16ee18be01b68935806336c7
- SSDEEP: 3072:wqQLW3NQGDxLKFvweJvCnKkopganrtvaTVieMhJ3Bj3untI1fE:lXa1vmopganrtvaTVieMT36L
Malware Config
Extracted
- asyncrat
- 1.0.7
- Dark-20250 - M
- bg1.heztak.pro:2202
- DcRatMutex_qwqdanchun
- delay: 1
- install: false
- install_folder: %AppData%
Signatures
-
Detects executables attempting to enumerate video devices using WMI (5 IoCs)
YARA rule INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice matched in:
- behavioral1/memory/2144-5-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-6-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-9-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-11-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-13-0x0000000000400000-0x0000000000412000-memory.dmp
-
Detects executables containing the string DcRatBy (5 IoCs)
YARA rule INDICATOR_SUSPICIOUS_EXE_DcRatBy matched in:
- behavioral1/memory/2144-5-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-6-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-9-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-11-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-13-0x0000000000400000-0x0000000000412000-memory.dmp
-
Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. (5 IoCs)
YARA rule INDICATOR_SUSPICIOUS_EXE_B64_Artifacts matched in:
- behavioral1/memory/2144-5-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-6-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-9-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-11-0x0000000000400000-0x0000000000412000-memory.dmp
- behavioral1/memory/2144-13-0x0000000000400000-0x0000000000412000-memory.dmp
-
Detects executables packed with SmartAssembly (2 IoCs)
YARA rule INDICATOR_EXE_Packed_SmartAssembly matched in:
- behavioral1/memory/3028-0-0x00000000012B0000-0x00000000012DA000-memory.dmp
- behavioral1/memory/3028-2-0x0000000004AD0000-0x0000000004B10000-memory.dmp
-
Suspicious use of SetThreadContext (1 IoC)
- PID 3028 (6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe) set thread context of PID 2144 (procid_target 28)
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 2696: schtasks.exe
-
Suspicious use of WriteProcessMemory (28 IoCs)
- PID 3028 (6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe) wrote to memory of PID 2144 (procid_target 28): 12 events
- PID 3028 (6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe) wrote to memory of PID 2556 (procid_target 29): 4 events
- PID 3028 (6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe) wrote to memory of PID 2652 (procid_target 30): 4 events
- PID 3028 (6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe) wrote to memory of PID 2680 (procid_target 31): 4 events
- PID 2652 (cmd.exe) wrote to memory of PID 2696 (procid_target 35): 4 events
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe"
  PID: 3028
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 2144
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AddDate"
    PID: 2556
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AddDate\AddDate.exe'" /f
    PID: 2652
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AddDate\AddDate.exe'" /f
      PID: 2696
      Signatures: Creates scheduled task(s)
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\6bfa0dd8358f29a9201496ffa3a4893480b17328f8ef106e373842776770a36e.exe" "C:\Users\Admin\AppData\Roaming\AddDate\AddDate.exe"
    PID: 2680