Overview

overview

10

Static

static

3

4516D516DC...8F.exe

windows7-x64

10

4516D516DC...8F.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4516D516DCF02B03D700312E4AF2B58F.exe

  • Size

    91KB

  • MD5

    4516d516dcf02b03d700312e4af2b58f

  • SHA1

    8a36bd779bfba8a87b5d8ee8e6c0d7c0a4faa3ca

  • SHA256

    b010fc8a5324e8c3f72bd5884f5f31cbc02dcb9df573cf5a82405560f4927687

  • SHA512

    0709c4069670d24c96d32f47fbf8a0eb0b3484cdce07205f5d2640b9b852fa8d0b1fda1b93d2858062ad76c44778cbc68ee831f3919e82422197c64e9a698f39

  • SSDEEP

    1536:rMuBw+olasjN0Fu8MmiGRwOFSe4808VxdHDYIEgr69cmoLu0t0H:rMuBwsshLW/j4v8PdHsX9cmoLu0Y

Score
10/10
asyncratoprat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

OP

C2

20.117.108.240:5612

Mutex

HssS7dvHeccj

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4516D516DCF02B03D700312E4AF2B58F.exe
    "C:\Users\Admin\AppData\Local\Temp\4516D516DCF02B03D700312E4AF2B58F.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      #system32
      2⤵
        PID:2948
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        #system32
        2⤵
          PID:2440
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          #system32
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2444

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1580-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1580-1-0x0000000000F40000-0x0000000000F5E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/1580-2-0x0000000074DF0000-0x00000000754DE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1580-14-0x0000000074DF0000-0x00000000754DE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2444-6-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2444-9-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2444-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2444-5-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2444-4-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2444-3-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2444-13-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2444-11-0x0000000000400000-0x0000000000412000-memory.dmp
        Filesize

        72KB

        Download