Analysis

  • max time kernel
    333s
  • max time network
    334s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-07-2024 17:46

Errors

Reason
Machine shutdown

General

  • Target

    Client.exe

  • Size

    47KB

  • MD5

    fb11528a2333082ba221031b9a9a0e77

  • SHA1

    af59136079fc620db3ff50f0a00cc4768bc05336

  • SHA256

    b2c58a9b825b968a5e48ee6942c45fd44b88597248e5b4528c72ce9b9baca9f5

  • SHA512

    344d4638da6abc45286c32dcd53856e3e3c1ec856a3a2fe57f1140d5475cd6f6e836bf651d152abdef67a0f8e65647e985512f8f6630f9b47a1e47513269d10b

  • SSDEEP

    768:4q+s3pUtDILNCCa+DiptelDSN+iV08YbygeB5gyZaUhvEgK/JvZVc6KN:4q+AGtQOptKDs4zb1BynkJvZVclN

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:8848

127.0.0.1:37029

147.185.221.21:8848

147.185.221.21:37029

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block-at-first-seen, etc.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3936
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Windows\system32\shutdown.exe
        shutdown /r /t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4944
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa395c055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1184

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\y.bat

    Filesize

    20B

    MD5

    0dd69117362dc55fd18fd6515a558959

    SHA1

    a926d94063ba9bcfbe2ea3908f422e7180dc501f

    SHA256

    6de70703ba83f3910ed35774ba63f603bcbe0277e7ea4c02091eb26f86a9433f

    SHA512

    b9b89afa81e1005203a9c18afb9f456f8fe1374d2036977911197fbfbf918032d6527b48b5e34d8349fac223c40e20120f3197179899a352023792e31abb39a4

  • memory/3936-6-0x00007FFDA44D0000-0x00007FFDA4F91000-memory.dmp

    Filesize

    10.8MB

  • memory/3936-2-0x00007FFDA44D0000-0x00007FFDA4F91000-memory.dmp

    Filesize

    10.8MB

  • memory/3936-3-0x00007FFDA44D0000-0x00007FFDA4F91000-memory.dmp

    Filesize

    10.8MB

  • memory/3936-4-0x00007FFDA44D3000-0x00007FFDA44D5000-memory.dmp

    Filesize

    8KB

  • memory/3936-5-0x00007FFDA44D0000-0x00007FFDA4F91000-memory.dmp

    Filesize

    10.8MB

  • memory/3936-0-0x0000000000AE0000-0x0000000000AF2000-memory.dmp

    Filesize

    72KB

  • memory/3936-7-0x000000001D350000-0x000000001D3C6000-memory.dmp

    Filesize

    472KB

  • memory/3936-8-0x0000000001300000-0x000000000130E000-memory.dmp

    Filesize

    56KB

  • memory/3936-9-0x0000000002D90000-0x0000000002DAE000-memory.dmp

    Filesize

    120KB

  • memory/3936-10-0x0000000002DF0000-0x0000000002E0A000-memory.dmp

    Filesize

    104KB

  • memory/3936-1-0x00007FFDA44D3000-0x00007FFDA44D5000-memory.dmp

    Filesize

    8KB

  • memory/3936-18-0x00007FFDA44D0000-0x00007FFDA4F91000-memory.dmp

    Filesize

    10.8MB