Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-08-2024 12:13

General

  • Target

    50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe

  • Size

    45KB

  • MD5

    278d86f7b656fb8b1a901b2eea6fddfa

  • SHA1

    871c9002a7d53530ef4db4a7130adfa543de6a88

  • SHA256

    50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e

  • SHA512

    916f18eef5d0c351b21d6e7d02dfeeb91967ee5ee44a30640499e927003b60bdcbef86014ebb519f082e4e76ea95547afebede2afc00c6a978c16265bc1dce59

  • SSDEEP

    768:huk0VT3ongoWU2Gjimo2qrgKjPGaG6PIyzjbFgX3ivYESIfQlvBDZCx:huk0VT3Q+25KTkDy3bCXSvYkfQlZdCx

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

6.tcp.ngrok.io:13280

Mutex

CQHCbIQaDxZy

Attributes
  • delay

    3

  • install

    false

  • install_file

    jor.exe

  • install_folder

    %AppData%

  • aes.plain

    1. 6OnJcGpWr7aWvPIwnwmslLMotZnjkGan
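The aes.plain value is the master key string that the sample hands to AsyncRAT's key derivation, not the AES key itself. The Python below is an added example, not the sandbox's or AsyncRAT's own code: it shows how that string becomes the AES-256 and HMAC keys and how an AsyncRAT-framed buffer (HMAC-SHA256 tag, then IV, then AES-256-CBC ciphertext) is checked and split. The salt, iteration count and framing are taken from the public AsyncRAT source (Aes256.cs, inherited from Quasar); a builder can change them, so confirm them against the decompiled sample. The seal_for_demo helper and the demo buffer are constructed here for offline use, and the final AES step needs the third-party cryptography package.

```python
import hashlib
import hmac
from typing import Tuple

# Master key string recovered by the sandbox (the aes.plain value above).
AES_PLAIN = "6OnJcGpWr7aWvPIwnwmslLMotZnjkGan"

# Constants as in the public AsyncRAT Aes256.cs (same as Quasar). Builders can
# change them; confirm against the decompiled sample before trusting output.
SALT = bytes([
    0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24,
    0x30, 0xA5, 0x78, 0x43, 0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9,
    0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41,
])
ITERATIONS = 50000
KEY_LEN = 32       # AES-256 key: first 32 bytes of the PBKDF2 stream
AUTH_KEY_LEN = 64  # HMAC-SHA256 key: next 64 bytes of the same stream
HMAC_LEN = 32
IV_LEN = 16


def derive_keys(plain_key: str) -> Tuple[bytes, bytes]:
    """Rfc2898DeriveBytes(masterKey, Salt, 50000) is PBKDF2-HMAC-SHA1; the C#
    code calls GetBytes(32) then GetBytes(64), i.e. consecutive slices."""
    stream = hashlib.pbkdf2_hmac("sha1", plain_key.encode("utf-8"), SALT,
                                 ITERATIONS, KEY_LEN + AUTH_KEY_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def split_and_verify(blob: bytes, auth_key: bytes) -> Tuple[bytes, bytes]:
    """AsyncRAT framing: HMAC-SHA256(auth_key, iv || ct) || iv || ct.
    Returns (iv, ct); raises ValueError if the tag does not check out."""
    if len(blob) < HMAC_LEN + IV_LEN:
        raise ValueError("buffer shorter than HMAC + IV")
    tag, body = blob[:HMAC_LEN], blob[HMAC_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: wrong master key or tampered buffer")
    return body[:IV_LEN], body[IV_LEN:]


def decrypt(blob: bytes, plain_key: str = AES_PLAIN) -> bytes:
    """Full decrypt of one AsyncRAT buffer (config string or packet payload).
    The AES-256-CBC/PKCS7 step uses the third-party 'cryptography' package."""
    key, auth_key = derive_keys(plain_key)
    iv, ct = split_and_verify(blob, auth_key)
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()


def seal_for_demo(iv: bytes, ct: bytes, auth_key: bytes) -> bytes:
    """Constructed test scaffolding, not malware code: wrap an (iv, ciphertext)
    pair in the same framing so split_and_verify can be exercised offline."""
    body = iv + ct
    return hmac.new(auth_key, body, hashlib.sha256).digest() + body


if __name__ == "__main__":
    key, auth_key = derive_keys(AES_PLAIN)
    print("aes key :", key.hex())
    print("hmac key:", auth_key.hex())
    # Constructed buffer: arbitrary IV and 32 bytes of placeholder ciphertext.
    demo = seal_for_demo(bytes(range(16)), bytes(32), auth_key)
    iv, ct = split_and_verify(demo, auth_key)
    print("verified; iv/ct lengths:", len(iv), len(ct))
    bad = demo[:-1] + bytes([demo[-1] ^ 0x01])
    try:
        split_and_verify(bad, auth_key)
    except ValueError as err:
        print("tampered buffer rejected:", err)
```

Feed decrypt() the raw bytes of a base64-decoded settings string from the decompiled binary; every such buffer starts with the 32-byte tag, so if none of them verify, the build uses a different master key or salt than the upstream source.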

Signatures

  • AsyncRat

    AsyncRAT is an open-source remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

    The configured C2 address, 6.tcp.ngrok.io:13280, is an ngrok TCP tunnel endpoint: the operator's listener sits behind the tunnel, and the addresses the hostname resolved to during this run (3.140.223.7 and 3.141.142.211) belong to ngrok, not to the operator, so block on the tunnel hostname pattern rather than on the IPs.
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe
    "C:\Users\Admin\AppData\Local\Temp\50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1176

Network

  • flag-us
    DNS
    140.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    140.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    205.47.74.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.47.74.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    6.tcp.ngrok.io
    50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe
    Remote address:
    8.8.8.8:53
    Request
    6.tcp.ngrok.io
    IN A
    Response
    6.tcp.ngrok.io
    IN A
    3.140.223.7
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    6.tcp.ngrok.io
    50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe
    Remote address:
    8.8.8.8:53
    Request
    6.tcp.ngrok.io
    IN A
    Response
    6.tcp.ngrok.io
    IN A
    3.140.223.7
  • flag-us
    DNS
    6.tcp.ngrok.io
    50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe
    Remote address:
    8.8.8.8:53
    Request
    6.tcp.ngrok.io
    IN A
    Response
    6.tcp.ngrok.io
    IN A
    3.141.142.211
  • 3.140.223.7:13280 (16 identical connections)
    6.tcp.ngrok.io
    50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe
    260 B
    200 B
    5
    5
  • 3.141.142.211:13280 (3 identical connections)
    6.tcp.ngrok.io
    50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe
    260 B
    200 B
    5
    5
  • 3.141.142.211:13280
    6.tcp.ngrok.io
    50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe
    104 B
    40 B
    2
    1
  • 8.8.8.8:53
    140.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    140.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    205.47.74.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    205.47.74.20.in-addr.arpa

  • 8.8.8.8:53
    6.tcp.ngrok.io
    dns
    50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe
    60 B
    76 B
    1
    1

    DNS Request

    6.tcp.ngrok.io

    DNS Response

    3.140.223.7

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    6.tcp.ngrok.io
    dns
    50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe
    60 B
    76 B
    1
    1

    DNS Request

    6.tcp.ngrok.io

    DNS Response

    3.140.223.7

  • 8.8.8.8:53
    6.tcp.ngrok.io
    dns
    50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe
    60 B
    76 B
    1
    1

    DNS Request

    6.tcp.ngrok.io

    DNS Response

    3.141.142.211
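The "Legitimate hosting services abused for malware hosting/C2" signature and the connection records above show the pattern a detection should key on: a tunnel-service hostname (N.tcp.ngrok.io) whose answer changes between lookups, and a reconnect loop of short, identically sized TCP sessions to an unusual port. The Python below is an added example, not the sandbox's code, that runs both checks over records constructed to mirror this report; the regional form of the ngrok hostname pattern, the sent/received column order and the threshold of five identical sessions are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# ngrok TCP tunnel endpoints: N.tcp.ngrok.io, or N.tcp.<region>.ngrok.io for
# regional endpoints (assumption: two-letter region label such as eu or ap).
NGROK_TCP = re.compile(r"^\d+\.tcp(\.[a-z]{2})?\.ngrok\.io$")

SAMPLE = "50ce164844684892d697f16bc194d82841e4c1b951609d12bc26cab8b028192e.exe"

# Constructed records mirroring the Network section of this report.
# DNS: (hostname, answer).
# TCP: (remote, hostname, process, bytes_sent, bytes_received, pkts_sent,
#       pkts_received); the sent/received column order is assumed.
DNS_ANSWERS: List[Tuple[str, str]] = [
    ("6.tcp.ngrok.io", "3.140.223.7"),
    ("6.tcp.ngrok.io", "3.140.223.7"),
    ("6.tcp.ngrok.io", "3.141.142.211"),
]
CONNECTIONS: List[tuple] = (
    [("3.140.223.7:13280", "6.tcp.ngrok.io", SAMPLE, 260, 200, 5, 5)] * 16
    + [("3.141.142.211:13280", "6.tcp.ngrok.io", SAMPLE, 260, 200, 5, 5)] * 3
    + [("3.141.142.211:13280", "6.tcp.ngrok.io", SAMPLE, 104, 40, 2, 1)]
)


def tunnel_hosts(dns_answers: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each tunnel-service hostname to every IP it resolved to."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for host, ip in dns_answers:
        if NGROK_TCP.match(host):
            hits[host].add(ip)
    return dict(hits)


def repeated_fixed_size_sessions(conns: Iterable[tuple],
                                 min_count: int = 5) -> Dict[tuple, int]:
    """Count sessions whose remote, host, process, byte and packet counts are
    all identical. A reconnect loop produces many such clones; normal client
    traffic rarely does."""
    groups: Dict[tuple, int] = defaultdict(int)
    for rec in conns:
        groups[tuple(rec)] += 1
    return {k: n for k, n in groups.items() if n >= min_count}


def assess(dns_answers: Iterable[Tuple[str, str]], conns: Iterable[tuple],
           min_count: int = 5) -> List[str]:
    """Combine both checks into human-readable findings."""
    findings: List[str] = []
    tunnels = tunnel_hosts(dns_answers)
    for host, ips in tunnels.items():
        findings.append(f"tunnel-service C2 host {host} resolved to {sorted(ips)}; "
                        f"alert on the hostname pattern, the IPs rotate")
    for key, n in repeated_fixed_size_sessions(conns, min_count).items():
        remote, host, proc, sent, recv, _, _ = key
        via = " via tunnel service" if host in tunnels else ""
        findings.append(f"{n} identical {sent}B-sent/{recv}B-received sessions "
                        f"from {proc} to {remote}{via}")
    return findings


if __name__ == "__main__":
    for line in assess(DNS_ANSWERS, CONNECTIONS):
        print(line)
```

With the default threshold only the 16-session group to 3.140.223.7 is flagged; lowering min_count to 3 also catches the three identical sessions to 3.141.142.211, while the final 104 B / 40 B session stays unflagged because its size differs.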

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1176-0-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

    Filesize

    4KB

  • memory/1176-1-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

    Filesize

    72KB

  • memory/1176-2-0x0000000074FB0000-0x0000000075760000-memory.dmp

    Filesize

    7.7MB

  • memory/1176-3-0x0000000074FBE000-0x0000000074FBF000-memory.dmp

    Filesize

    4KB

  • memory/1176-4-0x0000000074FB0000-0x0000000075760000-memory.dmp

    Filesize

    7.7MB
