Analysis

  • max time kernel
    129s
  • max time network
    157s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    07-08-2024 18:44

General

  • Target

    Infected.exe

  • Size

    63KB

  • MD5

    b559d134b2b20d390013bfc82871134e

  • SHA1

    e3cdfc8a1ea3193f9a2e0efe70725140c37d1b81

  • SHA256

    4ebb21aa5c2d20a7bbba1d199d70df4ad7bee1f31d0a5b59713223d01f7e1c7f

  • SHA512

    2a560cbd05299249565f03ff22eb467a5452ac5f537fd33f9b312c79ecb65364906bb690cb461d7c629dd347a6e23e1381411c2b355ac9a3782e0cd79f009110

  • SSDEEP

    768:QvsM2sk/978SQC8A+XjlazcBRL5JTk1+T4KSBGHmDbD/ph0oXkhur9eQSu0dpqKX:j1/M/dSJYUbdh9Avu0dpqKmY7

Score
10/10

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:5552

127.0.0.1:30043

transportation-denied.gl.at.ply.gg:5552

transportation-denied.gl.at.ply.gg:30043

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain
1
Hpigh0eofYLhfOSui6fEFHZblrjldMcX

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Infected.exe
    "C:\Users\Admin\AppData\Local\Temp\Infected.exe"
    • Suspicious use of AdjustPrivilegeToken
    PID:4488

Network

  • DNS transportation-denied.gl.at.ply.gg (Infected.exe)
    Remote address: 8.8.8.8:53
    Request: transportation-denied.gl.at.ply.gg IN A
    Response: transportation-denied.gl.at.ply.gg IN A 147.185.221.20
  • DNS 20.221.185.147.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 20.221.185.147.in-addr.arpa IN PTR
    Response: (none)
  • DNS 69.190.18.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 69.190.18.2.in-addr.arpa IN PTR
    Response: 69.190.18.2.in-addr.arpa IN PTR a2-18-190-69.deploy.static.akamaitechnologies.com
  • DNS 14.227.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 14.227.111.52.in-addr.arpa IN PTR
    Response: (none)
  • DNS 79.190.18.2.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 79.190.18.2.in-addr.arpa IN PTR
    Response: 79.190.18.2.in-addr.arpa IN PTR a2-18-190-79.deploy.static.akamaitechnologies.com
  • DNS 171.117.168.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 171.117.168.52.in-addr.arpa IN PTR
    Response: (none)
  • 127.0.0.1:5552
    Infected.exe
  • 127.0.0.1:5552
    Infected.exe
  • 147.185.221.20:30043 (transportation-denied.gl.at.ply.gg)
    tls, Infected.exe
    5.0kB tx / 3.3kB rx, 38 / 37 packets
  • 8.8.8.8:53 (transportation-denied.gl.at.ply.gg)
    dns, Infected.exe
    80 B tx / 96 B rx, 1 / 1 packets
    DNS Request: transportation-denied.gl.at.ply.gg
    DNS Response: 147.185.221.20
  • 8.8.8.8:53 (20.221.185.147.in-addr.arpa)
    dns
    73 B tx / 130 B rx, 1 / 1 packets
    DNS Request: 20.221.185.147.in-addr.arpa
  • 8.8.8.8:53 (69.190.18.2.in-addr.arpa)
    dns
    70 B tx / 133 B rx, 1 / 1 packets
    DNS Request: 69.190.18.2.in-addr.arpa
  • 8.8.8.8:53 (14.227.111.52.in-addr.arpa)
    dns
    72 B tx / 158 B rx, 1 / 1 packets
    DNS Request: 14.227.111.52.in-addr.arpa
  • 8.8.8.8:53 (79.190.18.2.in-addr.arpa)
    dns
    70 B tx / 133 B rx, 1 / 1 packets
    DNS Request: 79.190.18.2.in-addr.arpa
  • 8.8.8.8:53 (171.117.168.52.in-addr.arpa)
    dns
    73 B tx / 147 B rx, 1 / 1 packets
    DNS Request: 171.117.168.52.in-addr.arpa


Downloads

  • memory/4488-0-0x0000000000040000-0x0000000000056000-memory.dmp

    Filesize

    88KB

  • memory/4488-1-0x00007FFB513E0000-0x00007FFB515BB000-memory.dmp

    Filesize

    1.9MB

  • memory/4488-2-0x00007FFB513E0000-0x00007FFB515BB000-memory.dmp

    Filesize

    1.9MB

  • memory/4488-3-0x00007FFB513E0000-0x00007FFB515BB000-memory.dmp

    Filesize

    1.9MB

  • memory/4488-6-0x00007FFB513E0000-0x00007FFB515BB000-memory.dmp

    Filesize

    1.9MB

  • memory/4488-7-0x00007FFB513E0000-0x00007FFB515BB000-memory.dmp

    Filesize

    1.9MB
