Overview

overview

10

Static

static

3

corn.zip

windows10-1703-x64

10

Analysis

  • max time kernel
    1787s
  • max time network
    1798s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-10-2024 10:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    corn.zip

  • Size

    42.8MB

  • MD5

    b2240d2e0b513829302d88ffe03d0dfc

  • SHA1

    53aee13e981747502a54c412794cc7cdc9d1805b

  • SHA256

    7f792e120c8f15453d4c3475911aa8ec4bcbe95514d9167aadfc445af7fe68a5

  • SHA512

    d687e375b6b70c18f4bb3b4a3c72277eed2f4433be63d7a3f1a192af29a4a89e7b333ec9743e83ed327bb7e7c0f251eb2e5735c5d73b740170afcc0663254c09

  • SSDEEP

    786432:CDXXuerfHkIZf06hLwbl9Pm2TW38ZF+oxwk4fbSep82zpMNV:CDnXfHkIZcXM2TdZooxwnXWNV

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

91.92.247.210:3232

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3196
      • C:\Program Files\7-Zip\7zFM.exe
        C:\Users\Admin\AppData\Local\Temp\corn.zip
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3336
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3572
        • C:\Users\puncher\Downloads\Python\Python312\python.exe
          python.exe ve.py
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of WriteProcessMemory
          PID:1132
      • C:\Windows\System32\notepad.exe
        C:\Windows\System32\notepad.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2412

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1132-43-0x000001E91FD50000-0x000001E920D20000-memory.dmp

        Filesize

        15.8MB

        Download

      • memory/2896-44-0x000001D8FBE60000-0x000001D8FBE7A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2896-49-0x000001D8FD9B0000-0x000001D8FD9C6000-memory.dmp

        Filesize

        88KB

        Download