Overview

overview

10

Static

static

3

corn.zip

windows10-1703-x64

10

Analysis

  • max time kernel
    1789s
  • max time network
    1800s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-10-2024 11:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    corn.zip

  • Size

    42.8MB

  • MD5

    b2240d2e0b513829302d88ffe03d0dfc

  • SHA1

    53aee13e981747502a54c412794cc7cdc9d1805b

  • SHA256

    7f792e120c8f15453d4c3475911aa8ec4bcbe95514d9167aadfc445af7fe68a5

  • SHA512

    d687e375b6b70c18f4bb3b4a3c72277eed2f4433be63d7a3f1a192af29a4a89e7b333ec9743e83ed327bb7e7c0f251eb2e5735c5d73b740170afcc0663254c09

  • SSDEEP

    786432:CDXXuerfHkIZf06hLwbl9Pm2TW38ZF+oxwk4fbSep82zpMNV:CDnXfHkIZcXM2TdZooxwnXWNV

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

91.92.247.210:4449

Mutex

sarcofamdkdtq

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Async RAT payload 1 IoCs
    rat
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3168
      • C:\Program Files\7-Zip\7zFM.exe
        C:\Users\Admin\AppData\Local\Temp\corn.zip
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2752
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Users\puncher\Downloads\Python\Python312\python.exe
          python.exe an.py
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of WriteProcessMemory
          PID:4504
      • C:\Windows\System32\notepad.exe
        C:\Windows\System32\notepad.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4684
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3588

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4684-43-0x00000265C38C0000-0x00000265C38DC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4684-48-0x00000265C53F0000-0x00000265C5408000-memory.dmp

        Filesize

        96KB

        Download