Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-11-2024 00:03

General

  • Target

    Client.exe

  • Size

    63KB

  • MD5

    0cfabb4492c8d690bd6f9cf88b52ead9

  • SHA1

    640f8b5a21ef6ab691e524e915b36add1d53950e

  • SHA256

    606a8ba12343088e8ae770a119c33e7bd86ed45346b5a1f88f94b8d3562284bf

  • SHA512

    110c0a9cef7e535d28b3ae666ebeed159d05f9c1c32cfeac1c35d96eaf7b2e3623ca2d9be7d9ba324e0e4ae2f247f53ceb9f52bb304ae76acf7341d2c6f63e6e

  • SSDEEP

    1536:xhRzHh1AkR7IWL3leeiMl8GbbXwEXk2GZZVclN:xhRzHh1AkR7X3YeFmGbbXx0DzY

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

Mutex

NUEJFR_RT

Attributes
  • delay

    1

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

  • pastebin_config

    https://pastebin.com/raw/c5xtcUfn

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4500
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3312

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/3312-12-0x00000285E8370000-0x00000285E8371000-memory.dmp (Filesize: 4KB)
  • memory/3312-15-0x00000285E8370000-0x00000285E8371000-memory.dmp (Filesize: 4KB)
  • memory/3312-4-0x00000285E8370000-0x00000285E8371000-memory.dmp (Filesize: 4KB)
  • memory/3312-6-0x00000285E8370000-0x00000285E8371000-memory.dmp (Filesize: 4KB)
  • memory/3312-5-0x00000285E8370000-0x00000285E8371000-memory.dmp (Filesize: 4KB)
  • memory/3312-16-0x00000285E8370000-0x00000285E8371000-memory.dmp (Filesize: 4KB)
  • memory/3312-10-0x00000285E8370000-0x00000285E8371000-memory.dmp (Filesize: 4KB)
  • memory/3312-14-0x00000285E8370000-0x00000285E8371000-memory.dmp (Filesize: 4KB)
  • memory/3312-11-0x00000285E8370000-0x00000285E8371000-memory.dmp (Filesize: 4KB)
  • memory/3312-13-0x00000285E8370000-0x00000285E8371000-memory.dmp (Filesize: 4KB)
  • memory/4500-0-0x00007FFDF1C13000-0x00007FFDF1C15000-memory.dmp (Filesize: 8KB)
  • memory/4500-1-0x0000000000610000-0x0000000000626000-memory.dmp (Filesize: 88KB)
  • memory/4500-3-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp (Filesize: 10.8MB)
  • memory/4500-2-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp (Filesize: 10.8MB)