Analysis
-
max time kernel
146s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 16:29
Behavioral task
behavioral1
Sample
56beb9a6774310778d8ce675d947c1cdd9163b2366d8388edaa7b24c1f0fa185.exe
Resource
win7-20240903-en
windows7-x64
4 signatures
150 seconds
General
-
Target
56beb9a6774310778d8ce675d947c1cdd9163b2366d8388edaa7b24c1f0fa185.exe
-
Size
63KB
-
MD5
8043097a0256d80b1c11fb19cdd657cc
-
SHA1
4ab53cb4025f9e3661eb234e3dfd5f51e2c13d7e
-
SHA256
56beb9a6774310778d8ce675d947c1cdd9163b2366d8388edaa7b24c1f0fa185
-
SHA512
d718deab2faf66d5de91bf2702a1e443cb55a27ffe00bad7e1b5b903ab5c2a845520c45d20cb46cfe85f8d9413e07a20cada2a711cb555858c7c9df1430c8bb9
-
SSDEEP
1536:NZJttUdjLAQBhMUyWDwAGbbmwkXfbGMNVclNk:NZJttUdjvBhMUyWDZGbbmXfY2
Malware Config
Extracted
Family
asyncrat
Version
1.0.7
Botnet
Default
Mutex
DcRatMutex_qwqdanchun
Attributes
-
delay
1
-
install
false
-
install_file
csrss.exe
-
install_folder
%AppData%
-
pastebin_config
https://pastebin.com/raw/3Z9zi18j
aes.plain
Signatures
-
Asyncrat family
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
Processes:
flow ioc 5 pastebin.com 6 pastebin.com 12 4.tcp.eu.ngrok.io 47 4.tcp.eu.ngrok.io 60 4.tcp.eu.ngrok.io -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
56beb9a6774310778d8ce675d947c1cdd9163b2366d8388edaa7b24c1f0fa185.exedescription pid process Token: SeDebugPrivilege 3620 56beb9a6774310778d8ce675d947c1cdd9163b2366d8388edaa7b24c1f0fa185.exe