Analysis

  • max time kernel: 150s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 23-12-2024 10:13

General

  • Target: mod_raenma.exe
  • Size: 351KB
  • MD5: 4be742cf9d626cd0e49ebd0f6673c5a3
  • SHA1: 4b59ac80c7d3173322f6e9af9752152ba3ba8437
  • SHA256: c81e4314c2184685ea4bbb147a928fe6a3cc57f5498b8e311fb352b2f1055712
  • SHA512: e7772593e30e38f32ca6b760693a7574b9c87293021494dee8b182ce0813ddfd01a7e7de6030ea3be9391a2dbb6f8073d1d47db3c101764555f83416863161bc
  • SSDEEP: 6144:zWsRLwBm74DJWy6mYrLC0m7tuGyqxLkMH9O1BNI:zBRLwBm2JWxBGyykMo7I

Malware Config

Extracted

  • Family: asyncrat
  • Botnet: DEC-feder.xyz
  • C2: bahautopilotusatzfeder.xyz:2011, eichstaett.duckdns.org:2011

Attributes

  • delay: 1
  • install: false
  • install_folder: %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan, written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Async RAT payload 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\mod_raenma.exe
        "C:\Users\Admin\AppData\Local\Temp\mod_raenma.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of WriteProcessMemory
        PID:224
      • C:\Windows\System32\notepad.exe
        C:\Windows\System32\notepad.exe
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2764

    Network

    MITRE ATT&CK Matrix

    Downloads

    • memory/2764-0-0x00000223ABD70000-0x00000223ABD8A000-memory.dmp (Filesize: 104KB)
    • memory/2764-1-0x00007FFA37DA3000-0x00007FFA37DA5000-memory.dmp (Filesize: 8KB)
    • memory/2764-2-0x00000223AD8A0000-0x00000223AD8B6000-memory.dmp (Filesize: 88KB)
    • memory/2764-3-0x00007FFA37DA0000-0x00007FFA38861000-memory.dmp (Filesize: 10.8MB)
    • memory/2764-4-0x00007FFA37DA0000-0x00007FFA38861000-memory.dmp (Filesize: 10.8MB)
    • memory/2764-7-0x00007FFA37DA3000-0x00007FFA37DA5000-memory.dmp (Filesize: 8KB)
    • memory/2764-8-0x00007FFA37DA0000-0x00007FFA38861000-memory.dmp (Filesize: 10.8MB)
    • memory/2764-9-0x00007FFA37DA0000-0x00007FFA38861000-memory.dmp (Filesize: 10.8MB)
    • memory/2764-10-0x00007FFA37DA0000-0x00007FFA38861000-memory.dmp (Filesize: 10.8MB)
    • memory/2764-11-0x00007FFA37DA0000-0x00007FFA38861000-memory.dmp (Filesize: 10.8MB)