Overview

overview

10

Static

static

3

b899fc7141...bb.exe

windows7-x64

10

b899fc7141...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2024 10:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb.exe

  • Size

    481KB

  • MD5

    3bcf40a5ad0db3f29f3c6243a923e277

  • SHA1

    5a500389d073311b3decc47819c19dd7faf56abb

  • SHA256

    b899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb

  • SHA512

    45ffa4c66672403220f96b58dc4bc6ac361aff38e8bb14743c63ab52659229d186a36181b7b396b024648f1f2bc54a67ca7224f1fe17cb2a4ad04d5986d78d9a

  • SSDEEP

    6144:csFDZUi1H8vzgMU+duPOyxzWtrboPZXBR+IhQaTb5Jz/:nlH8vzgL8QJxzWqRXBR

Score
10/10
asyncrat26/4/22discoveryrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

26/4/22

C2

znets.ddns.net:2000

dnets.ddns.net:2000
Mutex

mgjgjfugfrabywe7retren89i><LPO((*&*UJjiM8yn&&*N89I)(

Attributes
  • delay

    3

  • install

    false

  • install_file

    Windows Utility Essentials.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb.exe
    "C:\Users\Admin\AppData\Local\Temp\b899fc7141b866552940b6ee0f8ab0d214a05c8338906fd85fae67c507d652bb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3124-9-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3124-1-0x0000000000A40000-0x0000000000ABE000-memory.dmp

    Filesize

    504KB

    Download

  • memory/3124-2-0x00000000059D0000-0x0000000005F74000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3124-3-0x00000000054C0000-0x0000000005552000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3124-4-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3124-5-0x0000000005890000-0x000000000589A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3124-8-0x00000000750AE000-0x00000000750AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3124-0-0x00000000750AE000-0x00000000750AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4224-6-0x0000000000400000-0x0000000000412000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4224-7-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4224-10-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4224-11-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4224-12-0x00000000750A0000-0x0000000075850000-memory.dmp

    Filesize

    7.7MB

    Download