asyncrat | 009836a304833c35cb2336b438f32f29ef113887402f93fe0664505ee7bed246

General

Target

pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
Size

1.0MB
MD5

2596a24f0668203076e4829fa72dcfe7
SHA1

6d47cd0fa430e89e98931c487a179de58b943521
SHA256

009836a304833c35cb2336b438f32f29ef113887402f93fe0664505ee7bed246
SHA512

267359ee0fc829a8d7a7eb954203a238164ec3b397c714c3836241c001d7b90a6dc10720c524a60460597b3a54e47d3e5441dd208bb5a0bcccf7bcfae9432e0e

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

productos.linkpc.net:3470

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
cRDJUz3TELGT8tZPsxRbzbKFZunEqWvB
anti_detection
false
autorun
true
bdos
false
delay
Default
host
productos.linkpc.net
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
3470
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1692-10-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1692-11-0x000000000040C76E-mapping.dmp	asyncrat
behavioral1/memory/1692-12-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1692-13-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1672-36-0x000000000040C76E-mapping.dmp	asyncrat
behavioral1/memory/1672-38-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1672-39-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 3 IoCs

Processes:

dllwindefenderp.exedllwindefenderp.exedllwindefenderp.exe

pid process

564 dllwindefenderp.exe
920 dllwindefenderp.exe
1672 dllwindefenderp.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1040 cmd.exe

pid	process
564	dllwindefenderp.exe
920	dllwindefenderp.exe
1672	dllwindefenderp.exe

pid	process
1040	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exedllwindefenderp.exe

description	pid	process	target process
PID 836 set thread context of 1692	836	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
PID 564 set thread context of 1672	564	dllwindefenderp.exe	dllwindefenderp.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

932 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

472 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exedllwindefenderp.exe

pid process

1692 pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
564 dllwindefenderp.exe

pid	process
932	schtasks.exe

pid	process
472	timeout.exe

pid	process
1692	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
564	dllwindefenderp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exedllwindefenderp.exedllwindefenderp.exe

description	pid	process
Token: SeDebugPrivilege	1692	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
Token: SeDebugPrivilege	564	dllwindefenderp.exe
Token: SeDebugPrivilege	1672	dllwindefenderp.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exepdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.execmd.execmd.exedllwindefenderp.exe

description	pid	process	target process
PID 836 wrote to memory of 1692	836	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
PID 836 wrote to memory of 1692	836	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
PID 836 wrote to memory of 1692	836	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
PID 836 wrote to memory of 1692	836	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
PID 836 wrote to memory of 1692	836	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
PID 836 wrote to memory of 1692	836	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
PID 836 wrote to memory of 1692	836	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
PID 836 wrote to memory of 1692	836	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
PID 836 wrote to memory of 1692	836	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
PID 1692 wrote to memory of 936	1692	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	cmd.exe
PID 1692 wrote to memory of 936	1692	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	cmd.exe
PID 1692 wrote to memory of 936	1692	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	cmd.exe
PID 1692 wrote to memory of 936	1692	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	cmd.exe
PID 1692 wrote to memory of 1040	1692	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	cmd.exe
PID 1692 wrote to memory of 1040	1692	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	cmd.exe
PID 1692 wrote to memory of 1040	1692	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	cmd.exe
PID 1692 wrote to memory of 1040	1692	pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe	cmd.exe
PID 936 wrote to memory of 932	936	cmd.exe	schtasks.exe
PID 936 wrote to memory of 932	936	cmd.exe	schtasks.exe
PID 936 wrote to memory of 932	936	cmd.exe	schtasks.exe
PID 936 wrote to memory of 932	936	cmd.exe	schtasks.exe
PID 1040 wrote to memory of 472	1040	cmd.exe	timeout.exe
PID 1040 wrote to memory of 472	1040	cmd.exe	timeout.exe
PID 1040 wrote to memory of 472	1040	cmd.exe	timeout.exe
PID 1040 wrote to memory of 472	1040	cmd.exe	timeout.exe
PID 1040 wrote to memory of 564	1040	cmd.exe	dllwindefenderp.exe
PID 1040 wrote to memory of 564	1040	cmd.exe	dllwindefenderp.exe
PID 1040 wrote to memory of 564	1040	cmd.exe	dllwindefenderp.exe
PID 1040 wrote to memory of 564	1040	cmd.exe	dllwindefenderp.exe
PID 564 wrote to memory of 920	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 920	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 920	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 920	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 1672	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 1672	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 1672	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 1672	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 1672	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 1672	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 1672	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 1672	564	dllwindefenderp.exe	dllwindefenderp.exe
PID 564 wrote to memory of 1672	564	dllwindefenderp.exe	dllwindefenderp.exe

C:\Users\Admin\AppData\Local\Temp\pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
"C:\Users\Admin\AppData\Local\Temp\pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe
"C:\Users\Admin\AppData\Local\Temp\pdfcartaembargodianreferencianullbywwwdiangovgoverenlinescartadeuda.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "dllwindefenderp" /tr '"C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "dllwindefenderp" /tr '"C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe"'
4⤵
- Creates scheduled task(s)
PID:932

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEFCB.tmp.bat""
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:472

C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe
"C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe
"C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe"
5⤵
- Executes dropped EXE
PID:920

C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe
"C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEFCB.tmp.bat
MD5
8dad16dd1570ef3a8c7243c53ade73db

SHA1
a6c6ff0b56b6e297f49cb31511d22afe982a96dd

SHA256
84a2aa4353503350932b257e81ed65b08830d7b66a224fc38ce58c0a97dfda2f

SHA512
69fcecd43ed9d642fa036da898bd318f0ad23171d029bf0c7395ef2975101969cebfe4da9cdb02b0bd9a7d9876b89da4efdb52983be1ae5b6132d3d7d3f9b2c1

Download Submit
C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe
MD5
2596a24f0668203076e4829fa72dcfe7

SHA1
6d47cd0fa430e89e98931c487a179de58b943521

SHA256
009836a304833c35cb2336b438f32f29ef113887402f93fe0664505ee7bed246

SHA512
267359ee0fc829a8d7a7eb954203a238164ec3b397c714c3836241c001d7b90a6dc10720c524a60460597b3a54e47d3e5441dd208bb5a0bcccf7bcfae9432e0e

Download Submit
C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe
MD5
2596a24f0668203076e4829fa72dcfe7

SHA1
6d47cd0fa430e89e98931c487a179de58b943521

SHA256
009836a304833c35cb2336b438f32f29ef113887402f93fe0664505ee7bed246

SHA512
267359ee0fc829a8d7a7eb954203a238164ec3b397c714c3836241c001d7b90a6dc10720c524a60460597b3a54e47d3e5441dd208bb5a0bcccf7bcfae9432e0e

Download Submit
C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe
MD5
2596a24f0668203076e4829fa72dcfe7

SHA1
6d47cd0fa430e89e98931c487a179de58b943521

SHA256
009836a304833c35cb2336b438f32f29ef113887402f93fe0664505ee7bed246

SHA512
267359ee0fc829a8d7a7eb954203a238164ec3b397c714c3836241c001d7b90a6dc10720c524a60460597b3a54e47d3e5441dd208bb5a0bcccf7bcfae9432e0e

Download Submit
C:\Users\Admin\AppData\Roaming\dllwindefenderp.exe
MD5
2596a24f0668203076e4829fa72dcfe7

SHA1
6d47cd0fa430e89e98931c487a179de58b943521

SHA256
009836a304833c35cb2336b438f32f29ef113887402f93fe0664505ee7bed246

SHA512
267359ee0fc829a8d7a7eb954203a238164ec3b397c714c3836241c001d7b90a6dc10720c524a60460597b3a54e47d3e5441dd208bb5a0bcccf7bcfae9432e0e

Download Submit
\Users\Admin\AppData\Roaming\dllwindefenderp.exe
MD5
2596a24f0668203076e4829fa72dcfe7

SHA1
6d47cd0fa430e89e98931c487a179de58b943521

SHA256
009836a304833c35cb2336b438f32f29ef113887402f93fe0664505ee7bed246

SHA512
267359ee0fc829a8d7a7eb954203a238164ec3b397c714c3836241c001d7b90a6dc10720c524a60460597b3a54e47d3e5441dd208bb5a0bcccf7bcfae9432e0e

Download Submit
memory/472-21-0x0000000000000000-mapping.dmp

Download
memory/564-27-0x0000000001000000-0x0000000001001000-memory.dmp

Filesize
4KB

Download
memory/564-26-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/564-24-0x0000000000000000-mapping.dmp

Download
memory/836-9-0x00000000045B0000-0x000000000461C000-memory.dmp

Filesize
432KB

Download
memory/836-7-0x0000000000860000-0x0000000000868000-memory.dmp

Filesize
32KB

Download
memory/836-6-0x0000000005400000-0x000000000548A000-memory.dmp

Filesize
552KB

Download
memory/836-5-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/836-2-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/836-3-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/932-20-0x0000000000000000-mapping.dmp

Download
memory/936-17-0x0000000000000000-mapping.dmp

Download
memory/1040-18-0x0000000000000000-mapping.dmp

Download
memory/1672-36-0x000000000040C76E-mapping.dmp

Download
memory/1672-38-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1672-39-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1672-40-0x00000000739B0000-0x000000007409E000-memory.dmp

Filesize
6.9MB

Download
memory/1692-14-0x00000000746D0000-0x0000000074DBE000-memory.dmp

Filesize
6.9MB

Download
memory/1692-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1692-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1692-11-0x000000000040C76E-mapping.dmp

Download
memory/1692-10-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads