asyncrat | af4bd862386d1c1415faae0d962153f35b3c19312baa346bc3ab44841dca3793

General

Target

TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe
Size

1.0MB
MD5

bc0057f2f79389ac4b6837c6b9e01239
SHA1

b3b8950d0829187de5dd133fb7c24957da7d591e
SHA256

535547d574d192bd58faf18b39b1508af8e75c167b38fb1f0dafbba77a1cfabb
SHA512

d055d358fd8e13ea9ec98292c5c9c5e5b30abb98a69cbcadb6972988741593076368ad6433ce27c500e52a53af8be6c8a4f276656713c543f66d5254689406eb

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

parrarobertogali10.duckdns.org:1884

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
UWjy2UHG1k5J2or57HtKfk85dQrUidYK
anti_detection
false
autorun
false
bdos
false
delay
Default
host
parrarobertogali10.duckdns.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
1884
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2516-138-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/2516-139-0x000000000040C74E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe

description	pid	process	target process
PID 636 set thread context of 2516	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3800 schtasks.exe

pid	process
3800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exepowershell.exepowershell.exepowershell.exe

pid	process
636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe
636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe
636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe
636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe
636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe
636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe
3716	powershell.exe
976	powershell.exe
3444	powershell.exe
3716	powershell.exe
976	powershell.exe
3444	powershell.exe
3716	powershell.exe
976	powershell.exe
3444	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exepowershell.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	2516	RegSvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe

description	pid	process	target process
PID 636 wrote to memory of 3716	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 636 wrote to memory of 3716	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 636 wrote to memory of 3716	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 636 wrote to memory of 976	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 636 wrote to memory of 976	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 636 wrote to memory of 976	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 636 wrote to memory of 3800	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	schtasks.exe
PID 636 wrote to memory of 3800	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	schtasks.exe
PID 636 wrote to memory of 3800	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	schtasks.exe
PID 636 wrote to memory of 3444	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 636 wrote to memory of 3444	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 636 wrote to memory of 3444	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	powershell.exe
PID 636 wrote to memory of 3192	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe
PID 636 wrote to memory of 3192	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe
PID 636 wrote to memory of 3192	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe
PID 636 wrote to memory of 2516	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe
PID 636 wrote to memory of 2516	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe
PID 636 wrote to memory of 2516	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe
PID 636 wrote to memory of 2516	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe
PID 636 wrote to memory of 2516	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe
PID 636 wrote to memory of 2516	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe
PID 636 wrote to memory of 2516	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe
PID 636 wrote to memory of 2516	636	TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe
"C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA MISMO BANCO OTRO TITULAR BANCO AGRARIO DE COLOMBIA.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IJvYuv.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IJvYuv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5540.tmp"
2⤵
- Creates scheduled task(s)
PID:3800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IJvYuv.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
PID:3192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
3d4036bc0b43556eb1891e0905f9c95c

SHA1
55822c1993064e5e148c0f0902fdef29de7d243c

SHA256
006868a0a663b3fab6b0ae95adc4debd5a52a6627a0a0d623d374bc70bc35957

SHA512
ae5efc74442fc39984b0260de567820f8ec96ea6775c27d7c5b8199474bb926ded50f53a2fc8e1ed526b5bba745f702c5dfd921dd1a26199524fb6f37b563fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5540.tmp
MD5
0f4175f1f674571f23d15097319394a0

SHA1
1baf077039fa3b2fce9de527542e2d10421e2a85

SHA256
f05b77b89de8e4760822a77fe79c961cf1f470779dcf830d5e2c5c9e23ae8be6

SHA512
218ff9f9b12904b73301577953f82cb75f9a198e51cb63c02a74a2672277c5176c4b92a2ea8f3155b6cbd7ed6507bc6226c90d962d55b84676749ec71c9e23b1

Download Submit
memory/636-122-0x0000000006130000-0x0000000006136000-memory.dmp

Filesize
24KB

Download
memory/636-117-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/636-121-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/636-120-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/636-123-0x0000000001370000-0x00000000013FF000-memory.dmp

Filesize
572KB

Download
memory/636-124-0x00000000073D0000-0x0000000007419000-memory.dmp

Filesize
292KB

Download
memory/636-114-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/636-116-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/636-119-0x0000000005590000-0x0000000005A8E000-memory.dmp

Filesize
5.0MB

Download
memory/636-118-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/976-154-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/976-192-0x000000007F470000-0x000000007F471000-memory.dmp

Filesize
4KB

Download
memory/976-128-0x0000000000000000-mapping.dmp

Download
memory/976-155-0x0000000006942000-0x0000000006943000-memory.dmp

Filesize
4KB

Download
memory/976-195-0x0000000006943000-0x0000000006944000-memory.dmp

Filesize
4KB

Download
memory/976-146-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/2516-139-0x000000000040C74E-mapping.dmp

Download
memory/2516-179-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/2516-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3444-196-0x0000000007283000-0x0000000007284000-memory.dmp

Filesize
4KB

Download
memory/3444-194-0x000000007E550000-0x000000007E551000-memory.dmp

Filesize
4KB

Download
memory/3444-156-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/3444-157-0x0000000007282000-0x0000000007283000-memory.dmp

Filesize
4KB

Download
memory/3444-137-0x0000000000000000-mapping.dmp

Download
memory/3444-161-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/3444-164-0x00000000085F0000-0x00000000085F1000-memory.dmp

Filesize
4KB

Download
memory/3444-167-0x0000000008A30000-0x0000000008A31000-memory.dmp

Filesize
4KB

Download
memory/3716-125-0x0000000000000000-mapping.dmp

Download
memory/3716-170-0x0000000007FF0000-0x0000000007FF1000-memory.dmp

Filesize
4KB

Download
memory/3716-158-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/3716-193-0x000000007EFC0000-0x000000007EFC1000-memory.dmp

Filesize
4KB

Download
memory/3716-150-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download
memory/3716-152-0x0000000001252000-0x0000000001253000-memory.dmp

Filesize
4KB

Download
memory/3716-149-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/3716-197-0x0000000001253000-0x0000000001254000-memory.dmp

Filesize
4KB

Download
memory/3716-131-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/3716-129-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/3800-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads