asyncrat | 83302413883609f00a703e8118667940e5723ab6604c820505eba7a405f358e7

General

Target

DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
Size

798KB
MD5

c1aa336f4b738ae79e10f59e51fb762d
SHA1

2456ec77be476735c8f734050dc20f623caa335c
SHA256

83302413883609f00a703e8118667940e5723ab6604c820505eba7a405f358e7
SHA512

74307439683c228643db7cdec51f569c6fa9bb1deb0d4ba1a2bcacf05d58748c89982a447cf2ff35a7876b4aa48f8d99ad3954d82f29d503cf178f68be496bcd

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

margotmejiabyusfnscdvds.duckdns.org:5020

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
t7UnwEeIlo0l3z9TvkTm9W8qZ2GdeolI
anti_detection
false
autorun
false
bdos
false
delay
Default
host
margotmejiabyusfnscdvds.duckdns.org
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
5020
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2764-138-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/2764-139-0x000000000040C75E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe

description	pid	process	target process
PID 3856 set thread context of 2764	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1000 schtasks.exe

pid	process
1000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exepowershell.exepowershell.exepowershell.exe

pid	process
3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
1220	powershell.exe
3748	powershell.exe
4044	powershell.exe
1220	powershell.exe
3748	powershell.exe
4044	powershell.exe
3748	powershell.exe
1220	powershell.exe
4044	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	3748	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe

description	pid	process	target process
PID 3856 wrote to memory of 3748	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	powershell.exe
PID 3856 wrote to memory of 3748	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	powershell.exe
PID 3856 wrote to memory of 3748	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	powershell.exe
PID 3856 wrote to memory of 1220	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	powershell.exe
PID 3856 wrote to memory of 1220	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	powershell.exe
PID 3856 wrote to memory of 1220	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	powershell.exe
PID 3856 wrote to memory of 1000	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	schtasks.exe
PID 3856 wrote to memory of 1000	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	schtasks.exe
PID 3856 wrote to memory of 1000	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	schtasks.exe
PID 3856 wrote to memory of 4044	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	powershell.exe
PID 3856 wrote to memory of 4044	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	powershell.exe
PID 3856 wrote to memory of 4044	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	powershell.exe
PID 3856 wrote to memory of 2764	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
PID 3856 wrote to memory of 2764	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
PID 3856 wrote to memory of 2764	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
PID 3856 wrote to memory of 2764	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
PID 3856 wrote to memory of 2764	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
PID 3856 wrote to memory of 2764	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
PID 3856 wrote to memory of 2764	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
PID 3856 wrote to memory of 2764	3856	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe	DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe

C:\Users\Admin\AppData\Local\Temp\DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
"C:\Users\Admin\AppData\Local\Temp\DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NoCZgC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NoCZgC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBFF5.tmp"
2⤵
- Creates scheduled task(s)
PID:1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NoCZgC.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Users\Admin\AppData\Local\Temp\DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe
"C:\Users\Admin\AppData\Local\Temp\DEMANDA JUDICIAL REMITIDA CON PROCESO DE FALSIFICACION DE DATOS.exe"
2⤵
PID:2764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cab55dc39dbabd09712b0502141c0bd0

SHA1
49083318ef7778db9c4909e420c8ca32f5d1e6aa

SHA256
ebe7849df6a63a8ed191ce29d8da2098ef869606b25e14f9f30e55e83b5920ec

SHA512
22a2a5aa4ce86e42d77f9221437d1a0867c708738fb69c602b962fb1d370257c4a3ced980002139243ec959767c10c3e41a25f9c873a693d044729a4741ee76b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
cab55dc39dbabd09712b0502141c0bd0

SHA1
49083318ef7778db9c4909e420c8ca32f5d1e6aa

SHA256
ebe7849df6a63a8ed191ce29d8da2098ef869606b25e14f9f30e55e83b5920ec

SHA512
22a2a5aa4ce86e42d77f9221437d1a0867c708738fb69c602b962fb1d370257c4a3ced980002139243ec959767c10c3e41a25f9c873a693d044729a4741ee76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBFF5.tmp
MD5
298802275d6d07f3a349843cf802519a

SHA1
ef188289c36324f19fbc37eb7a7b5813e2e5267f

SHA256
7f1d2cf2300a92b6cb7533037133e0a8312e8b506c2ab81191fb12c7a600cd34

SHA512
77706be7a2ed2d024d0065ba2cfa0d2fc29c65b20d8ebc43dce1ff7fdcaba6f42224bcc5358998bd2e56a8162ab5350e6877d6d01de2c3d155bc57a3ad72db53

Download Submit
memory/1000-127-0x0000000000000000-mapping.dmp

Download
memory/1220-195-0x0000000006653000-0x0000000006654000-memory.dmp

Filesize
4KB

Download
memory/1220-192-0x000000007F450000-0x000000007F451000-memory.dmp

Filesize
4KB

Download
memory/1220-189-0x0000000008B50000-0x0000000008B83000-memory.dmp

Filesize
204KB

Download
memory/1220-160-0x0000000006652000-0x0000000006653000-memory.dmp

Filesize
4KB

Download
memory/1220-158-0x0000000006650000-0x0000000006651000-memory.dmp

Filesize
4KB

Download
memory/1220-150-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/1220-126-0x0000000000000000-mapping.dmp

Download
memory/1220-146-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/1220-148-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/1220-134-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/1220-144-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/2764-191-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/2764-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2764-139-0x000000000040C75E-mapping.dmp

Download
memory/3748-125-0x0000000000000000-mapping.dmp

Download
memory/3748-193-0x000000007F760000-0x000000007F761000-memory.dmp

Filesize
4KB

Download
memory/3748-132-0x00000000043D0000-0x00000000043D1000-memory.dmp

Filesize
4KB

Download
memory/3748-196-0x00000000044C3000-0x00000000044C4000-memory.dmp

Filesize
4KB

Download
memory/3748-156-0x00000000044C0000-0x00000000044C1000-memory.dmp

Filesize
4KB

Download
memory/3748-170-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/3748-161-0x00000000044C2000-0x00000000044C3000-memory.dmp

Filesize
4KB

Download
memory/3856-119-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/3856-123-0x0000000001040000-0x00000000010A6000-memory.dmp

Filesize
408KB

Download
memory/3856-116-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/3856-117-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/3856-118-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/3856-124-0x0000000000FA0000-0x0000000000FC0000-memory.dmp

Filesize
128KB

Download
memory/3856-122-0x0000000005760000-0x0000000005769000-memory.dmp

Filesize
36KB

Download
memory/3856-121-0x0000000005280000-0x000000000577E000-memory.dmp

Filesize
5.0MB

Download
memory/3856-120-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3856-114-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4044-167-0x00000000082B0000-0x00000000082B1000-memory.dmp

Filesize
4KB

Download
memory/4044-194-0x000000007EC20000-0x000000007EC21000-memory.dmp

Filesize
4KB

Download
memory/4044-197-0x0000000004773000-0x0000000004774000-memory.dmp

Filesize
4KB

Download
memory/4044-137-0x0000000000000000-mapping.dmp

Download
memory/4044-162-0x0000000004770000-0x0000000004771000-memory.dmp

Filesize
4KB

Download
memory/4044-164-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/4044-163-0x0000000004772000-0x0000000004773000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads