asyncrat | 97415cc05647c3eeb7aac99997a4e4eb64bd3a5b521beb70b1e72a9727d01365

General

Target

TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe
Size

72KB
MD5

2be93df9a3c2e9b0809aa24f46d561f8
SHA1

3c3716c0e5721d61afa4997764aa3eaa091505ef
SHA256

fbc9106506d47f39fddb3a48693e9b3eb80f400d6c273d1e08ecc7ef417f9352
SHA512

92e38a52e72d7a69f6f6781b58423a38dc825dfe4ab5156d457897eb757e8a8888a2c3a1360a7ed3b000c9d96a825e2d7b7226c46b70a02bd4ca28ebd24ee78a

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

ufyu78r8r7.duckdns.org:8057

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe\""	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1756-56-0x0000000000310000-0x0000000000326000-memory.dmp	asyncrat
behavioral1/memory/1712-60-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1712-61-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1712-62-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1712-63-0x000000000040C72E-mapping.dmp	asyncrat
behavioral1/memory/1712-65-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1712-67-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Drops startup file 2 IoCs

Processes:

TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe"	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe

description	pid	process	target process
PID 1756 set thread context of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe

description	pid	process	target process
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe
PID 1756 wrote to memory of 1712	1756	TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe	installutil.exe

C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe
"C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA DE PAGO A CUENTA BANCARIA DETALLE DE CONFIRMACION IMG-6743856748357485748.exe"
1⤵
- Modifies WinLogon for persistence
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
2⤵
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-57-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1712-58-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1712-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1712-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1712-62-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1712-63-0x000000000040C72E-mapping.dmp

Download
memory/1712-65-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1712-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1756-54-0x0000000000960000-0x0000000000976000-memory.dmp

Filesize
88KB

Download
memory/1756-55-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1756-56-0x0000000000310000-0x0000000000326000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads