asyncrat | 558af040bcfa1aaf774e953cca682eaaf38ec8c4f3ca4f3e24e0ea8a783ca1df

Analysis

max time kernel
139s
max time network
156s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
05/10/2022, 23:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Size

8.9MB
MD5

705385c167486ac75a5063f6934c5631
SHA1

d08da29cca536b6b502cec7ca2f5c9cb419308e2
SHA256

558af040bcfa1aaf774e953cca682eaaf38ec8c4f3ca4f3e24e0ea8a783ca1df
SHA512

67249411406d7a6f41a97a6e40facd364fb6777c2833465aacdc6081fde3854109c9a308f5dc6f03c6fd940cc2d291be7ce9b13c6dc5a45dc810d091e98d88af
SSDEEP

98304:7soxgg0Y8w5AUY52JgpVOEjrZGNw9J2/8w1MlpYRO1izoaRIS9NhICGucHATgwY0:p8Aohi8Y/+y

Score

10^/10

asyncrat default evasion persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

maraddiego763.duckdns.org:1881

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe\""	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe = "0"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe = "0"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe

Async RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1016-79-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1016-78-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1016-81-0x000000000040C72E-mapping.dmp	asyncrat
behavioral1/memory/1016-80-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1016-83-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1016-85-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe = "0"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe = "0"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe"	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1300 set thread context of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
716	powershell.exe
1576	powershell.exe
904	powershell.exe
2028	powershell.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2028	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	28
PID 1300 wrote to memory of 2028	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	28
PID 1300 wrote to memory of 2028	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	28
PID 1300 wrote to memory of 2028	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	28
PID 1300 wrote to memory of 1576	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	30
PID 1300 wrote to memory of 1576	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	30
PID 1300 wrote to memory of 1576	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	30
PID 1300 wrote to memory of 1576	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	30
PID 1300 wrote to memory of 716	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	32
PID 1300 wrote to memory of 716	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	32
PID 1300 wrote to memory of 716	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	32
PID 1300 wrote to memory of 716	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	32
PID 1300 wrote to memory of 904	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	34
PID 1300 wrote to memory of 904	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	34
PID 1300 wrote to memory of 904	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	34
PID 1300 wrote to memory of 904	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	34
PID 1300 wrote to memory of 996	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	36
PID 1300 wrote to memory of 996	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	36
PID 1300 wrote to memory of 996	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	36
PID 1300 wrote to memory of 996	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	36
PID 1300 wrote to memory of 996	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	36
PID 1300 wrote to memory of 996	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	36
PID 1300 wrote to memory of 996	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	36
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37
PID 1300 wrote to memory of 1016	1300	APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe	37

C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe
"C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:716
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\APROBACION DE PAGO REALIZADO EXITOSAMENTE.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  PID:996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f9da165545a77d6b78c9a812a366675b

SHA1
458e94d697990e042640a4d294aeb72fcc64fa6b

SHA256
240d15262c790e38a9ebcc959c1ca25ee616d3d3ec33bd3f41f1d389d8323c20

SHA512
138def5c9d38a3d78232809ec60d852bf8dc49ce6694c7ad340c53c596c467f1f9e980a7752d5bbd4de7470ef61f9840ea1b221bb2b7bf49175f3ab436fd0737

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f9da165545a77d6b78c9a812a366675b

SHA1
458e94d697990e042640a4d294aeb72fcc64fa6b

SHA256
240d15262c790e38a9ebcc959c1ca25ee616d3d3ec33bd3f41f1d389d8323c20

SHA512
138def5c9d38a3d78232809ec60d852bf8dc49ce6694c7ad340c53c596c467f1f9e980a7752d5bbd4de7470ef61f9840ea1b221bb2b7bf49175f3ab436fd0737

Download Submit
memory/716-71-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/716-69-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/904-73-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/904-67-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/1016-78-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-76-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-85-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-83-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1016-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1300-55-0x0000000004BE0000-0x0000000004CDC000-memory.dmp

Filesize
1008KB

Download
memory/1300-54-0x0000000000A30000-0x0000000001316000-memory.dmp

Filesize
8.9MB

Download
memory/1300-56-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1576-74-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/1576-68-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-72-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-70-0x000000006F6E0000-0x000000006FC8B000-memory.dmp

Filesize
5.7MB

Download