asyncrat | 1e3e424d41bae88878ec8ff68e76e437012fdabd8881937dbe9300527c7d0e66

Analysis

max time kernel
485s
max time network
518s
platform
windows10-2004_x64
resource
win10v2004-20221111-es
resource tags

arch:x64arch:x86image:win10v2004-20221111-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
01-12-2022 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe
Size

310KB
MD5

21e46a899b0322c89c9be7a523c8fac0
SHA1

ee646c0fee2f4e859776b859f7723293da978825
SHA256

32232cd07f6c7553613725de84b0fb6da14d2a076918c59e5d1bdf704b857d12
SHA512

0963e30a46064f25ef24a0f37f5f5503a8a36c893678002ef3821965755032a8c47654bf07d89e2bf418bf86b9e61bf5c73cf76c63e2307fa414b7ddb0532f09
SSDEEP

6144:+Pla3hyO2k1EwO4jDFcPQQAF+MdsjdBMamnL2c3ra9pWQ3R2wialFpra:0syOlFc4QAfsBtmL2PDWOtlH

Score

10^/10

asyncrat default persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

bmxfghsh.duckdns.org:8026

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/216-136-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/216-137-0x000000000040CBBE-mapping.dmp	asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B1807F337A9A4895AF531D4912CAA6FB = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe\""	TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe

description pid process target process

PID 2296 set thread context of 216 2296 TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe InstallUtil.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exeInstallUtil.exe

description pid process

Token: SeDebugPrivilege 2296 TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe
Token: SeDebugPrivilege 216 InstallUtil.exe

description	pid	process	target process
PID 2296 set thread context of 216	2296	TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe	InstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	2296	TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe
Token: SeDebugPrivilege	216	InstallUtil.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe

description	pid	process	target process
PID 2296 wrote to memory of 216	2296	TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe	InstallUtil.exe
PID 2296 wrote to memory of 216	2296	TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe	InstallUtil.exe
PID 2296 wrote to memory of 216	2296	TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe	InstallUtil.exe
PID 2296 wrote to memory of 216	2296	TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe	InstallUtil.exe
PID 2296 wrote to memory of 216	2296	TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe	InstallUtil.exe
PID 2296 wrote to memory of 216	2296	TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe	InstallUtil.exe
PID 2296 wrote to memory of 216	2296	TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe	InstallUtil.exe
PID 2296 wrote to memory of 216	2296	TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe
"C:\Users\Admin\AppData\Local\Temp\TRANSACCION DE PAGO A CUENTA BANCARIA PDF.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/216-136-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/216-137-0x000000000040CBBE-mapping.dmp

Download
memory/216-139-0x0000000005F20000-0x0000000006022000-memory.dmp

Filesize
1.0MB

Download
memory/216-140-0x0000000005E10000-0x0000000005EAC000-memory.dmp

Filesize
624KB

Download
memory/216-141-0x0000000006750000-0x0000000006CF4000-memory.dmp

Filesize
5.6MB

Download
memory/216-142-0x00000000017F0000-0x0000000001856000-memory.dmp

Filesize
408KB

Download
memory/2296-132-0x00000110A9CD0000-0x00000110A9D22000-memory.dmp

Filesize
328KB

Download
memory/2296-133-0x00007FF811860000-0x00007FF812321000-memory.dmp

Filesize
10.8MB

Download
memory/2296-134-0x00000110C42E0000-0x00000110C43E2000-memory.dmp

Filesize
1.0MB

Download
memory/2296-135-0x00007FF811860000-0x00007FF812321000-memory.dmp

Filesize
10.8MB

Download
memory/2296-138-0x00007FF811860000-0x00007FF812321000-memory.dmp

Filesize
10.8MB

Download