asyncrat | c8a3f4816fa4458a57513a4a40b2ff3b4a2f4668fb7ac310a4b6980a6f56a786

Analysis

max time kernel
147s
max time network
314s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
03/10/2023, 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE/1 NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE .........exe
Size

658KB
MD5

ab63396cb0774ac41107b7b112f81d5a
SHA1

f5dc67429147e886b01413472496576a2ee34075
SHA256

9a43c57f3e98bd69789e8ccbeef2c1b6b5a3b1d06d63257bb4bd58dffa23689d
SHA512

2121961ae2b154ba941af6937d0522505ec7e323094fb2edc7058194ae958bcf866bbbc7842924236b8635917800d0708eaabff6112f131f496189bb6e021699
SSDEEP

12288:BKwp3N7HPqUeL31VI1kR8BgrsEofzwHJem7OzwHJe0IhfiZ:swp97HyUeLFVIuRCgrsEorwpemIwpels

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

paisaloro.kozow.com:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4156-43-0x0000000000340000-0x0000000000356000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 2764	2952	1 NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE .........exe	83
PID 2764 set thread context of 4156	2764	cmd.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2952	1 NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE .........exe
2764	cmd.exe
2764	cmd.exe
4156	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2952	1 NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE .........exe
2764	cmd.exe
2764	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4156	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2764	2952	1 NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE .........exe	83
PID 2952 wrote to memory of 2764	2952	1 NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE .........exe	83
PID 2952 wrote to memory of 2764	2952	1 NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE .........exe	83
PID 2952 wrote to memory of 2764	2952	1 NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE .........exe	83
PID 2764 wrote to memory of 4156	2764	cmd.exe	96
PID 2764 wrote to memory of 4156	2764	cmd.exe	96
PID 2764 wrote to memory of 4156	2764	cmd.exe	96
PID 2764 wrote to memory of 4156	2764	cmd.exe	96
PID 2764 wrote to memory of 4156	2764	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE\1 NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE .........exe
"C:\Users\Admin\AppData\Local\Temp\NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE\1 NOTIFICACION CITACION JUDIACIAL JUZGADO 34 DE .........exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1aa28c36

Filesize
638KB

MD5
76ad74ddce499af46bb0fa789fa486a5

SHA1
493a7543b45a1088e356713e8cc953658f136cde

SHA256
c4ac7513e6f339855e1cc5548a8d8c3cecb0f663d08ab004ad824ffffeb428da

SHA512
f8b2791a9b7af46287ac8e6e1cb67d68766fbcd102dc00449a5875103d58cb22789bd9355f02a0bacd8cfded06e0299b9573e7e800cfbd5ef5588d4d75ac464a

Download Submit
memory/2764-33-0x00007FFDF8E90000-0x00007FFDF9085000-memory.dmp

Filesize
2.0MB

Download
memory/2764-36-0x0000000075A50000-0x0000000075BCB000-memory.dmp

Filesize
1.5MB

Download
memory/2764-37-0x0000000075A50000-0x0000000075BCB000-memory.dmp

Filesize
1.5MB

Download
memory/2764-39-0x0000000075A50000-0x0000000075BCB000-memory.dmp

Filesize
1.5MB

Download
memory/2952-0-0x00007FFDE7EA0000-0x00007FFDE8012000-memory.dmp

Filesize
1.4MB

Download
memory/2952-29-0x00007FFDE7EA0000-0x00007FFDE8012000-memory.dmp

Filesize
1.4MB

Download
memory/2952-30-0x00007FFDE7EA0000-0x00007FFDE8012000-memory.dmp

Filesize
1.4MB

Download
memory/4156-44-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/4156-43-0x0000000000340000-0x0000000000356000-memory.dmp

Filesize
88KB

Download
memory/4156-40-0x0000000073FD0000-0x0000000075224000-memory.dmp

Filesize
18.3MB

Download
memory/4156-45-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/4156-46-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/4156-47-0x0000000005370000-0x0000000005402000-memory.dmp

Filesize
584KB

Download
memory/4156-48-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/4156-51-0x00000000062A0000-0x000000000633C000-memory.dmp

Filesize
624KB

Download
memory/4156-52-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/4156-53-0x0000000006550000-0x0000000006652000-memory.dmp

Filesize
1.0MB

Download
memory/4156-54-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/4156-55-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download