asyncrat | c770093587db0c4503dd8acaeaf9e1021ab8a19473640b4011525f397c8a99a6

Resubmissions

31/10/2023, 19:59

231031-yqxbrafd25 10

31/10/2023, 19:56

231031-yn5v4sdb9v 5

Analysis

max time kernel
143s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
31/10/2023, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09 NOTIFICACION DEMANDA JUDICIAL/09 NOTIFICACION DEMANDA JUDICIAL....exe
Size

658KB
MD5

ab63396cb0774ac41107b7b112f81d5a
SHA1

f5dc67429147e886b01413472496576a2ee34075
SHA256

9a43c57f3e98bd69789e8ccbeef2c1b6b5a3b1d06d63257bb4bd58dffa23689d
SHA512

2121961ae2b154ba941af6937d0522505ec7e323094fb2edc7058194ae958bcf866bbbc7842924236b8635917800d0708eaabff6112f131f496189bb6e021699
SSDEEP

12288:BKwp3N7HPqUeL31VI1kR8BgrsEofzwHJem7OzwHJe0IhfiZ:swp97HyUeLFVIuRCgrsEorwpemIwpels

Score

10^/10

asyncrat clientes rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Clientes

enviofinal.kozow.com:5051

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
System.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3372-42-0x00000000005C0000-0x00000000005D6000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3228 set thread context of 4920	3228	09 NOTIFICACION DEMANDA JUDICIAL....exe	86
PID 4920 set thread context of 3372	4920	cmd.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3228	09 NOTIFICACION DEMANDA JUDICIAL....exe
4920	cmd.exe
4920	cmd.exe
3372	MSBuild.exe
3372	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3228	09 NOTIFICACION DEMANDA JUDICIAL....exe
4920	cmd.exe
4920	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3372	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4920	3228	09 NOTIFICACION DEMANDA JUDICIAL....exe	86
PID 3228 wrote to memory of 4920	3228	09 NOTIFICACION DEMANDA JUDICIAL....exe	86
PID 3228 wrote to memory of 4920	3228	09 NOTIFICACION DEMANDA JUDICIAL....exe	86
PID 3228 wrote to memory of 4920	3228	09 NOTIFICACION DEMANDA JUDICIAL....exe	86
PID 4920 wrote to memory of 3372	4920	cmd.exe	101
PID 4920 wrote to memory of 3372	4920	cmd.exe	101
PID 4920 wrote to memory of 3372	4920	cmd.exe	101
PID 4920 wrote to memory of 3372	4920	cmd.exe	101
PID 4920 wrote to memory of 3372	4920	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\09 NOTIFICACION DEMANDA JUDICIAL\09 NOTIFICACION DEMANDA JUDICIAL....exe
"C:\Users\Admin\AppData\Local\Temp\09 NOTIFICACION DEMANDA JUDICIAL\09 NOTIFICACION DEMANDA JUDICIAL....exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\19b69c32

Filesize
638KB

MD5
ac7fb768b4b0239b7789df357635bc6b

SHA1
f97e032afe58b36b1c5a4cf81b25730628a2707e

SHA256
1fe2cb3307412d28c8804b9df42625d6a1aefc487997a5caaa66403082cd0754

SHA512
1321e2ff48d48e3113c9f732949ae510de6efab7dcb1b8f312ab0b75a4595fa87c3de26c3ede02e7ef41e7409d33b470c1cf8910a53e02f91588b19524be2705

Download Submit
memory/3228-0-0x00007FFC9DED0000-0x00007FFC9E042000-memory.dmp

Filesize
1.4MB

Download
memory/3228-29-0x00007FFC9DED0000-0x00007FFC9E042000-memory.dmp

Filesize
1.4MB

Download
memory/3228-30-0x00007FFC9DED0000-0x00007FFC9E042000-memory.dmp

Filesize
1.4MB

Download
memory/3372-45-0x0000000005680000-0x0000000005C24000-memory.dmp

Filesize
5.6MB

Download
memory/3372-44-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/3372-53-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/3372-52-0x0000000072F70000-0x0000000073720000-memory.dmp

Filesize
7.7MB

Download
memory/3372-39-0x0000000073830000-0x0000000074A84000-memory.dmp

Filesize
18.3MB

Download
memory/3372-42-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/3372-43-0x0000000072F70000-0x0000000073720000-memory.dmp

Filesize
7.7MB

Download
memory/3372-51-0x00000000061F0000-0x0000000006256000-memory.dmp

Filesize
408KB

Download
memory/3372-50-0x0000000006150000-0x00000000061EC000-memory.dmp

Filesize
624KB

Download
memory/3372-46-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/3372-47-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/4920-33-0x00007FFCBB670000-0x00007FFCBB865000-memory.dmp

Filesize
2.0MB

Download
memory/4920-35-0x00000000752B0000-0x000000007542B000-memory.dmp

Filesize
1.5MB

Download
memory/4920-38-0x00000000752B0000-0x000000007542B000-memory.dmp

Filesize
1.5MB

Download
memory/4920-36-0x00000000752B0000-0x000000007542B000-memory.dmp

Filesize
1.5MB

Download