asyncrat | 42cd003d51ecbce1731e918f8e46decce104c22d65a2473206117c9067b0996c

Analysis

max time kernel
43s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20231127-es
resource tags

arch:x64arch:x86image:win10v2004-20231127-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
06-12-2023 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

#6 NOTIFICACION PROCESO FISCAL..exe
Size

20KB
MD5

9329ba45c8b97485926a171e34c2abb8
SHA1

20118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256

effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA512

0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc
SSDEEP

384:Damtvzlx5v02RIDauMTnxOn6sGCYJLW7wycJbi6jc:D7Jv0qpukxO6s6Lhbimc

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

Default

lila152512.duckdns.org:1234

Mutex

AsyncMutex_Default

Attributes

delay
3
install
false
install_file
poder.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/760-23-0x0000000000620000-0x0000000000636000-memory.dmp	asyncrat

Suspicious use of SetThreadContext 2 IoCs

Processes:

#6 NOTIFICACION PROCESO FISCAL..execmd.exe

description	pid	process	target process
PID 3516 set thread context of 1132	3516	#6 NOTIFICACION PROCESO FISCAL..exe	cmd.exe
PID 1132 set thread context of 760	1132	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

#6 NOTIFICACION PROCESO FISCAL..execmd.exeMSBuild.exe

pid process

3516 #6 NOTIFICACION PROCESO FISCAL..exe
1132 cmd.exe
1132 cmd.exe
760 MSBuild.exe
760 MSBuild.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

#6 NOTIFICACION PROCESO FISCAL..execmd.exe

pid process

3516 #6 NOTIFICACION PROCESO FISCAL..exe
1132 cmd.exe
1132 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 760 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

760 MSBuild.exe

pid	process
3516	#6 NOTIFICACION PROCESO FISCAL..exe
1132	cmd.exe
1132	cmd.exe
760	MSBuild.exe
760	MSBuild.exe

pid	process
3516	#6 NOTIFICACION PROCESO FISCAL..exe
1132	cmd.exe
1132	cmd.exe

description	pid	process
Token: SeDebugPrivilege	760	MSBuild.exe

pid	process
760	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

#6 NOTIFICACION PROCESO FISCAL..execmd.exe

description	pid	process	target process
PID 3516 wrote to memory of 1132	3516	#6 NOTIFICACION PROCESO FISCAL..exe	cmd.exe
PID 3516 wrote to memory of 1132	3516	#6 NOTIFICACION PROCESO FISCAL..exe	cmd.exe
PID 3516 wrote to memory of 1132	3516	#6 NOTIFICACION PROCESO FISCAL..exe	cmd.exe
PID 3516 wrote to memory of 1132	3516	#6 NOTIFICACION PROCESO FISCAL..exe	cmd.exe
PID 1132 wrote to memory of 760	1132	cmd.exe	MSBuild.exe
PID 1132 wrote to memory of 760	1132	cmd.exe	MSBuild.exe
PID 1132 wrote to memory of 760	1132	cmd.exe	MSBuild.exe
PID 1132 wrote to memory of 760	1132	cmd.exe	MSBuild.exe
PID 1132 wrote to memory of 760	1132	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\#6 NOTIFICACION PROCESO FISCAL..exe
"C:\Users\Admin\AppData\Local\Temp\#6 NOTIFICACION PROCESO FISCAL..exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1b102d1c
Filesize
741KB

MD5
6f188b101dbee3bc70488e34d44fbea7

SHA1
eb2043d5eea4e2b6f37c42b3003b74f122ea908f

SHA256
6039eaa96de33de076449e7fb8e0fa7567e06c4902674c7cf5ed445badb14e94

SHA512
7c5d1bb55847090b69c397ee741b09af6eba36d831816c6f718611511b4dd6d78d3cf4df9ddc41f08f9c6780e6c5c58a01694fb0ff09a506ca8f2fe77954e48c

Download Submit
memory/760-20-0x0000000072E80000-0x00000000740D4000-memory.dmp

Filesize
18.3MB

Download
memory/760-28-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download
memory/760-27-0x0000000005340000-0x00000000053D2000-memory.dmp

Filesize
584KB

Download
memory/760-26-0x0000000005710000-0x0000000005CB4000-memory.dmp

Filesize
5.6MB

Download
memory/760-25-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/760-23-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/760-24-0x00000000726D0000-0x0000000072E80000-memory.dmp

Filesize
7.7MB

Download
memory/1132-12-0x00000000749F0000-0x0000000074B6B000-memory.dmp

Filesize
1.5MB

Download
memory/1132-19-0x00000000749F0000-0x0000000074B6B000-memory.dmp

Filesize
1.5MB

Download
memory/1132-17-0x00000000749F0000-0x0000000074B6B000-memory.dmp

Filesize
1.5MB

Download
memory/1132-16-0x00000000749F0000-0x0000000074B6B000-memory.dmp

Filesize
1.5MB

Download
memory/1132-14-0x00007FF867470000-0x00007FF867665000-memory.dmp

Filesize
2.0MB

Download
memory/3516-0-0x00000000749F0000-0x0000000074B6B000-memory.dmp

Filesize
1.5MB

Download
memory/3516-10-0x00000000749F0000-0x0000000074B6B000-memory.dmp

Filesize
1.5MB

Download
memory/3516-9-0x00000000749F0000-0x0000000074B6B000-memory.dmp

Filesize
1.5MB

Download
memory/3516-1-0x00007FF867470000-0x00007FF867665000-memory.dmp

Filesize
2.0MB

Download