asyncrat | dcf90d69b4a83839e6b741986745c373a2c386a1a5518cab19133fda1f7f6e16

Analysis

max time kernel
154s
max time network
195s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 15:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe
Size

5.4MB
MD5

e845e389a77d91d7cee1f9083c217576
SHA1

32012607cd749f4360260862e1c52772d144100e
SHA256

dcf90d69b4a83839e6b741986745c373a2c386a1a5518cab19133fda1f7f6e16
SHA512

e2cb38b53e9c37aefeab7b74b6f8327d9302c3ac43d359a532536606204a01832d678f564cb3ed69f8b028e1129bef11bcb266c787e8004cb07ea3be47961e74
SSDEEP

98304:PuOH/DmnPC7YCJ4jsdd1grzHcp8214+5OeyRE3:PuOH/an67JJ4jYdiz7C3

Score

10^/10

asyncrat new envio -04 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

NEW ENVIO -04

preferenciales12.duckdns.org:7090

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\SpyPro = "C:\\Users\\Admin\\Documents\\ChromeUpdate\\schost.exe"	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 612	2860	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	29

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	612	csc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 612	2860	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	29
PID 2860 wrote to memory of 612	2860	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	29
PID 2860 wrote to memory of 612	2860	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	29
PID 2860 wrote to memory of 612	2860	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	29
PID 2860 wrote to memory of 612	2860	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	29
PID 2860 wrote to memory of 612	2860	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	29

C:\Users\Admin\AppData\Local\Temp\Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe
"C:\Users\Admin\AppData\Local\Temp\Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-11-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/612-3-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/612-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/612-5-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/612-8-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/612-10-0x0000000000080000-0x0000000000092000-memory.dmp

Filesize
72KB

Download
memory/612-12-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/612-30-0x0000000073C50000-0x000000007433E000-memory.dmp

Filesize
6.9MB

Download
memory/612-31-0x0000000004E20000-0x0000000004E60000-memory.dmp

Filesize
256KB

Download
memory/2860-1-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/2860-2-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/2860-7-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/2860-0-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads