asyncrat | dcf90d69b4a83839e6b741986745c373a2c386a1a5518cab19133fda1f7f6e16

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 15:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe
Size

5.4MB
MD5

e845e389a77d91d7cee1f9083c217576
SHA1

32012607cd749f4360260862e1c52772d144100e
SHA256

dcf90d69b4a83839e6b741986745c373a2c386a1a5518cab19133fda1f7f6e16
SHA512

e2cb38b53e9c37aefeab7b74b6f8327d9302c3ac43d359a532536606204a01832d678f564cb3ed69f8b028e1129bef11bcb266c787e8004cb07ea3be47961e74
SSDEEP

98304:PuOH/DmnPC7YCJ4jsdd1grzHcp8214+5OeyRE3:PuOH/an67JJ4jYdiz7C3

Score

10^/10

asyncrat new envio -04 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

NEW ENVIO -04

preferenciales12.duckdns.org:7090

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpyPro = "C:\\Users\\Admin\\Documents\\ChromeUpdate\\schost.exeĀ"	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2492 set thread context of 4780	2492	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	103

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	csc.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4780	2492	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	103
PID 2492 wrote to memory of 4780	2492	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	103
PID 2492 wrote to memory of 4780	2492	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	103
PID 2492 wrote to memory of 4780	2492	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	103
PID 2492 wrote to memory of 4780	2492	Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe	103

C:\Users\Admin\AppData\Local\Temp\Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe
"C:\Users\Admin\AppData\Local\Temp\Acta; Proceso Informativo; Nro-08800411515052211-74 Acta Detellado #0079327788667772-2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3672 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:3316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-4-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/2492-1-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/2492-2-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/2492-0-0x0000000000400000-0x0000000000982000-memory.dmp

Filesize
5.5MB

Download
memory/4780-6-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/4780-5-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download
memory/4780-3-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/4780-9-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download
memory/4780-10-0x0000000005E90000-0x0000000006434000-memory.dmp

Filesize
5.6MB

Download
memory/4780-11-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/4780-12-0x00000000741A0000-0x0000000074950000-memory.dmp

Filesize
7.7MB

Download
memory/4780-13-0x00000000757A0000-0x00000000757B2000-memory.dmp

Filesize
72KB

Download
memory/4780-14-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads