asyncrat | 534d1e3d7e1b3da44c4a24e67d2467ed56ac5644d8f92288b19ac4be7853c5f3

Analysis

max time kernel
135s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

001-NOTIFICACION JUDICIAL AUTO DE IMPUTACION POR INCUMPLIMIENTO FISCAL/001-NOTIFICACION JUDICIAL.exe
Size

63KB
MD5

ae224c5e196ff381836c9e95deebb7d5
SHA1

910446a2a0f4e53307b6fdeb1a3e236c929e2ef4
SHA256

bf933ccf86c55fc328e343b55dbf2e8ebd528e8a0a54f8f659cd0d4b4f261f26
SHA512

f845dbb13b04f76b6823bec48e1c47f96bcbd6d02a834c8b128ac750fe338b53f775ee2a8784e8c443d49dfcb918c5b9d59b5492a1fe18743b8ba65b7d12514c
SSDEEP

1536:Wio8DVyYs7JZT0uPXn8OS6sIe3ekT5Z240jSZk:WkhyYIJZT0uPXn8OdsIe3c4Ql

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

enviofinal.kozow.com:5051

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
AnsyFelix
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

Processes:

001-NOTIFICACION JUDICIAL.execmd.exe

description	pid	process	target process
PID 2972 set thread context of 2136	2972	001-NOTIFICACION JUDICIAL.exe	cmd.exe
PID 2136 set thread context of 2928	2136	cmd.exe	MSBuild.exe

Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\Quicktool.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

001-NOTIFICACION JUDICIAL.execmd.exeMSBuild.exe

pid process

2972 001-NOTIFICACION JUDICIAL.exe
2136 cmd.exe
2136 cmd.exe
2928 MSBuild.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

001-NOTIFICACION JUDICIAL.execmd.exe

pid process

2972 001-NOTIFICACION JUDICIAL.exe
2136 cmd.exe
2136 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2928 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

2928 MSBuild.exe

description	ioc	process
File created	C:\Windows\Tasks\Quicktool.job	cmd.exe

pid	process
2972	001-NOTIFICACION JUDICIAL.exe
2136	cmd.exe
2136	cmd.exe
2928	MSBuild.exe

pid	process
2972	001-NOTIFICACION JUDICIAL.exe
2136	cmd.exe
2136	cmd.exe

description	pid	process
Token: SeDebugPrivilege	2928	MSBuild.exe

pid	process
2928	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

001-NOTIFICACION JUDICIAL.execmd.exe

description	pid	process	target process
PID 2972 wrote to memory of 2136	2972	001-NOTIFICACION JUDICIAL.exe	cmd.exe
PID 2972 wrote to memory of 2136	2972	001-NOTIFICACION JUDICIAL.exe	cmd.exe
PID 2972 wrote to memory of 2136	2972	001-NOTIFICACION JUDICIAL.exe	cmd.exe
PID 2972 wrote to memory of 2136	2972	001-NOTIFICACION JUDICIAL.exe	cmd.exe
PID 2972 wrote to memory of 2136	2972	001-NOTIFICACION JUDICIAL.exe	cmd.exe
PID 2136 wrote to memory of 2928	2136	cmd.exe	MSBuild.exe
PID 2136 wrote to memory of 2928	2136	cmd.exe	MSBuild.exe
PID 2136 wrote to memory of 2928	2136	cmd.exe	MSBuild.exe
PID 2136 wrote to memory of 2928	2136	cmd.exe	MSBuild.exe
PID 2136 wrote to memory of 2928	2136	cmd.exe	MSBuild.exe
PID 2136 wrote to memory of 2928	2136	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\001-NOTIFICACION JUDICIAL AUTO DE IMPUTACION POR INCUMPLIMIENTO FISCAL\001-NOTIFICACION JUDICIAL.exe
"C:\Users\Admin\AppData\Local\Temp\001-NOTIFICACION JUDICIAL AUTO DE IMPUTACION POR INCUMPLIMIENTO FISCAL\001-NOTIFICACION JUDICIAL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a7268739
Filesize
776KB

MD5
8da9d472c4ab78a1d82d2b9d92d51c75

SHA1
babe937f7f46fe592fd8637a936291467378e2e4

SHA256
3d3dca76f27c703a2d70f0a54141a4b47dd5e07c7a35a82fb7fe4e1a76994129

SHA512
3a78343a5ca39255259a1ef97678980c11d0abb2d60e2591c5e9e489d12f93b98d4ec37211de13b60659d1e424b46078516619e3cff09da6c35e6e86757aab50

Download Submit
memory/2136-18-0x0000000076F10000-0x00000000770B9000-memory.dmp

Filesize
1.7MB

Download
memory/2136-76-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/2136-73-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/2136-72-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/2136-65-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/2136-63-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/2136-16-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/2928-77-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-78-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-83-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/2928-82-0x0000000073B00000-0x00000000741EE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-81-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/2928-80-0x0000000073B00000-0x00000000741EE000-memory.dmp

Filesize
6.9MB

Download
memory/2928-75-0x0000000072490000-0x00000000734F2000-memory.dmp

Filesize
16.4MB

Download
memory/2928-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2972-3-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/2972-0-0x00000000001B0000-0x00000000002B8000-memory.dmp

Filesize
1.0MB

Download
memory/2972-2-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/2972-14-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/2972-4-0x0000000076F10000-0x00000000770B9000-memory.dmp

Filesize
1.7MB

Download
memory/2972-13-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download