asyncrat | c0747c10be35b8c1072a360c7759228b17f35d2ec890154020c716d572b00fbd

Analysis

max time kernel
360s
max time network
361s
platform
windows7_x64
resource
win7-20231129-es
resource tags

arch:x64arch:x86image:win7-20231129-eslocale:es-esos:windows7-x64systemwindows
submitted
26/04/2024, 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CITACION DEMANDA/04 CITACION DEMANDA.exe
Size

446KB
MD5

485008b43f0edceba0e0d3ca04bc1c1a
SHA1

55ae8f105af415bb763d1b87f6572f078052877c
SHA256

12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10
SHA512

402652786daae635c7405f5fa0924d768cbde2086f9f57b10f00f921dec98e37168f5c3a6baa5593ba9a478f3971d32747c517ffd485d25634c924e6b08815b1
SSDEEP

12288:vK5+DMJA3TAz4plk9iZOOti81N5y1qMIg+GV5Zul3M:y5+DMJA3TAz4plk9ijK1qlGV7ulM

Score

10^/10

asyncrat zgrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

melo2024.kozow.com:8000

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
AnsyFelix
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral3/memory/856-89-0x0000000000600000-0x0000000000626000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 2516	2588	04 CITACION DEMANDA.exe	29
PID 2516 set thread context of 856	2516	cmd.exe	31

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Firefoxnode_xz.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
992	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2588	04 CITACION DEMANDA.exe
2588	04 CITACION DEMANDA.exe
2516	cmd.exe
2516	cmd.exe
856	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2588	04 CITACION DEMANDA.exe
2516	cmd.exe
2516	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
856	MSBuild.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2516	2588	04 CITACION DEMANDA.exe	29
PID 2588 wrote to memory of 2516	2588	04 CITACION DEMANDA.exe	29
PID 2588 wrote to memory of 2516	2588	04 CITACION DEMANDA.exe	29
PID 2588 wrote to memory of 2516	2588	04 CITACION DEMANDA.exe	29
PID 2588 wrote to memory of 2516	2588	04 CITACION DEMANDA.exe	29
PID 2516 wrote to memory of 856	2516	cmd.exe	31
PID 2516 wrote to memory of 856	2516	cmd.exe	31
PID 2516 wrote to memory of 856	2516	cmd.exe	31
PID 2516 wrote to memory of 856	2516	cmd.exe	31
PID 2516 wrote to memory of 856	2516	cmd.exe	31
PID 2516 wrote to memory of 856	2516	cmd.exe	31
PID 856 wrote to memory of 2384	856	MSBuild.exe	34
PID 856 wrote to memory of 2384	856	MSBuild.exe	34
PID 856 wrote to memory of 2384	856	MSBuild.exe	34
PID 856 wrote to memory of 2384	856	MSBuild.exe	34
PID 2384 wrote to memory of 992	2384	cmd.exe	36
PID 2384 wrote to memory of 992	2384	cmd.exe	36
PID 2384 wrote to memory of 992	2384	cmd.exe	36
PID 2384 wrote to memory of 992	2384	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\CITACION DEMANDA\04 CITACION DEMANDA.exe
"C:\Users\Admin\AppData\Local\Temp\CITACION DEMANDA\04 CITACION DEMANDA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCE4D.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\94f74a4b

Filesize
776KB

MD5
bce9b77ab2f04e34d7c2dd81d1ea3753

SHA1
c1575b074fbc8e3642ffb67b3844d3c13de31d26

SHA256
68d949f9930043565cb40a5f1cbd5a986b8c046a055b6b1a35e59aad4f746d39

SHA512
3b697a576b99afca3b19fba3abd6961715cd7009c81fe16092e437d32f97b277056d3bc2b15f72ed8bec8dfe00bccf0cf51e3f9cfd954d20c4b02b90908737cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE2D.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE4D.tmp.bat

Filesize
171B

MD5
fbcdfb362da6eebf41816402968531ab

SHA1
37f8bebbcbfaed82d7dce57e91780ea06e3af865

SHA256
70055378e39678ca801917dbdfc474e3086e40f174665e0d27495cfd6ba83ce6

SHA512
71955fc84759604592c6aa3138682fc69ebd30aca3791e740880ee54c58196c0f3469bb9cc8d956c396fd597119152c784e087fc9e61b9756aab59d867a8a9c4

Download Submit
memory/856-73-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/856-87-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/856-122-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/856-89-0x0000000000600000-0x0000000000626000-memory.dmp

Filesize
152KB

Download
memory/856-74-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/856-69-0x0000000072400000-0x0000000073462000-memory.dmp

Filesize
16.4MB

Download
memory/856-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/856-71-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-70-0x0000000074300000-0x0000000074474000-memory.dmp

Filesize
1.5MB

Download
memory/2516-67-0x0000000074300000-0x0000000074474000-memory.dmp

Filesize
1.5MB

Download
memory/2516-66-0x0000000074300000-0x0000000074474000-memory.dmp

Filesize
1.5MB

Download
memory/2516-64-0x0000000074300000-0x0000000074474000-memory.dmp

Filesize
1.5MB

Download
memory/2516-10-0x0000000074300000-0x0000000074474000-memory.dmp

Filesize
1.5MB

Download
memory/2516-57-0x0000000074300000-0x0000000074474000-memory.dmp

Filesize
1.5MB

Download
memory/2516-12-0x0000000076E80000-0x0000000077029000-memory.dmp

Filesize
1.7MB

Download
memory/2588-0-0x0000000074300000-0x0000000074474000-memory.dmp

Filesize
1.5MB

Download
memory/2588-8-0x0000000074300000-0x0000000074474000-memory.dmp

Filesize
1.5MB

Download
memory/2588-7-0x0000000074300000-0x0000000074474000-memory.dmp

Filesize
1.5MB

Download
memory/2588-1-0x0000000076E80000-0x0000000077029000-memory.dmp

Filesize
1.7MB

Download