asyncrat | 34cef105cd8ee43da90df59fb3e7c0e257330240eea2faa4d37893b8e0d13ba5

Resubmissions

30-04-2024 15:51

240430-tamp6aad4v 10

30-04-2024 15:48

240430-s8w6taac8v 1

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-04-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5 NOTIFICACION DEMANDA/5 NOTIFICACION DEMANDA...exe
Size

135KB
MD5

a2d70fbab5181a509369d96b682fc641
SHA1

22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA256

8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
SHA512

219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83
SSDEEP

1536:URLRDTAC1CMoR1CqabJWt7AQFYMGhw1ScCD28v2Vv428fmvxOuw03h9VC:URdV1CMoiqadTQFBGhw1ED28+94hGw

Score

10^/10

asyncrat trackmoney rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

TRACKMONEY

trackmoney.dynuddns.net:5959

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1912 set thread context of 2896	1912	5 NOTIFICACION DEMANDA...exe	28
PID 2896 set thread context of 2796	2896	cmd.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1912	5 NOTIFICACION DEMANDA...exe
1912	5 NOTIFICACION DEMANDA...exe
2896	cmd.exe
2896	cmd.exe
2796	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1912	5 NOTIFICACION DEMANDA...exe
2896	cmd.exe
2896	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2796	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2896	1912	5 NOTIFICACION DEMANDA...exe	28
PID 1912 wrote to memory of 2896	1912	5 NOTIFICACION DEMANDA...exe	28
PID 1912 wrote to memory of 2896	1912	5 NOTIFICACION DEMANDA...exe	28
PID 1912 wrote to memory of 2896	1912	5 NOTIFICACION DEMANDA...exe	28
PID 1912 wrote to memory of 2896	1912	5 NOTIFICACION DEMANDA...exe	28
PID 2896 wrote to memory of 2796	2896	cmd.exe	30
PID 2896 wrote to memory of 2796	2896	cmd.exe	30
PID 2896 wrote to memory of 2796	2896	cmd.exe	30
PID 2896 wrote to memory of 2796	2896	cmd.exe	30
PID 2896 wrote to memory of 2796	2896	cmd.exe	30
PID 2896 wrote to memory of 2796	2896	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\5 NOTIFICACION DEMANDA\5 NOTIFICACION DEMANDA...exe
"C:\Users\Admin\AppData\Local\Temp\5 NOTIFICACION DEMANDA\5 NOTIFICACION DEMANDA...exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8928ccf9

Filesize
741KB

MD5
871f132387acaa4a3f6e16c8c44b7ffc

SHA1
7ef07fda06ea0fd1dcc59278546ae8ec4d1de42f

SHA256
754e726c1abcd7a896f2c2c38b096fd8eb174107a7748aec3d41ae436fdd07e2

SHA512
a214ce80395ea843cc6ae3c98f18573573be70d8a849a5db66ccbe6514a5637fa86b5f1b74d3716010613cfa6c2d1866af2b3857dee1318962828593dec7ee08

Download Submit
memory/1912-15-0x0000000003200000-0x000000000330F000-memory.dmp

Filesize
1.1MB

Download
memory/1912-14-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1912-0-0x0000000003200000-0x000000000330F000-memory.dmp

Filesize
1.1MB

Download
memory/1912-9-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/1912-13-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1912-10-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/1912-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1912-1-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1912-3-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/1912-2-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/2796-70-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/2796-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2796-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2796-66-0x0000000072B10000-0x0000000073B72000-memory.dmp

Filesize
16.4MB

Download
memory/2896-18-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2896-63-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/2896-64-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/2896-67-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/2896-16-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download