asyncrat | 34cef105cd8ee43da90df59fb3e7c0e257330240eea2faa4d37893b8e0d13ba5

Resubmissions

30/04/2024, 15:51

240430-tamp6aad4v 10

30/04/2024, 15:48

240430-s8w6taac8v 1

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5 NOTIFICACION DEMANDA/5 NOTIFICACION DEMANDA...exe
Size

135KB
MD5

a2d70fbab5181a509369d96b682fc641
SHA1

22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA256

8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
SHA512

219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83
SSDEEP

1536:URLRDTAC1CMoR1CqabJWt7AQFYMGhw1ScCD28v2Vv428fmvxOuw03h9VC:URdV1CMoiqadTQFBGhw1ED28+94hGw

Score

10^/10

asyncrat trackmoney rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

TRACKMONEY

trackmoney.dynuddns.net:5959

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 3260	2992	5 NOTIFICACION DEMANDA...exe	83
PID 3260 set thread context of 4580	3260	cmd.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2992	5 NOTIFICACION DEMANDA...exe
2992	5 NOTIFICACION DEMANDA...exe
3260	cmd.exe
3260	cmd.exe
4580	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2992	5 NOTIFICACION DEMANDA...exe
3260	cmd.exe
3260	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4580	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3260	2992	5 NOTIFICACION DEMANDA...exe	83
PID 2992 wrote to memory of 3260	2992	5 NOTIFICACION DEMANDA...exe	83
PID 2992 wrote to memory of 3260	2992	5 NOTIFICACION DEMANDA...exe	83
PID 2992 wrote to memory of 3260	2992	5 NOTIFICACION DEMANDA...exe	83
PID 3260 wrote to memory of 4580	3260	cmd.exe	89
PID 3260 wrote to memory of 4580	3260	cmd.exe	89
PID 3260 wrote to memory of 4580	3260	cmd.exe	89
PID 3260 wrote to memory of 4580	3260	cmd.exe	89
PID 3260 wrote to memory of 4580	3260	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\5 NOTIFICACION DEMANDA\5 NOTIFICACION DEMANDA...exe
"C:\Users\Admin\AppData\Local\Temp\5 NOTIFICACION DEMANDA\5 NOTIFICACION DEMANDA...exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\825e5ba3

Filesize
741KB

MD5
f3ab8a9ddeeb55f242aaa367c76ae6d6

SHA1
b060366b552f388932df4f6fac3c6f15a84955c7

SHA256
7151430eef77e376f2a784e36b9ca04191797a983162999a0f1bfcb20fe7f2c7

SHA512
8a726d9aa9ea746920b307f56c79b066f974acdcbfc15c81a5c0e153ac63e997aceb53dbd3ad213a3403ea6ac29138c724bb05c09265a11657dea371bcc0b634

Download Submit
memory/2992-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2992-1-0x00000000028B0000-0x00000000029BF000-memory.dmp

Filesize
1.1MB

Download
memory/2992-2-0x0000000075490000-0x000000007560B000-memory.dmp

Filesize
1.5MB

Download
memory/2992-3-0x00007FFC126D0000-0x00007FFC128C5000-memory.dmp

Filesize
2.0MB

Download
memory/2992-9-0x0000000075490000-0x000000007560B000-memory.dmp

Filesize
1.5MB

Download
memory/2992-10-0x0000000075490000-0x000000007560B000-memory.dmp

Filesize
1.5MB

Download
memory/2992-13-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2992-15-0x00000000028B0000-0x00000000029BF000-memory.dmp

Filesize
1.1MB

Download
memory/2992-0-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/2992-14-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/3260-18-0x00007FFC126D0000-0x00007FFC128C5000-memory.dmp

Filesize
2.0MB

Download
memory/3260-17-0x0000000075490000-0x000000007560B000-memory.dmp

Filesize
1.5MB

Download
memory/3260-20-0x0000000075490000-0x000000007560B000-memory.dmp

Filesize
1.5MB

Download
memory/3260-21-0x0000000075490000-0x000000007560B000-memory.dmp

Filesize
1.5MB

Download
memory/3260-24-0x0000000075490000-0x000000007560B000-memory.dmp

Filesize
1.5MB

Download
memory/4580-28-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-27-0x0000000000B10000-0x0000000000B26000-memory.dmp

Filesize
88KB

Download
memory/4580-23-0x0000000073920000-0x0000000074B74000-memory.dmp

Filesize
18.3MB

Download
memory/4580-29-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/4580-30-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/4580-31-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/4580-32-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/4580-33-0x0000000074FF0000-0x00000000757A0000-memory.dmp

Filesize
7.7MB

Download
memory/4580-34-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download