asyncrat | 0e93a41edf1ca3e1723e5e0d73f3e0f54d6d672606b9dc0cda745f87e3fd0339

General

Target

01 PROCESO JUDICIAL EN SU CONTRA/01 PROCESO JUDICIAL.exe
Size

2.3MB
MD5

5d52ef45b6e5bf144307a84c2af1581b
SHA1

414a899ec327d4a9daa53983544245b209f25142
SHA256

26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
SHA512

458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
SSDEEP

49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

Dios123.kozow.com:1234

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

Processes:

01 PROCESO JUDICIAL.execmd.exe

description	pid	process	target process
PID 3008 set thread context of 3040	3008	01 PROCESO JUDICIAL.exe	cmd.exe
PID 3040 set thread context of 2552	3040	cmd.exe	MSBuild.exe

Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\BMObeaconv1.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

01 PROCESO JUDICIAL.execmd.exeMSBuild.exe

pid process

3008 01 PROCESO JUDICIAL.exe
3008 01 PROCESO JUDICIAL.exe
3040 cmd.exe
3040 cmd.exe
2552 MSBuild.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

01 PROCESO JUDICIAL.execmd.exe

pid process

3008 01 PROCESO JUDICIAL.exe
3040 cmd.exe
3040 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2552 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

2552 MSBuild.exe

description	ioc	process
File created	C:\Windows\Tasks\BMObeaconv1.job	cmd.exe

pid	process
3008	01 PROCESO JUDICIAL.exe
3008	01 PROCESO JUDICIAL.exe
3040	cmd.exe
3040	cmd.exe
2552	MSBuild.exe

pid	process
3008	01 PROCESO JUDICIAL.exe
3040	cmd.exe
3040	cmd.exe

description	pid	process
Token: SeDebugPrivilege	2552	MSBuild.exe

pid	process
2552	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

01 PROCESO JUDICIAL.execmd.exe

description	pid	process	target process
PID 3008 wrote to memory of 3040	3008	01 PROCESO JUDICIAL.exe	cmd.exe
PID 3008 wrote to memory of 3040	3008	01 PROCESO JUDICIAL.exe	cmd.exe
PID 3008 wrote to memory of 3040	3008	01 PROCESO JUDICIAL.exe	cmd.exe
PID 3008 wrote to memory of 3040	3008	01 PROCESO JUDICIAL.exe	cmd.exe
PID 3008 wrote to memory of 3040	3008	01 PROCESO JUDICIAL.exe	cmd.exe
PID 3040 wrote to memory of 2552	3040	cmd.exe	MSBuild.exe
PID 3040 wrote to memory of 2552	3040	cmd.exe	MSBuild.exe
PID 3040 wrote to memory of 2552	3040	cmd.exe	MSBuild.exe
PID 3040 wrote to memory of 2552	3040	cmd.exe	MSBuild.exe
PID 3040 wrote to memory of 2552	3040	cmd.exe	MSBuild.exe
PID 3040 wrote to memory of 2552	3040	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe
"C:\Users\Admin\AppData\Local\Temp\01 PROCESO JUDICIAL EN SU CONTRA\01 PROCESO JUDICIAL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bb532272

Filesize
777KB

MD5
e2cad048b9b84eac6cb89a9f65718d9a

SHA1
09c745e9dd7cb73f8a4a4acdddbb07d6f27e3840

SHA256
5b0cdf15c0889f5e8d79b93aa4462b82fbc560e56536d221ead5aee50486c503

SHA512
8859d89700d3dbf03ecc50e14ad4df541365e446767a6b6e960548d1e887e0c8c9286ec48b8f2c5309a459e370f9a1be7437889c00ed5f30c4fe0f9238d6274b

Download Submit
memory/2552-84-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2552-80-0x0000000073160000-0x00000000741C2000-memory.dmp

Filesize
16.4MB

Download
memory/2552-82-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2552-83-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3008-16-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/3008-12-0x0000000075080000-0x00000000751F4000-memory.dmp

Filesize
1.5MB

Download
memory/3008-15-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3008-1-0x0000000077BE0000-0x0000000077D89000-memory.dmp

Filesize
1.7MB

Download
memory/3008-20-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/3008-19-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/3008-17-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/3008-0-0x0000000075080000-0x00000000751F4000-memory.dmp

Filesize
1.5MB

Download
memory/3008-14-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3008-18-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/3008-10-0x0000000075092000-0x0000000075094000-memory.dmp

Filesize
8KB

Download
memory/3008-11-0x0000000075080000-0x00000000751F4000-memory.dmp

Filesize
1.5MB

Download
memory/3040-23-0x0000000077BE0000-0x0000000077D89000-memory.dmp

Filesize
1.7MB

Download
memory/3040-78-0x0000000075080000-0x00000000751F4000-memory.dmp

Filesize
1.5MB

Download
memory/3040-81-0x0000000075080000-0x00000000751F4000-memory.dmp

Filesize
1.5MB

Download
memory/3040-77-0x0000000075080000-0x00000000751F4000-memory.dmp

Filesize
1.5MB

Download
memory/3040-74-0x0000000075080000-0x00000000751F4000-memory.dmp

Filesize
1.5MB

Download
memory/3040-68-0x0000000075080000-0x00000000751F4000-memory.dmp

Filesize
1.5MB

Download
memory/3040-21-0x0000000075080000-0x00000000751F4000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing