asyncrat | 56017b05352f3034ad5a1e34a51206b7240f8a982721e089a440172263963235

Resubmissions

17-07-2024 02:01

240717-cfmhxa1ckn 10

17-07-2024 01:54

240717-cb2f9stdmg 10

Analysis

max time kernel
12s
max time network
6s
platform
windows10-2004_x64
resource
win10v2004-20240709-es
resource tags

arch:x64arch:x86image:win10v2004-20240709-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
17-07-2024 01:54

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Cotizacion.exe
Size

3.8MB
MD5

4bcda20fcc420c83a19572e6b4610479
SHA1

7e3427c72ca845d2b66c901485ef3ca2c7cbf9f8
SHA256

56017b05352f3034ad5a1e34a51206b7240f8a982721e089a440172263963235
SHA512

a08fe40a64e5cf50560bf9a2644b35d2f30de966626919d1e9d9a657000ccadd4ff4b3cab7bbc292249a389eacb85e2f5be1ae3e98350dd9e43b12ba5327b88a
SSDEEP

98304:5mJVD97VAOltrWJP8SDUTYAA56RoeXN3cJvPd4Fm0fA0:5mJ7hAatrWJP8S+YAfSkN+vPjt0

Score

10^/10

asyncrat enviojulio persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

ENVIOJULIO

hiperconection.duckdns.org:3030

Mutex

PRMBSRGT0kqWhLMuk3qtRg

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tiopLottt = "C:\\Users\\Admin\\Documents\\unaReversa\\simas.exe"	Cotizacion.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2476 set thread context of 2584	2476	Cotizacion.exe	96

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2584	2476	Cotizacion.exe	96
PID 2476 wrote to memory of 2584	2476	Cotizacion.exe	96
PID 2476 wrote to memory of 2584	2476	Cotizacion.exe	96
PID 2476 wrote to memory of 2584	2476	Cotizacion.exe	96
PID 2476 wrote to memory of 2584	2476	Cotizacion.exe	96

C:\Users\Admin\AppData\Local\Temp\Cotizacion.exe
"C:\Users\Admin\AppData\Local\Temp\Cotizacion.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2476-0-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/2476-2-0x000000000043A000-0x0000000000453000-memory.dmp

Filesize
100KB

Download
memory/2476-3-0x0000000000400000-0x0000000000846000-memory.dmp

Filesize
4.3MB

Download
memory/2584-4-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads