asyncrat | 6690c8fe22bef50e4ea21298c3dffee89f2d89cd2b2fc91c06c25bde5f0b549d

General

Target

zip_contents/01 CITACION DEMANDA.exe
Size

3.1MB
MD5

b841d408448f2a07f308ced1589e7673
SHA1

f5b5095c0ed69d42110df6d39810d12b1fa32a1e
SHA256

69a90665113bd73b30360d87f7f6ed2c789a90a67f3b6e86474e21273a64f699
SHA512

a689734048109ab7bec9491bbb7781686c19c7885166b3ca2975e2f49e956fcc388cd8ca85a4e5a8bf9efe6056f1e0d80197b7f521d4f0d4cadb10ba9ef1fa93
SSDEEP

49152:pvFg5qg9BtIAHE3SM4ahx6LK2SamuZob+tCjNrv8:Jm5qGBHBLRKuZfkjNrv8

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

juanjuan20231.kozow.com:2107

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1864 set thread context of 768	1864	01 CITACION DEMANDA.exe	31
PID 768 set thread context of 2540	768	cmd.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1864	01 CITACION DEMANDA.exe
1864	01 CITACION DEMANDA.exe
768	cmd.exe
768	cmd.exe
2540	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1864	01 CITACION DEMANDA.exe
768	cmd.exe
768	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2540	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 768	1864	01 CITACION DEMANDA.exe	31
PID 1864 wrote to memory of 768	1864	01 CITACION DEMANDA.exe	31
PID 1864 wrote to memory of 768	1864	01 CITACION DEMANDA.exe	31
PID 1864 wrote to memory of 768	1864	01 CITACION DEMANDA.exe	31
PID 1864 wrote to memory of 768	1864	01 CITACION DEMANDA.exe	31
PID 768 wrote to memory of 2540	768	cmd.exe	33
PID 768 wrote to memory of 2540	768	cmd.exe	33
PID 768 wrote to memory of 2540	768	cmd.exe	33
PID 768 wrote to memory of 2540	768	cmd.exe	33
PID 768 wrote to memory of 2540	768	cmd.exe	33
PID 768 wrote to memory of 2540	768	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\zip_contents\01 CITACION DEMANDA.exe
"C:\Users\Admin\AppData\Local\Temp\zip_contents\01 CITACION DEMANDA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ba602901

Filesize
774KB

MD5
c9e866cb553a316810b6aa623589a48f

SHA1
bfab6b7d5fe1b82c89028e63d0c22ee935d0fd27

SHA256
9bd3bae0253e90e61f01e44ce26a3ffd2cf1aa702a62010a129604336e4a013e

SHA512
b349180fe2550f31a3f3a5e223a832e4cca0deda7cd15dc4e1a6c6a0b555e726b3597cad44ab2e18ec1c851022ceb2ae21498e3ea03e37deff17e26939bdf15a

Download Submit
memory/768-63-0x0000000074B90000-0x0000000074D04000-memory.dmp

Filesize
1.5MB

Download
memory/768-17-0x0000000074B90000-0x0000000074D04000-memory.dmp

Filesize
1.5MB

Download
memory/768-67-0x0000000074B90000-0x0000000074D04000-memory.dmp

Filesize
1.5MB

Download
memory/768-18-0x0000000077770000-0x0000000077919000-memory.dmp

Filesize
1.7MB

Download
memory/768-64-0x0000000074B90000-0x0000000074D04000-memory.dmp

Filesize
1.5MB

Download
memory/1864-15-0x0000000074B90000-0x0000000074D04000-memory.dmp

Filesize
1.5MB

Download
memory/1864-14-0x0000000000230000-0x000000000033B000-memory.dmp

Filesize
1.0MB

Download
memory/1864-2-0x0000000077770000-0x0000000077919000-memory.dmp

Filesize
1.7MB

Download
memory/1864-8-0x0000000074BA2000-0x0000000074BA4000-memory.dmp

Filesize
8KB

Download
memory/1864-9-0x0000000074B90000-0x0000000074D04000-memory.dmp

Filesize
1.5MB

Download
memory/1864-0-0x0000000000230000-0x000000000033B000-memory.dmp

Filesize
1.0MB

Download
memory/1864-12-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/1864-13-0x000000004A600000-0x000000004A6EC000-memory.dmp

Filesize
944KB

Download
memory/1864-1-0x0000000074B90000-0x0000000074D04000-memory.dmp

Filesize
1.5MB

Download
memory/2540-70-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2540-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2540-66-0x0000000072CF0000-0x0000000073D52000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing