asyncrat | 6690c8fe22bef50e4ea21298c3dffee89f2d89cd2b2fc91c06c25bde5f0b549d

General

Target

zip_contents/01 CITACION DEMANDA.exe
Size

3.1MB
MD5

b841d408448f2a07f308ced1589e7673
SHA1

f5b5095c0ed69d42110df6d39810d12b1fa32a1e
SHA256

69a90665113bd73b30360d87f7f6ed2c789a90a67f3b6e86474e21273a64f699
SHA512

a689734048109ab7bec9491bbb7781686c19c7885166b3ca2975e2f49e956fcc388cd8ca85a4e5a8bf9efe6056f1e0d80197b7f521d4f0d4cadb10ba9ef1fa93
SSDEEP

49152:pvFg5qg9BtIAHE3SM4ahx6LK2SamuZob+tCjNrv8:Jm5qGBHBLRKuZfkjNrv8

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

juanjuan20231.kozow.com:2107

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2016 set thread context of 2908	2016	01 CITACION DEMANDA.exe	85
PID 2908 set thread context of 2576	2908	cmd.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2016	01 CITACION DEMANDA.exe
2016	01 CITACION DEMANDA.exe
2908	cmd.exe
2908	cmd.exe
2576	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2016	01 CITACION DEMANDA.exe
2908	cmd.exe
2908	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2908	2016	01 CITACION DEMANDA.exe	85
PID 2016 wrote to memory of 2908	2016	01 CITACION DEMANDA.exe	85
PID 2016 wrote to memory of 2908	2016	01 CITACION DEMANDA.exe	85
PID 2016 wrote to memory of 2908	2016	01 CITACION DEMANDA.exe	85
PID 2908 wrote to memory of 2576	2908	cmd.exe	97
PID 2908 wrote to memory of 2576	2908	cmd.exe	97
PID 2908 wrote to memory of 2576	2908	cmd.exe	97
PID 2908 wrote to memory of 2576	2908	cmd.exe	97
PID 2908 wrote to memory of 2576	2908	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\zip_contents\01 CITACION DEMANDA.exe
"C:\Users\Admin\AppData\Local\Temp\zip_contents\01 CITACION DEMANDA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\176d9371

Filesize
774KB

MD5
912a699df1bf008b2d1663ba62aebfe8

SHA1
23a440eeaf1a72f41d048024485a3ed39c8f6646

SHA256
f5f6b0c29f181773f5683091a9ede485d86f95c9c625180a00fbccb10aef2f09

SHA512
496159d83c3f9ce25ed24e27230e97bdf92b5b5b11e7ed7366ff50721e7c7f8b4fc2f758fc4cefb0ef2e65f48833d1724ed038423839d33de9a737f9102d1900

Download Submit
memory/2016-13-0x000000004A600000-0x000000004A6EC000-memory.dmp

Filesize
944KB

Download
memory/2016-8-0x00000000741B2000-0x00000000741B4000-memory.dmp

Filesize
8KB

Download
memory/2016-1-0x00000000741A0000-0x000000007431B000-memory.dmp

Filesize
1.5MB

Download
memory/2016-12-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download
memory/2016-10-0x00000000741A0000-0x000000007431B000-memory.dmp

Filesize
1.5MB

Download
memory/2016-0-0x0000000000CE0000-0x0000000000DEB000-memory.dmp

Filesize
1.0MB

Download
memory/2016-14-0x0000000000CE0000-0x0000000000DEB000-memory.dmp

Filesize
1.0MB

Download
memory/2016-9-0x00000000741A0000-0x000000007431B000-memory.dmp

Filesize
1.5MB

Download
memory/2016-2-0x00007FFADAEB0000-0x00007FFADB0A5000-memory.dmp

Filesize
2.0MB

Download
memory/2576-28-0x0000000072490000-0x0000000072C40000-memory.dmp

Filesize
7.7MB

Download
memory/2576-29-0x0000000005950000-0x0000000005EF4000-memory.dmp

Filesize
5.6MB

Download
memory/2576-32-0x000000007249E000-0x000000007249F000-memory.dmp

Filesize
4KB

Download
memory/2576-31-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/2576-30-0x0000000005560000-0x00000000055F2000-memory.dmp

Filesize
584KB

Download
memory/2576-22-0x0000000072C40000-0x0000000073E94000-memory.dmp

Filesize
18.3MB

Download
memory/2576-26-0x000000007249E000-0x000000007249F000-memory.dmp

Filesize
4KB

Download
memory/2576-27-0x0000000000B60000-0x0000000000B76000-memory.dmp

Filesize
88KB

Download
memory/2576-33-0x0000000072490000-0x0000000072C40000-memory.dmp

Filesize
7.7MB

Download
memory/2908-15-0x00000000741A0000-0x000000007431B000-memory.dmp

Filesize
1.5MB

Download
memory/2908-23-0x00000000741A0000-0x000000007431B000-memory.dmp

Filesize
1.5MB

Download
memory/2908-20-0x00000000741A0000-0x000000007431B000-memory.dmp

Filesize
1.5MB

Download
memory/2908-19-0x00000000741A0000-0x000000007431B000-memory.dmp

Filesize
1.5MB

Download
memory/2908-17-0x00007FFADAEB0000-0x00007FFADB0A5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing