asyncrat | f894d3df8c6df4117d44d958382a5ba47ab288e2cc5e7fd8c793ceef1a21a220

Resubmissions

30/07/2024, 22:59 UTC

240730-2ynw5ayajh 10

30/07/2024, 22:56 UTC

240730-2wvlwsxhma 10

30/07/2024, 22:49 UTC

240730-2rrpfatbrk 10

Analysis

max time kernel
83s
max time network
87s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
30/07/2024, 22:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO/02 CITACION DEMANDA..exe
Size

2.3MB
MD5

5d52ef45b6e5bf144307a84c2af1581b
SHA1

414a899ec327d4a9daa53983544245b209f25142
SHA256

26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
SHA512

458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
SSDEEP

49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

gfbvhbh2024.kozow.com:2000

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

1
nVXWogDuo1uuoQDBFT3XagpvKlaE7c8o

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 1728	3040	02 CITACION DEMANDA..exe	30
PID 1728 set thread context of 1392	1728	cmd.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02 CITACION DEMANDA..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3040	02 CITACION DEMANDA..exe
3040	02 CITACION DEMANDA..exe
1728	cmd.exe
1728	cmd.exe
1392	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3040	02 CITACION DEMANDA..exe
1728	cmd.exe
1728	cmd.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1392	MSBuild.exe
Token: 33	2800	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2800	AUDIODG.EXE
Token: 33	2800	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2800	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1392	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1728	3040	02 CITACION DEMANDA..exe	30
PID 3040 wrote to memory of 1728	3040	02 CITACION DEMANDA..exe	30
PID 3040 wrote to memory of 1728	3040	02 CITACION DEMANDA..exe	30
PID 3040 wrote to memory of 1728	3040	02 CITACION DEMANDA..exe	30
PID 3040 wrote to memory of 1728	3040	02 CITACION DEMANDA..exe	30
PID 1728 wrote to memory of 1392	1728	cmd.exe	32
PID 1728 wrote to memory of 1392	1728	cmd.exe	32
PID 1728 wrote to memory of 1392	1728	cmd.exe	32
PID 1728 wrote to memory of 1392	1728	cmd.exe	32
PID 1728 wrote to memory of 1392	1728	cmd.exe	32
PID 1728 wrote to memory of 1392	1728	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO\02 CITACION DEMANDA..exe
"C:\Users\Admin\AppData\Local\Temp\05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO\02 CITACION DEMANDA..exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1392

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

Network

DNS

gfbvhbh2024.kozow.com

MSBuild.exe

Remote address:

8.8.8.8:53

Request

gfbvhbh2024.kozow.com

IN A

Response

gfbvhbh2024.kozow.com

IN A

45.32.169.187

45.32.169.187:2000

gfbvhbh2024.kozow.com

MSBuild.exe

152 B
3
45.32.169.187:2000

gfbvhbh2024.kozow.com

MSBuild.exe

152 B
3
45.32.169.187:2000

gfbvhbh2024.kozow.com

MSBuild.exe

104 B
2

8.8.8.8:53

gfbvhbh2024.kozow.com

dns

MSBuild.exe

67 B
83 B
1
1

DNS Request

gfbvhbh2024.kozow.com

DNS Response

45.32.169.187

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2d11ead3

Filesize
774KB

MD5
bd33abf7657af0252a76ed7487b9ca5e

SHA1
520ea77a7996fad943498d9ffe72a1035b4825f1

SHA256
f634943c0bf92f1da9d378b4fee790daa8636adecf0e61b10f07bc5f9fa9a559

SHA512
b82030c8b4266b947b74c56d34e8185cbe4f765a81e9d4f32a37126416a8dd422e4cfd47f3f87a7ea34005bde2536d759abd20c6fd9dc4a3920c1b47bab0a8db

Download Submit
memory/1392-75-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1392-71-0x0000000072E40000-0x0000000073EA2000-memory.dmp

Filesize
16.4MB

Download
memory/1392-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1392-73-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1728-23-0x00000000778C0000-0x0000000077A69000-memory.dmp

Filesize
1.7MB

Download
memory/1728-72-0x0000000074CD0000-0x0000000074E44000-memory.dmp

Filesize
1.5MB

Download
memory/1728-69-0x0000000074CD0000-0x0000000074E44000-memory.dmp

Filesize
1.5MB

Download
memory/1728-21-0x0000000074CD0000-0x0000000074E44000-memory.dmp

Filesize
1.5MB

Download
memory/1728-68-0x0000000074CD0000-0x0000000074E44000-memory.dmp

Filesize
1.5MB

Download
memory/3040-14-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3040-18-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/3040-16-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/3040-15-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3040-19-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/3040-20-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/3040-17-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/3040-0-0x0000000074CD0000-0x0000000074E44000-memory.dmp

Filesize
1.5MB

Download
memory/3040-12-0x0000000074CD0000-0x0000000074E44000-memory.dmp

Filesize
1.5MB

Download
memory/3040-10-0x0000000074CE2000-0x0000000074CE4000-memory.dmp

Filesize
8KB

Download
memory/3040-11-0x0000000074CD0000-0x0000000074E44000-memory.dmp

Filesize
1.5MB

Download
memory/3040-1-0x00000000778C0000-0x0000000077A69000-memory.dmp

Filesize
1.7MB

Download