asyncrat | f894d3df8c6df4117d44d958382a5ba47ab288e2cc5e7fd8c793ceef1a21a220

Resubmissions

30-07-2024 22:59

240730-2ynw5ayajh 10

30-07-2024 22:56

240730-2wvlwsxhma 10

30-07-2024 22:49

240730-2rrpfatbrk 10

Analysis

max time kernel
298s
max time network
303s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO/02 CITACION DEMANDA..exe
Size

2.3MB
MD5

5d52ef45b6e5bf144307a84c2af1581b
SHA1

414a899ec327d4a9daa53983544245b209f25142
SHA256

26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
SHA512

458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
SSDEEP

49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

gfbvhbh2024.kozow.com:2000

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 212 set thread context of 840	212	02 CITACION DEMANDA..exe	84
PID 840 set thread context of 632	840	cmd.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02 CITACION DEMANDA..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
212	02 CITACION DEMANDA..exe
212	02 CITACION DEMANDA..exe
840	cmd.exe
840	cmd.exe
632	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
212	02 CITACION DEMANDA..exe
840	cmd.exe
840	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
632	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 840	212	02 CITACION DEMANDA..exe	84
PID 212 wrote to memory of 840	212	02 CITACION DEMANDA..exe	84
PID 212 wrote to memory of 840	212	02 CITACION DEMANDA..exe	84
PID 212 wrote to memory of 840	212	02 CITACION DEMANDA..exe	84
PID 840 wrote to memory of 632	840	cmd.exe	87
PID 840 wrote to memory of 632	840	cmd.exe	87
PID 840 wrote to memory of 632	840	cmd.exe	87
PID 840 wrote to memory of 632	840	cmd.exe	87
PID 840 wrote to memory of 632	840	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO\02 CITACION DEMANDA..exe
"C:\Users\Admin\AppData\Local\Temp\05 CITACION DEMANDA EN SU CONTRA - JUZGADO PENAL 01 DEL CIRCUITO RAMA JUDICIAL ESPECIALIZADO\02 CITACION DEMANDA..exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\49656686

Filesize
774KB

MD5
aae7737c89ed9240d276bd0aa72e0ee7

SHA1
f4b7c0c0400ea2d70e2a905be38a4fa44b8dbcb3

SHA256
3a47427ccc04b02942950fde1d7c62a5aa447c9a3417deee0ae6e954ad81f785

SHA512
8ad80bde85cddb054dbf71ea7cdd4bd9c959b4aef5aad05bc131adc8238ba01383723838c9fa1586a9b0d8153e3afdda94617007eee11988686be85a484154ac

Download Submit
memory/212-15-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/212-11-0x00000000743F0000-0x000000007456B000-memory.dmp

Filesize
1.5MB

Download
memory/212-14-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/212-12-0x00000000743F0000-0x000000007456B000-memory.dmp

Filesize
1.5MB

Download
memory/212-10-0x0000000074402000-0x0000000074404000-memory.dmp

Filesize
8KB

Download
memory/212-20-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/212-19-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/212-1-0x00007FFD9C930000-0x00007FFD9CB25000-memory.dmp

Filesize
2.0MB

Download
memory/212-18-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/212-17-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/212-16-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/212-0-0x00000000743F0000-0x000000007456B000-memory.dmp

Filesize
1.5MB

Download
memory/632-35-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/632-34-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/632-38-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/632-37-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/632-29-0x0000000072E90000-0x00000000740E4000-memory.dmp

Filesize
18.3MB

Download
memory/632-39-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/632-32-0x00000000747DE000-0x00000000747DF000-memory.dmp

Filesize
4KB

Download
memory/632-33-0x0000000000990000-0x00000000009A6000-memory.dmp

Filesize
88KB

Download
memory/632-36-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/840-21-0x00000000743F0000-0x000000007456B000-memory.dmp

Filesize
1.5MB

Download
memory/840-28-0x00000000743F0000-0x000000007456B000-memory.dmp

Filesize
1.5MB

Download
memory/840-26-0x00000000743F0000-0x000000007456B000-memory.dmp

Filesize
1.5MB

Download
memory/840-25-0x00000000743F0000-0x000000007456B000-memory.dmp

Filesize
1.5MB

Download
memory/840-23-0x00007FFD9C930000-0x00007FFD9CB25000-memory.dmp

Filesize
2.0MB

Download