asyncrat | 27164ab014dd29fe1a866da3871a93b423e2a91a41bdea14f1694034474ab524

General

Target

08-CITACION DEMANDA-JUZGADO PENAL 09- RAMA JUDICIAL ESPECIALIZADA/04 CITACION DEMANDA.exe
Size

3.8MB
MD5

27b6f3b8e8bdce591e5164edba28584d
SHA1

3a150c9db17a94feddec8268073336d030b97dad
SHA256

46d06d06984466e0e8082f8bba8d274c37145ec71f26da0904dd93ea2e7f3087
SHA512

f91aea8e4dc987703926fef287178fc680d450597ad524ea0ca44255c7e3e7127c5dce8362be2f241d7a7aace2b7760467bdfc6117ce467d2bc1459045bb842f
SSDEEP

49152:QDdgK6jyazbFza8IBn2cpi7cSgWVh07Z2GBc024xF6QKRTTzLAUd+JOugbW:+OK62azbMB2kZ2rUF6QKR3Vd+JAb

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

remotald.duckdns.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 2756	2296	04 CITACION DEMANDA.exe	30
PID 2756 set thread context of 2224	2756	cmd.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04 CITACION DEMANDA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2296	04 CITACION DEMANDA.exe
2296	04 CITACION DEMANDA.exe
2296	04 CITACION DEMANDA.exe
2296	04 CITACION DEMANDA.exe
2756	cmd.exe
2224	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2296	04 CITACION DEMANDA.exe
2756	cmd.exe
2756	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2224	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2756	2296	04 CITACION DEMANDA.exe	30
PID 2296 wrote to memory of 2756	2296	04 CITACION DEMANDA.exe	30
PID 2296 wrote to memory of 2756	2296	04 CITACION DEMANDA.exe	30
PID 2296 wrote to memory of 2756	2296	04 CITACION DEMANDA.exe	30
PID 2296 wrote to memory of 2756	2296	04 CITACION DEMANDA.exe	30
PID 2756 wrote to memory of 2224	2756	cmd.exe	32
PID 2756 wrote to memory of 2224	2756	cmd.exe	32
PID 2756 wrote to memory of 2224	2756	cmd.exe	32
PID 2756 wrote to memory of 2224	2756	cmd.exe	32
PID 2756 wrote to memory of 2224	2756	cmd.exe	32
PID 2756 wrote to memory of 2224	2756	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\08-CITACION DEMANDA-JUZGADO PENAL 09- RAMA JUDICIAL ESPECIALIZADA\04 CITACION DEMANDA.exe
"C:\Users\Admin\AppData\Local\Temp\08-CITACION DEMANDA-JUZGADO PENAL 09- RAMA JUDICIAL ESPECIALIZADA\04 CITACION DEMANDA.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ba01c581

Filesize
780KB

MD5
c400b56c0e6e96072a1f5f436f6a6e52

SHA1
620561f3722d475f423479da70f97425d96f8ab3

SHA256
6e7f09fb11b1ee65fcfd39b919fc8360d429d93664f8c575f089b43eca6212c4

SHA512
0688c76b4c8b1d0a8a9294a736600f3101711bfdcb93ab509fcb85402423f26ae9df8d224598810ba164976a51f89ea4c710335829ed7f76420dd2ae23755129

Download Submit
memory/2224-62-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2224-59-0x0000000072780000-0x00000000737E2000-memory.dmp

Filesize
16.4MB

Download
memory/2224-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2224-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2296-7-0x00000000745F0000-0x0000000074764000-memory.dmp

Filesize
1.5MB

Download
memory/2296-0-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2296-9-0x0000000000400000-0x000000000080F000-memory.dmp

Filesize
4.1MB

Download
memory/2296-10-0x0000000004A30000-0x0000000004B46000-memory.dmp

Filesize
1.1MB

Download
memory/2296-3-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download
memory/2296-2-0x00000000745F0000-0x0000000074764000-memory.dmp

Filesize
1.5MB

Download
memory/2296-1-0x0000000004A30000-0x0000000004B46000-memory.dmp

Filesize
1.1MB

Download
memory/2756-12-0x0000000077200000-0x00000000773A9000-memory.dmp

Filesize
1.7MB

Download
memory/2756-57-0x00000000745F0000-0x0000000074764000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing