asyncrat | 6bb1378a0801ff75e9fb86c34539d6b05255a17297810b2e7eccd155e5063c5d

General

Target

03201-LEER COPIA DE LA NITIFICACION ENVIADA/02 LEER COPIA NOTIFICACION.exe
Size

966KB
MD5

e634616d3b445fc1cd55ee79cf5326ea
SHA1

ca27a368d87bc776884322ca996f3b24e20645f4
SHA256

1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937
SHA512

7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90
SSDEEP

24576:we3xAibB85Z1HrWtB8z1L1OTJu5zzz3zzzozzz3zzzSZ:HxAibBEZ1LWtBzQrZ

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

vulcansy.duckdns.org:1415

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

Processes:

02 LEER COPIA NOTIFICACION.execmd.exe

description	pid	process	target process
PID 3520 set thread context of 1256	3520	02 LEER COPIA NOTIFICACION.exe	cmd.exe
PID 1256 set thread context of 2940	1256	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

02 LEER COPIA NOTIFICACION.execmd.exe

pid process

3520 02 LEER COPIA NOTIFICACION.exe
3520 02 LEER COPIA NOTIFICACION.exe
1256 cmd.exe
1256 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

02 LEER COPIA NOTIFICACION.execmd.exe

pid process

3520 02 LEER COPIA NOTIFICACION.exe
1256 cmd.exe
1256 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2940 MSBuild.exe

pid	process
3520	02 LEER COPIA NOTIFICACION.exe
3520	02 LEER COPIA NOTIFICACION.exe
1256	cmd.exe
1256	cmd.exe

pid	process
3520	02 LEER COPIA NOTIFICACION.exe
1256	cmd.exe
1256	cmd.exe

description	pid	process
Token: SeDebugPrivilege	2940	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

02 LEER COPIA NOTIFICACION.execmd.exe

description	pid	process	target process
PID 3520 wrote to memory of 1256	3520	02 LEER COPIA NOTIFICACION.exe	cmd.exe
PID 3520 wrote to memory of 1256	3520	02 LEER COPIA NOTIFICACION.exe	cmd.exe
PID 3520 wrote to memory of 1256	3520	02 LEER COPIA NOTIFICACION.exe	cmd.exe
PID 3520 wrote to memory of 1256	3520	02 LEER COPIA NOTIFICACION.exe	cmd.exe
PID 1256 wrote to memory of 2940	1256	cmd.exe	MSBuild.exe
PID 1256 wrote to memory of 2940	1256	cmd.exe	MSBuild.exe
PID 1256 wrote to memory of 2940	1256	cmd.exe	MSBuild.exe
PID 1256 wrote to memory of 2940	1256	cmd.exe	MSBuild.exe
PID 1256 wrote to memory of 2940	1256	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\03201-LEER COPIA DE LA NITIFICACION ENVIADA\02 LEER COPIA NOTIFICACION.exe
"C:\Users\Admin\AppData\Local\Temp\03201-LEER COPIA DE LA NITIFICACION ENVIADA\02 LEER COPIA NOTIFICACION.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\58def979

Filesize
777KB

MD5
6ab07e08b84c7c84f3a7488680497d16

SHA1
a76dfcb9ce55fbbc0539ad36f01824848211af8b

SHA256
b02f9f3d8b57681f078a8bba66e1144e3aa036a3d21fc48fc3ea0ae3500e463d

SHA512
a9732e4c93f640b68b7c126a783d276c2ec0ba4d8372da31f705233a9c9bd37509802ea3867bf1e3a35c5040ccc2694a46e3d2dc4f8abb39382846ac35bf6451

Download Submit
memory/1256-19-0x0000000075A50000-0x0000000075BCB000-memory.dmp

Filesize
1.5MB

Download
memory/1256-15-0x0000000075A50000-0x0000000075BCB000-memory.dmp

Filesize
1.5MB

Download
memory/1256-17-0x0000000075A50000-0x0000000075BCB000-memory.dmp

Filesize
1.5MB

Download
memory/1256-16-0x0000000075A5E000-0x0000000075A60000-memory.dmp

Filesize
8KB

Download
memory/1256-13-0x00007FFC22490000-0x00007FFC22685000-memory.dmp

Filesize
2.0MB

Download
memory/2940-27-0x0000000006120000-0x00000000066C4000-memory.dmp

Filesize
5.6MB

Download
memory/2940-28-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/2940-34-0x00000000074D0000-0x0000000007562000-memory.dmp

Filesize
584KB

Download
memory/2940-33-0x0000000007110000-0x000000000712E000-memory.dmp

Filesize
120KB

Download
memory/2940-32-0x0000000005F20000-0x0000000005F34000-memory.dmp

Filesize
80KB

Download
memory/2940-31-0x0000000006E50000-0x0000000006EC6000-memory.dmp

Filesize
472KB

Download
memory/2940-30-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2940-20-0x0000000073FD0000-0x0000000075224000-memory.dmp

Filesize
18.3MB

Download
memory/2940-23-0x000000007529E000-0x000000007529F000-memory.dmp

Filesize
4KB

Download
memory/2940-24-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

Filesize
88KB

Download
memory/2940-25-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2940-26-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

Filesize
624KB

Download
memory/2940-29-0x000000007529E000-0x000000007529F000-memory.dmp

Filesize
4KB

Download
memory/3520-9-0x00007FF76EBB0000-0x00007FF76ECA8000-memory.dmp

Filesize
992KB

Download
memory/3520-0-0x00007FFC047B0000-0x00007FFC04922000-memory.dmp

Filesize
1.4MB

Download
memory/3520-5-0x00007FFC047C9000-0x00007FFC047CA000-memory.dmp

Filesize
4KB

Download
memory/3520-6-0x00007FFC047B0000-0x00007FFC04922000-memory.dmp

Filesize
1.4MB

Download
memory/3520-7-0x00007FFC047B0000-0x00007FFC04922000-memory.dmp

Filesize
1.4MB

Download
memory/3520-11-0x00007FFC04B20000-0x00007FFC04DD5000-memory.dmp

Filesize
2.7MB

Download
memory/3520-10-0x00007FFC180F0000-0x00007FFC18124000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads