asyncrat | 77415c05aa12f026ad33de88a70c7c771fce9d13249594aa9a22e6040cb249bc

General

Target

DESCARGAR NOTIFICACIÒN DE SENTENCIA JUDICIAL AGRADECEMOS CONFIRMAR RECIBIDO/0015 NotificacionElectronicaJudicial.exe
Size

141KB
MD5

704925ecfdb24ef81190b82de0e5453c
SHA1

1128b3063180419893615ca73ad4f9dd51ebeac6
SHA256

8cc871ee8760a4658189528b4a5d8afe9824f6a13faaf1fe7eb56f2a3ad2d04e
SHA512

ca187015812ddfcaa6515f3a5b780183b4a772801aa14b3f785d6dee9b9aa7db6402a7b346623fd24cf4a28f9856683022b10c3d812f8f2888e25bb218cbf216
SSDEEP

3072:fW6vjvEUEzozIGnKyvBhSVeoVdS5jO4yEWzJ1gKs4H+u1ERB:REJWC+SVeoVdSZOqWbgKs4HPQ

Score

10^/10

asyncrat 15 15 15 15 discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

15 15 15 15

C2

120.duckdns.org:9003

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

Processes:

0015 NotificacionElectronicaJudicial.execmd.exe

description	pid	process	target process
PID 3484 set thread context of 780	3484	0015 NotificacionElectronicaJudicial.exe	cmd.exe
PID 780 set thread context of 4940	780	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0015 NotificacionElectronicaJudicial.execmd.exeMSBuild.execmd.exetimeout.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0015 NotificacionElectronicaJudicial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3908 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0015 NotificacionElectronicaJudicial.execmd.exe

pid process

3484 0015 NotificacionElectronicaJudicial.exe
3484 0015 NotificacionElectronicaJudicial.exe
780 cmd.exe
780 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

0015 NotificacionElectronicaJudicial.execmd.exe

pid process

3484 0015 NotificacionElectronicaJudicial.exe
780 cmd.exe
780 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 4940 MSBuild.exe

pid	process
3908	timeout.exe

pid	process
3484	0015 NotificacionElectronicaJudicial.exe
3484	0015 NotificacionElectronicaJudicial.exe
780	cmd.exe
780	cmd.exe

pid	process
3484	0015 NotificacionElectronicaJudicial.exe
780	cmd.exe
780	cmd.exe

description	pid	process
Token: SeDebugPrivilege	4940	MSBuild.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

0015 NotificacionElectronicaJudicial.execmd.exeMSBuild.execmd.exe

description	pid	process	target process
PID 3484 wrote to memory of 780	3484	0015 NotificacionElectronicaJudicial.exe	cmd.exe
PID 3484 wrote to memory of 780	3484	0015 NotificacionElectronicaJudicial.exe	cmd.exe
PID 3484 wrote to memory of 780	3484	0015 NotificacionElectronicaJudicial.exe	cmd.exe
PID 3484 wrote to memory of 780	3484	0015 NotificacionElectronicaJudicial.exe	cmd.exe
PID 780 wrote to memory of 4940	780	cmd.exe	MSBuild.exe
PID 780 wrote to memory of 4940	780	cmd.exe	MSBuild.exe
PID 780 wrote to memory of 4940	780	cmd.exe	MSBuild.exe
PID 780 wrote to memory of 4940	780	cmd.exe	MSBuild.exe
PID 780 wrote to memory of 4940	780	cmd.exe	MSBuild.exe
PID 4940 wrote to memory of 2860	4940	MSBuild.exe	cmd.exe
PID 4940 wrote to memory of 2860	4940	MSBuild.exe	cmd.exe
PID 4940 wrote to memory of 2860	4940	MSBuild.exe	cmd.exe
PID 2860 wrote to memory of 3908	2860	cmd.exe	timeout.exe
PID 2860 wrote to memory of 3908	2860	cmd.exe	timeout.exe
PID 2860 wrote to memory of 3908	2860	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\DESCARGAR NOTIFICACIÒN DE SENTENCIA JUDICIAL AGRADECEMOS CONFIRMAR RECIBIDO\0015 NotificacionElectronicaJudicial.exe
"C:\Users\Admin\AppData\Local\Temp\DESCARGAR NOTIFICACIÒN DE SENTENCIA JUDICIAL AGRADECEMOS CONFIRMAR RECIBIDO\0015 NotificacionElectronicaJudicial.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp18E8.tmp.bat""
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f0099fcd

Filesize
777KB

MD5
7a18a69ebbbac0b605140a5c7478d6db

SHA1
22dc61c362f291efca31100135baab5208366fc6

SHA256
6688dc1cec401ea394ec8c81749bb686604b31711abd78dc8a0d5bfaf14a1d2a

SHA512
2b5de47d85811fdb1da9f504f41b20aa553b2b5d8d652ecd41dc13ee6b75101aeab7c773caeb48332b5f49e9bf567f1967430a59a267b119d1774ac533f40213

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18E8.tmp.bat

Filesize
171B

MD5
0d421eba1e45ef0e774f52aebace8b62

SHA1
29fce01957eb5c27c591b77ed5cc138838123fa6

SHA256
61da56f7624ef1a930f2c06100e34ef33ff2ab3f356546ed22496d9dd975a711

SHA512
4c7af8bdfe85203ae85be1116f2b57b7b9c2398260f233b896e13b8a8e231bb505c08b31def179a51939965d236d148133275dec325720f2534bffd0f09f8984

Download Submit
memory/780-10-0x0000000074EB0000-0x000000007502B000-memory.dmp

Filesize
1.5MB

Download
memory/780-12-0x00007FF81C330000-0x00007FF81C525000-memory.dmp

Filesize
2.0MB

Download
memory/780-14-0x0000000074EB0000-0x000000007502B000-memory.dmp

Filesize
1.5MB

Download
memory/780-15-0x0000000074EB0000-0x000000007502B000-memory.dmp

Filesize
1.5MB

Download
memory/780-17-0x0000000074EB0000-0x000000007502B000-memory.dmp

Filesize
1.5MB

Download
memory/3484-0-0x0000000074EB0000-0x000000007502B000-memory.dmp

Filesize
1.5MB

Download
memory/3484-1-0x00007FF81C330000-0x00007FF81C525000-memory.dmp

Filesize
2.0MB

Download
memory/3484-6-0x0000000074EC3000-0x0000000074EC5000-memory.dmp

Filesize
8KB

Download
memory/3484-7-0x0000000074EB0000-0x000000007502B000-memory.dmp

Filesize
1.5MB

Download
memory/3484-8-0x0000000074EB0000-0x000000007502B000-memory.dmp

Filesize
1.5MB

Download
memory/4940-21-0x0000000000D30000-0x0000000000D46000-memory.dmp

Filesize
88KB

Download
memory/4940-30-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4940-23-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4940-26-0x0000000005DC0000-0x0000000005E5C000-memory.dmp

Filesize
624KB

Download
memory/4940-27-0x0000000006410000-0x00000000069B4000-memory.dmp

Filesize
5.6MB

Download
memory/4940-28-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/4940-29-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4940-22-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4940-31-0x0000000006150000-0x00000000061C6000-memory.dmp

Filesize
472KB

Download
memory/4940-32-0x0000000005E90000-0x0000000005EA4000-memory.dmp

Filesize
80KB

Download
memory/4940-33-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/4940-34-0x0000000007150000-0x00000000071E2000-memory.dmp

Filesize
584KB

Download
memory/4940-35-0x00000000059E0000-0x0000000005A04000-memory.dmp

Filesize
144KB

Download
memory/4940-18-0x0000000073340000-0x0000000074594000-memory.dmp

Filesize
18.3MB

Download
memory/4940-40-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads