asyncrat | d2dd89534869bb9d806c255437154a5ad7e26e67050dbcb73df4e7d2382b9db4

General

Target

DEMANDA JUDICIAL ESPECIAL 13252548/01Aviso juridico especial.exe
Size

58KB
MD5

d31086fca1a6d45927d90963ffd1989b
SHA1

bce4e7984ca862c678ee9395e94c10d60a868aa1
SHA256

ead20929594f6bfb4004c08c45c5567131d88abde650a2d2a87fbd3d441ddb98
SHA512

00c4866cec9717ed0d470e9dcd257c92132c5707c3fb04c49788f7b59b5723c9ae212982cbdda70be56310ffb1cf40b10f84181b91eb213d0a8a7f3c6ddf6133
SSDEEP

1536:k0d0prGh3Sh+apyRv3ERiPkYOSREd7AyF:k3Ga+HsDYOSR0L

Score

10^/10

asyncrat powermoney discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

POWERMONEY

C2

powermaster1.kozow.com:6161

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Suspicious use of SetThreadContext 2 IoCs

Processes:

01Aviso juridico especial.execmd.exe

description	pid	process	target process
PID 2108 set thread context of 1708	2108	01Aviso juridico especial.exe	cmd.exe
PID 1708 set thread context of 2204	1708	cmd.exe	MSBuild.exe

Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\superUpdate_alpha.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\superUpdate_alpha.job	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

01Aviso juridico especial.execmd.exeMSBuild.exe

pid process

2108 01Aviso juridico especial.exe
2108 01Aviso juridico especial.exe
1708 cmd.exe
1708 cmd.exe
2204 MSBuild.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

01Aviso juridico especial.execmd.exe

pid process

2108 01Aviso juridico especial.exe
1708 cmd.exe
1708 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2204 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

2204 MSBuild.exe

pid	process
2108	01Aviso juridico especial.exe
2108	01Aviso juridico especial.exe
1708	cmd.exe
1708	cmd.exe
2204	MSBuild.exe

pid	process
2108	01Aviso juridico especial.exe
1708	cmd.exe
1708	cmd.exe

description	pid	process
Token: SeDebugPrivilege	2204	MSBuild.exe

pid	process
2204	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

01Aviso juridico especial.execmd.exe

description	pid	process	target process
PID 2108 wrote to memory of 1708	2108	01Aviso juridico especial.exe	cmd.exe
PID 2108 wrote to memory of 1708	2108	01Aviso juridico especial.exe	cmd.exe
PID 2108 wrote to memory of 1708	2108	01Aviso juridico especial.exe	cmd.exe
PID 2108 wrote to memory of 1708	2108	01Aviso juridico especial.exe	cmd.exe
PID 2108 wrote to memory of 1708	2108	01Aviso juridico especial.exe	cmd.exe
PID 1708 wrote to memory of 2204	1708	cmd.exe	MSBuild.exe
PID 1708 wrote to memory of 2204	1708	cmd.exe	MSBuild.exe
PID 1708 wrote to memory of 2204	1708	cmd.exe	MSBuild.exe
PID 1708 wrote to memory of 2204	1708	cmd.exe	MSBuild.exe
PID 1708 wrote to memory of 2204	1708	cmd.exe	MSBuild.exe
PID 1708 wrote to memory of 2204	1708	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\DEMANDA JUDICIAL ESPECIAL 13252548\01Aviso juridico especial.exe
"C:\Users\Admin\AppData\Local\Temp\DEMANDA JUDICIAL ESPECIAL 13252548\01Aviso juridico especial.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\45ca1d4a

Filesize
780KB

MD5
e310396a9ecbafec36bbde4a8375593b

SHA1
7a434fe34285e920dd843b30adeec444ee9c1e6f

SHA256
74b475b5859191d490cb95e0e3fddfc33b8567cb2f28afd10fc31000efb26e1e

SHA512
477b40d103e39882b44253786230e7d8d0b438a5f21646647bc87d5a431ae9d5b1f5b8c201db7f19ffcc4756c310dc5370823593e91c0d71a639c54e0b2a8706

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab16AE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar67EC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1708-67-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/1708-73-0x000000007458E000-0x0000000074592000-memory.dmp

Filesize
16KB

Download
memory/1708-11-0x0000000076E90000-0x0000000077039000-memory.dmp

Filesize
1.7MB

Download
memory/1708-57-0x000000007458E000-0x0000000074592000-memory.dmp

Filesize
16KB

Download
memory/1708-56-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/1708-63-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/1708-66-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/1708-70-0x0000000074580000-0x00000000746F4000-memory.dmp

Filesize
1.5MB

Download
memory/2108-0-0x000007FEF5AE0000-0x000007FEF5C38000-memory.dmp

Filesize
1.3MB

Download
memory/2108-8-0x000007FEF5AE0000-0x000007FEF5C38000-memory.dmp

Filesize
1.3MB

Download
memory/2108-6-0x000007FEF5AF9000-0x000007FEF5AFA000-memory.dmp

Filesize
4KB

Download
memory/2108-7-0x000007FEF5AE0000-0x000007FEF5C38000-memory.dmp

Filesize
1.3MB

Download
memory/2204-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2204-75-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2204-74-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

Filesize
4KB

Download
memory/2204-69-0x0000000072410000-0x0000000073472000-memory.dmp

Filesize
16.4MB

Download
memory/2204-92-0x0000000073A8E000-0x0000000073A8F000-memory.dmp

Filesize
4KB

Download
memory/2204-93-0x0000000000690000-0x00000000006A4000-memory.dmp

Filesize
80KB

Download
memory/2204-71-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2204-112-0x0000000001FE0000-0x0000000002004000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads