asyncrat | fb8d6728adba5d6b14fdd198213abc38825a1209e9910b6453706c2490e535e8

Analysis

max time kernel
177s
max time network
183s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

-2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO/1 DEMANDA.exe
Size

163KB
MD5

0588ce0c39da3283e779c1d5b21d283b
SHA1

1f264a47972d63db2cde18dc8311bc46551380eb
SHA256

d5a6714ab95caa92ef1a712465a44c1827122b971bdb28ffa33221e07651d6f7
SHA512

a5f97ac156d081cb4d9b3f32948eea387725c88af0f19e8bc8db2058a19e211648b7fd86708ff5e1db8f7b57ca3ab8edeba771c9d684c53bcb228ca71adab02a
SSDEEP

3072:yK2FRsfrS8Ywp3GKJ7hDD/vRvDTX8QlevsqYau7j7/EecxurY:x1TSG/XT5Fau7pXk

Score

10^/10

asyncrat server discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

SERVER

asxyz.duckdns.org:52350

Mutex

AsyncMutex_6SI6TOGjnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of SetThreadContext 2 IoCs

Processes:

1 DEMANDA.execmd.exe

description	pid	process	target process
PID 2344 set thread context of 2040	2344	1 DEMANDA.exe	cmd.exe
PID 2040 set thread context of 2396	2040	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeMSBuild.exe1 DEMANDA.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1 DEMANDA.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1 DEMANDA.execmd.exe

pid process

2344 1 DEMANDA.exe
2344 1 DEMANDA.exe
2040 cmd.exe
2040 cmd.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

1 DEMANDA.execmd.exe

pid process

2344 1 DEMANDA.exe
2040 cmd.exe
2040 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2396 MSBuild.exe

pid	process
2344	1 DEMANDA.exe
2344	1 DEMANDA.exe
2040	cmd.exe
2040	cmd.exe

pid	process
2344	1 DEMANDA.exe
2040	cmd.exe
2040	cmd.exe

description	pid	process
Token: SeDebugPrivilege	2396	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1 DEMANDA.execmd.exe

description	pid	process	target process
PID 2344 wrote to memory of 2040	2344	1 DEMANDA.exe	cmd.exe
PID 2344 wrote to memory of 2040	2344	1 DEMANDA.exe	cmd.exe
PID 2344 wrote to memory of 2040	2344	1 DEMANDA.exe	cmd.exe
PID 2344 wrote to memory of 2040	2344	1 DEMANDA.exe	cmd.exe
PID 2344 wrote to memory of 2040	2344	1 DEMANDA.exe	cmd.exe
PID 2040 wrote to memory of 2396	2040	cmd.exe	MSBuild.exe
PID 2040 wrote to memory of 2396	2040	cmd.exe	MSBuild.exe
PID 2040 wrote to memory of 2396	2040	cmd.exe	MSBuild.exe
PID 2040 wrote to memory of 2396	2040	cmd.exe	MSBuild.exe
PID 2040 wrote to memory of 2396	2040	cmd.exe	MSBuild.exe
PID 2040 wrote to memory of 2396	2040	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\-2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO\1 DEMANDA.exe
"C:\Users\Admin\AppData\Local\Temp\-2530021045-ARCHIVO JUDICIAL- DEMANDA LABORAL EN PROCESO\1 DEMANDA.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2122d85c

Filesize
777KB

MD5
31ab838caa07e05955252e6665753990

SHA1
f68dadd4149ae9b2750d112e3b4b339159e75ab4

SHA256
34d96e84ba243698fdfb141b0320ba88e2bc41ade99228117efdbf9263f40e32

SHA512
b876cb9fc81d9f8158224901416f98061bf37830f4c6510ebb9697b52b2deabad728e3c0675b90c6f7a19616014f6537e84ddd03cb534b9d5e68ac1775e6c147

Download Submit
memory/2040-76-0x0000000074E90000-0x0000000075004000-memory.dmp

Filesize
1.5MB

Download
memory/2040-73-0x0000000074E90000-0x0000000075004000-memory.dmp

Filesize
1.5MB

Download
memory/2040-72-0x0000000074E90000-0x0000000075004000-memory.dmp

Filesize
1.5MB

Download
memory/2040-27-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/2040-26-0x0000000074E90000-0x0000000075004000-memory.dmp

Filesize
1.5MB

Download
memory/2344-16-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/2344-11-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2344-14-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2344-12-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2344-17-0x0000000074E90000-0x0000000075004000-memory.dmp

Filesize
1.5MB

Download
memory/2344-15-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2344-0-0x0000000074E90000-0x0000000075004000-memory.dmp

Filesize
1.5MB

Download
memory/2344-13-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2344-10-0x0000000074E90000-0x0000000075004000-memory.dmp

Filesize
1.5MB

Download
memory/2344-9-0x0000000074EA3000-0x0000000074EA5000-memory.dmp

Filesize
8KB

Download
memory/2344-1-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/2396-77-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2396-78-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2396-75-0x0000000073010000-0x0000000074072000-memory.dmp

Filesize
16.4MB

Download
memory/2396-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download