asyncrat | 978bba74d1745fba180d88a6fc4179cc52e86b3b9455a9652d30d686ffbd6c60

Analysis

max time kernel
44s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Notificacion Demanda Laboral 698787/01Demanda laboral .exe
Size

163KB
MD5

0588ce0c39da3283e779c1d5b21d283b
SHA1

1f264a47972d63db2cde18dc8311bc46551380eb
SHA256

d5a6714ab95caa92ef1a712465a44c1827122b971bdb28ffa33221e07651d6f7
SHA512

a5f97ac156d081cb4d9b3f32948eea387725c88af0f19e8bc8db2058a19e211648b7fd86708ff5e1db8f7b57ca3ab8edeba771c9d684c53bcb228ca71adab02a
SSDEEP

3072:yK2FRsfrS8Ywp3GKJ7hDD/vRvDTX8QlevsqYau7j7/EecxurY:x1TSG/XT5Fau7pXk

Score

10^/10

asyncrat warrose discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

WARrose

proxa.kozow.com:7373

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of SetThreadContext 2 IoCs

Processes:

01Demanda laboral .execmd.exe

description	pid	process	target process
PID 3408 set thread context of 212	3408	01Demanda laboral .exe	cmd.exe
PID 212 set thread context of 2588	212	cmd.exe	MSBuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

01Demanda laboral .execmd.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01Demanda laboral .exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1572 timeout.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

01Demanda laboral .execmd.exeMSBuild.exe

pid process

3408 01Demanda laboral .exe
3408 01Demanda laboral .exe
212 cmd.exe
212 cmd.exe
2588 MSBuild.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

01Demanda laboral .execmd.exe

pid process

3408 01Demanda laboral .exe
212 cmd.exe
212 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MSBuild.exe

description pid process

Token: SeDebugPrivilege 2588 MSBuild.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

2588 MSBuild.exe

pid	process
1572	timeout.exe

pid	process
3408	01Demanda laboral .exe
3408	01Demanda laboral .exe
212	cmd.exe
212	cmd.exe
2588	MSBuild.exe

pid	process
3408	01Demanda laboral .exe
212	cmd.exe
212	cmd.exe

description	pid	process
Token: SeDebugPrivilege	2588	MSBuild.exe

pid	process
2588	MSBuild.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

01Demanda laboral .execmd.exe

description	pid	process	target process
PID 3408 wrote to memory of 212	3408	01Demanda laboral .exe	cmd.exe
PID 3408 wrote to memory of 212	3408	01Demanda laboral .exe	cmd.exe
PID 3408 wrote to memory of 212	3408	01Demanda laboral .exe	cmd.exe
PID 3408 wrote to memory of 212	3408	01Demanda laboral .exe	cmd.exe
PID 212 wrote to memory of 2588	212	cmd.exe	MSBuild.exe
PID 212 wrote to memory of 2588	212	cmd.exe	MSBuild.exe
PID 212 wrote to memory of 2588	212	cmd.exe	MSBuild.exe
PID 212 wrote to memory of 2588	212	cmd.exe	MSBuild.exe
PID 212 wrote to memory of 2588	212	cmd.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\Notificacion Demanda Laboral 698787\01Demanda laboral .exe
"C:\Users\Admin\AppData\Local\Temp\Notificacion Demanda Laboral 698787\01Demanda laboral .exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp94D8.tmp.bat""
4⤵
PID:2776

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6b11947d

Filesize
780KB

MD5
849c00e9ac6fbe622614cfa9fb2c3c89

SHA1
4332c208529019589af2595e649b98bf147e94fd

SHA256
fa9f852bcdec8fe5b6c9a833c6da113bbb162db85ca39a36758f690982cf3480

SHA512
45c0e3d1f580783d7882bbe30aa35b9a969f8348c9113c785bea34fc0e3df3c618878ab4b9617418e49dbeb560f70039fd07201623bf350ab641a3981d300f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp94D8.tmp.bat

Filesize
171B

MD5
db8beac6c396aff8a873860a332e722a

SHA1
efa08e139a9d55b8d6e374e53d8000726700e6cc

SHA256
ed34a3a7e636193a8514b12972f53a2f3a0cce2bd3752273559b1f786561c597

SHA512
cf68db2c6b5d49b8ab024b823101a181c36572629ab6c5d563588dfca2259e42ee499931c4f2e669284b6bdc54eb4a29d76bb98c982000d4a169bb6f2209ddd8

Download Submit
memory/212-21-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

Filesize
2.0MB

Download
memory/212-26-0x0000000074810000-0x000000007498B000-memory.dmp

Filesize
1.5MB

Download
memory/212-24-0x0000000074810000-0x000000007498B000-memory.dmp

Filesize
1.5MB

Download
memory/212-23-0x0000000074810000-0x000000007498B000-memory.dmp

Filesize
1.5MB

Download
memory/212-19-0x0000000074810000-0x000000007498B000-memory.dmp

Filesize
1.5MB

Download
memory/2588-38-0x0000000006DA0000-0x0000000006E3C000-memory.dmp

Filesize
624KB

Download
memory/2588-40-0x00000000724FE000-0x00000000724FF000-memory.dmp

Filesize
4KB

Download
memory/2588-49-0x00000000724F0000-0x0000000072CA0000-memory.dmp

Filesize
7.7MB

Download
memory/2588-44-0x00000000076D0000-0x00000000076EE000-memory.dmp

Filesize
120KB

Download
memory/2588-42-0x0000000007700000-0x0000000007776000-memory.dmp

Filesize
472KB

Download
memory/2588-43-0x0000000006900000-0x0000000006926000-memory.dmp

Filesize
152KB

Download
memory/2588-41-0x00000000724F0000-0x0000000072CA0000-memory.dmp

Filesize
7.7MB

Download
memory/2588-39-0x0000000006890000-0x00000000068F6000-memory.dmp

Filesize
408KB

Download
memory/2588-35-0x0000000005B50000-0x0000000005B5A000-memory.dmp

Filesize
40KB

Download
memory/2588-33-0x0000000005F70000-0x0000000006514000-memory.dmp

Filesize
5.6MB

Download
memory/2588-27-0x0000000072CA0000-0x0000000073EF4000-memory.dmp

Filesize
18.3MB

Download
memory/2588-30-0x00000000724FE000-0x00000000724FF000-memory.dmp

Filesize
4KB

Download
memory/2588-31-0x0000000001160000-0x0000000001176000-memory.dmp

Filesize
88KB

Download
memory/2588-32-0x00000000724F0000-0x0000000072CA0000-memory.dmp

Filesize
7.7MB

Download
memory/2588-34-0x0000000005B60000-0x0000000005BF2000-memory.dmp

Filesize
584KB

Download
memory/3408-9-0x0000000074823000-0x0000000074825000-memory.dmp

Filesize
8KB

Download
memory/3408-10-0x0000000074810000-0x000000007498B000-memory.dmp

Filesize
1.5MB

Download
memory/3408-0-0x0000000074810000-0x000000007498B000-memory.dmp

Filesize
1.5MB

Download
memory/3408-17-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/3408-15-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/3408-16-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/3408-11-0x0000000074810000-0x000000007498B000-memory.dmp

Filesize
1.5MB

Download
memory/3408-13-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3408-14-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3408-18-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/3408-1-0x00007FFFA91F0000-0x00007FFFA93E5000-memory.dmp

Filesize
2.0MB

Download