asyncrat | b8f366240cbdb9ea13f40802c94338b3105ded521f5c7a8899215b7941e55be8

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOTIFICACIÓN ELECTRÓNICA ESM AGRADECEMOS CONFIRMAR RECIBIDO 21/000021 Notificacion Electronica.exe
Size

2.7MB
MD5

8915b9ccb4372a418729166dcedc5a44
SHA1

8f6ca11bcb5a53fe90007ec83b638b0c642d2a92
SHA256

6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2
SHA512

fd7bd3a8d3a8331d4fdd331a41dc1b3efcdbb29062a8d316cf07edccc05e7eb81153f01ec95df68f9d1466ecee0be49684737f6cf895fe6e55ccf163f1058e66
SSDEEP

49152:YjVyoNKekkfTfR6RYC/9+xsO60ispMBHQ1rYHFRnb8omQsNh:zgi0iskHQ1MEN

Score

10^/10

asyncrat === 21 ===discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

=== 21 ===

19nov2024.duckdns.org:9003

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 3060	2380	000021 Notificacion Electronica.exe	31
PID 3060 set thread context of 2576	3060	cmd.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1204	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2380	000021 Notificacion Electronica.exe
2380	000021 Notificacion Electronica.exe
3060	cmd.exe
3060	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2380	000021 Notificacion Electronica.exe
3060	cmd.exe
3060	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	MSBuild.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3060	2380	000021 Notificacion Electronica.exe	31
PID 2380 wrote to memory of 3060	2380	000021 Notificacion Electronica.exe	31
PID 2380 wrote to memory of 3060	2380	000021 Notificacion Electronica.exe	31
PID 2380 wrote to memory of 3060	2380	000021 Notificacion Electronica.exe	31
PID 2380 wrote to memory of 3060	2380	000021 Notificacion Electronica.exe	31
PID 3060 wrote to memory of 2576	3060	cmd.exe	33
PID 3060 wrote to memory of 2576	3060	cmd.exe	33
PID 3060 wrote to memory of 2576	3060	cmd.exe	33
PID 3060 wrote to memory of 2576	3060	cmd.exe	33
PID 3060 wrote to memory of 2576	3060	cmd.exe	33
PID 3060 wrote to memory of 2576	3060	cmd.exe	33
PID 2576 wrote to memory of 2136	2576	MSBuild.exe	35
PID 2576 wrote to memory of 2136	2576	MSBuild.exe	35
PID 2576 wrote to memory of 2136	2576	MSBuild.exe	35
PID 2576 wrote to memory of 2136	2576	MSBuild.exe	35
PID 2136 wrote to memory of 1204	2136	cmd.exe	37
PID 2136 wrote to memory of 1204	2136	cmd.exe	37
PID 2136 wrote to memory of 1204	2136	cmd.exe	37
PID 2136 wrote to memory of 1204	2136	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\NOTIFICACIÓN ELECTRÓNICA ESM AGRADECEMOS CONFIRMAR RECIBIDO 21\000021 Notificacion Electronica.exe
"C:\Users\Admin\AppData\Local\Temp\NOTIFICACIÓN ELECTRÓNICA ESM AGRADECEMOS CONFIRMAR RECIBIDO 21\000021 Notificacion Electronica.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp19EF.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab6808.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar196F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc0c3e1a

Filesize
777KB

MD5
5e973ec6bc0499e3b8500351a2ab2ce7

SHA1
e0f0b56f9cc6f40bd5016841ac7091b79b374e5e

SHA256
9334a375f913fa96e537abc58ab4efda15a70d937d9b012675dc32b40bfb8395

SHA512
f0b998e930d6866b809ca58d4bedaf0bc8efebfd55b64b4cf896e3e1ba3268fa5e0d70ed0a8e90c37dce6a73c429d55ccd12a4d0fe3ead024ccf43b04ed494f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp19EF.tmp.bat

Filesize
171B

MD5
4fe340c69bfb61e0cecf746ea2506339

SHA1
8d71119f3fb4a441b032ec60978f05e17b8a6232

SHA256
2f052970db51064f06c1a523ec58e1bc5d553f45ccd3948240942496ae6a74b6

SHA512
386d722b4ce339c8d81a90839ccd00b89e65e2a111021970860560e9759d773d845bde7defdd65ddf90f5fbe0b969658c89fae3d7e84d68fd6743628ece38ada

Download Submit
memory/2380-0-0x000007FEF62F0000-0x000007FEF683E000-memory.dmp

Filesize
5.3MB

Download
memory/2380-1-0x000007FEF52E0000-0x000007FEF5438000-memory.dmp

Filesize
1.3MB

Download
memory/2380-12-0x000007FEF52F9000-0x000007FEF52FA000-memory.dmp

Filesize
4KB

Download
memory/2380-13-0x000007FEF52E0000-0x000007FEF5438000-memory.dmp

Filesize
1.3MB

Download
memory/2380-14-0x000007FEF52E0000-0x000007FEF5438000-memory.dmp

Filesize
1.3MB

Download
memory/2576-69-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-66-0x0000000072920000-0x0000000073982000-memory.dmp

Filesize
16.4MB

Download
memory/2576-70-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2576-87-0x00000000005C0000-0x00000000005E4000-memory.dmp

Filesize
144KB

Download
memory/3060-67-0x0000000074A40000-0x0000000074BB4000-memory.dmp

Filesize
1.5MB

Download
memory/3060-64-0x0000000074A40000-0x0000000074BB4000-memory.dmp

Filesize
1.5MB

Download
memory/3060-62-0x0000000074A40000-0x0000000074BB4000-memory.dmp

Filesize
1.5MB

Download
memory/3060-63-0x0000000074A4E000-0x0000000074A50000-memory.dmp

Filesize
8KB

Download
memory/3060-17-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download