asyncrat | 9d7daa994fb35d004b0dbff4e6073177b46e00b00ee28a51d949c40dfe91b4fc

Analysis

max time kernel
276s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Copia de la citacion notificacion electronica/00-Envio copia de la notificacion.exe
Size

6.2MB
MD5

11c8962675b6d535c018a63be0821e4c
SHA1

a150fa871e10919a1d626ffe37b1a400142f452b
SHA256

421e36788bfcb4433178c657d49aa711446b3a783f7697a4d7d402a503c1f273
SHA512

3973c23fc652e82f2415ff81f2756b55e46c6807cc4a8c37e5e31009cec45ab47c5d4228c03b5e3a972cacd6547cf0d3273965f263b1b2d608af89f5be6e459a
SSDEEP

98304:u4bRxuHuFP2rHLpHPA477yNRgoPbfnRROWR721LYfs17u0kcFrXLEJfwY:u4NxuOFI1AEyrbf/52BYfs1LkcFrXL+X

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

envier45w.duckdns.org:3030

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4960 set thread context of 1048	4960	00-Envio copia de la notificacion.exe	84
PID 1048 set thread context of 384	1048	cmd.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00-Envio copia de la notificacion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4960	00-Envio copia de la notificacion.exe
4960	00-Envio copia de la notificacion.exe
1048	cmd.exe
1048	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4960	00-Envio copia de la notificacion.exe
1048	cmd.exe
1048	cmd.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 1048	4960	00-Envio copia de la notificacion.exe	84
PID 4960 wrote to memory of 1048	4960	00-Envio copia de la notificacion.exe	84
PID 4960 wrote to memory of 1048	4960	00-Envio copia de la notificacion.exe	84
PID 4960 wrote to memory of 1048	4960	00-Envio copia de la notificacion.exe	84
PID 1048 wrote to memory of 384	1048	cmd.exe	93
PID 1048 wrote to memory of 384	1048	cmd.exe	93
PID 1048 wrote to memory of 384	1048	cmd.exe	93
PID 1048 wrote to memory of 384	1048	cmd.exe	93
PID 1048 wrote to memory of 384	1048	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\Copia de la citacion notificacion electronica\00-Envio copia de la notificacion.exe
"C:\Users\Admin\AppData\Local\Temp\Copia de la citacion notificacion electronica\00-Envio copia de la notificacion.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6259ad5b

Filesize
777KB

MD5
a80c438568c20f1dc7c67cc479ce7c42

SHA1
969968b2a751529865b426dae286e33877a48e8e

SHA256
99549a4c4014148f47c67423c67974a75bc00d78cafef05306ec0bed24513f20

SHA512
d0af0341312e8cc1ec82c28c0b57f8cdddecfb7b33b92f3f85bae6f3401351df9ec1163613c389bab1be50e7a6d6706265a90332f9822bfea1914d374a040c46

Download Submit
memory/384-23-0x0000000072720000-0x0000000073974000-memory.dmp

Filesize
18.3MB

Download
memory/384-30-0x0000000073EE0000-0x0000000074690000-memory.dmp

Filesize
7.7MB

Download
memory/384-29-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/384-28-0x0000000073EE0000-0x0000000074690000-memory.dmp

Filesize
7.7MB

Download
memory/384-27-0x0000000001330000-0x0000000001346000-memory.dmp

Filesize
88KB

Download
memory/384-26-0x0000000073EEE000-0x0000000073EEF000-memory.dmp

Filesize
4KB

Download
memory/1048-19-0x0000000073C80000-0x0000000073DFB000-memory.dmp

Filesize
1.5MB

Download
memory/1048-20-0x0000000073C80000-0x0000000073DFB000-memory.dmp

Filesize
1.5MB

Download
memory/1048-22-0x0000000073C80000-0x0000000073DFB000-memory.dmp

Filesize
1.5MB

Download
memory/1048-17-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download
memory/1048-15-0x0000000073C80000-0x0000000073DFB000-memory.dmp

Filesize
1.5MB

Download
memory/4960-0-0x0000000073C80000-0x0000000073DFB000-memory.dmp

Filesize
1.5MB

Download
memory/4960-13-0x0000000073C80000-0x0000000073DFB000-memory.dmp

Filesize
1.5MB

Download
memory/4960-12-0x0000000073C80000-0x0000000073DFB000-memory.dmp

Filesize
1.5MB

Download
memory/4960-11-0x0000000073C93000-0x0000000073C95000-memory.dmp

Filesize
8KB

Download
memory/4960-1-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download