asyncrat | fdebbf313b6c8bf7a2db3ef7a19425c32ce87c5874b5d62ea65e4c0dacfa175a

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562.tar.uue.tar
Size

8.6MB
MD5

dd9d133f09ddd0a864b843313af08cab
SHA1

b09affaba79f8ddd94863340d7d43b3fae850bbb
SHA256

fdebbf313b6c8bf7a2db3ef7a19425c32ce87c5874b5d62ea65e4c0dacfa175a
SHA512

9729fb43c0bea49b84c90bee8cd227489f07916488d406a0bf71ebaccea488a1b86247da95aec9dff5faade155c0a79d51e510da7d2430cc6fc54c708ece604e
SSDEEP

98304:QzFcHtyue0g27TTwiMfeEA5KFLOAkGkzdnEVomFHKnPAHxkPsqfL:0Ity50g2H8kEHFLOyomFHKnPAHxkPd

Score

10^/10

asyncrat 12 noviembre discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

12 noviembre

12novwins.duckdns.org:9003

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Executes dropped EXE 1 IoCs

pid	Process
4676	00012 NotificacionElectronica.exe

Loads dropped DLL 6 IoCs

pid	Process
4676	00012 NotificacionElectronica.exe
4676	00012 NotificacionElectronica.exe
4676	00012 NotificacionElectronica.exe
4676	00012 NotificacionElectronica.exe
4676	00012 NotificacionElectronica.exe
4676	00012 NotificacionElectronica.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4676 set thread context of 1568	4676	00012 NotificacionElectronica.exe	106
PID 1568 set thread context of 3212	1568	cmd.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4676	00012 NotificacionElectronica.exe
4676	00012 NotificacionElectronica.exe
1568	cmd.exe
1568	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3548	7zFM.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4676	00012 NotificacionElectronica.exe
1568	cmd.exe
1568	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3548	7zFM.exe
Token: 35	3548	7zFM.exe
Token: SeSecurityPrivilege	3548	7zFM.exe
Token: SeDebugPrivilege	3212	MSBuild.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3548	7zFM.exe
3548	7zFM.exe
3548	7zFM.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 1568	4676	00012 NotificacionElectronica.exe	106
PID 4676 wrote to memory of 1568	4676	00012 NotificacionElectronica.exe	106
PID 4676 wrote to memory of 1568	4676	00012 NotificacionElectronica.exe	106
PID 4676 wrote to memory of 1568	4676	00012 NotificacionElectronica.exe	106
PID 1568 wrote to memory of 3212	1568	cmd.exe	112
PID 1568 wrote to memory of 3212	1568	cmd.exe	112
PID 1568 wrote to memory of 3212	1568	cmd.exe	112
PID 1568 wrote to memory of 3212	1568	cmd.exe	112
PID 1568 wrote to memory of 3212	1568	cmd.exe	112

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562.tar.uue.tar"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3548

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1548

C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\00012 NotificacionElectronica.exe
"C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\00012 NotificacionElectronica.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\55808526

Filesize
777KB

MD5
782164b365b1f29177846887c2433ad9

SHA1
f95d68a231d4265afb03eae4783bee559e71f911

SHA256
873b61a8ab9387ab642c0a75a48b4554ce8198d81b94636c9304324b655a77f4

SHA512
8c50323926233f02fea0894dd735f71f63a39425510bc08faa1f8cd1dc57a0716fe614bd3f384c00f5de2b92bbfa8d083cff8faed8d9ffa791f97f04dc8f0afd

Download Submit
C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\00012 NotificacionElectronica.exe

Filesize
455KB

MD5
c544a0e2e173c94fa9069c73e7af6367

SHA1
1b8040c145d6cb2af6d1d9c1dc6878d51820e53b

SHA256
9d8547266c90cae7e2f5f5a81af27fb6bc6ade56a798b429cdb6588a89cec874

SHA512
f47694025fad1c67b727c9836d3663fa0f251a46e855e78e4c323beac1d82d13632e10d16e06e0d81718953ed6e06ee5e918195268ba988f3e555b432f1784a7

Download Submit
C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\GSLogging.dll

Filesize
44KB

MD5
a3b858a04592d13335a9e43804f0527a

SHA1
8f0386a0a240676b7cfdfcb2f70888a2033fc84a

SHA256
7d42e121560bc79a2375a15168ac536872399bf80de08e5cc8b3f0240cdc693a

SHA512
26baad23d4ec8c4911bf801bdcb2aa541116da60df8c9aa1c8e31bc0979c87c84e0e3a843544d6be185dded2073cfdb223ccf9a7f3c0725cd37427d39f747848

Download Submit
C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\MSVCP100.dll

Filesize
593KB

MD5
d029339c0f59cf662094eddf8c42b2b5

SHA1
a0b6de44255ce7bfade9a5b559dd04f2972bfdc8

SHA256
934d882efd3c0f3f1efbc238ef87708f3879f5bb456d30af62f3368d58b6aa4c

SHA512
021d9af52e68cb7a3b0042d9ed6c9418552ee16df966f9ccedd458567c47d70471cb8851a69d3982d64571369664faeeae3be90e2e88a909005b9cdb73679c82

Download Submit
C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\MigrationLibrary.dll

Filesize
107KB

MD5
86d02c85056a2f0540babc63212bb1b6

SHA1
0b622c4943c8cc31cbcdbfec5324d4d7495cc94f

SHA256
ea748caf0ed2aac4008ccb9fd9761993f9583e3bc35783cfa42593e6ba3eb393

SHA512
359476a5d66e97ed21b1f0b2ea80ed6e791ab531a215b1eba8e32ca97258c471a7b74ecfc86f964f31d07e6b8cbfe16dd0b5bacce282ed801a1c59bb605e0367

Download Submit
C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\hqg

Filesize
535KB

MD5
8be1eed996c72faff144110d8b39fd25

SHA1
cddbb8864a030b8db985f589fa0eaf8417750dbd

SHA256
cfc5e02bb0c9723ade1e0eab4f267802879afb6f356e4f73137ad70864d9029d

SHA512
1f1036db916fb8a838e76e8d6d7c9d6c46f6a70cdc6dcd1fbc01b873d2a450f54bfadd5d5a978e3aeff8615b76c857d6493a785415c7a18b10652c5aba14d114

Download Submit
C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\mfc100enu.dll

Filesize
53KB

MD5
5e2f28a979a0ce9b43f1815a593617c5

SHA1
a2414a20ffcfd558a9ef5c10bfd6be96c91d87eb

SHA256
ce0905a140d0f72775ea5895c01910e4a492f39c2e35edce9e9b8886a9821fb1

SHA512
4687af53512eb29ad72c213cbcd27bfd5454c3791a727a8f35808f5fc74c54f2bdfe3267e708433041ed2acd65a8fe59a791a83f497dfc0131c45ee1c7693390

Download Submit
C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\mfc100u.dll

Filesize
5.3MB

MD5
85ed13922df97474af9979ca456c6748

SHA1
d79cdd200b6543e06d18ed67e44c7bba50de7d85

SHA256
4c33d4179fff5d7aa7e046e878cd80c0146b0b134ae0092ce7547607abc76a49

SHA512
dcf9bb66a621d49d036f418337c2c454c3a3212c3d008c2dfe764b374ffaed1ce7ea3c6fb30f0c30a64ae3b901146fe474427e9bf4931e01e1a5cb5dcf2b5033

Download Submit
C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\msvcr100.dll

Filesize
809KB

MD5
366fd6f3a451351b5df2d7c4ecf4c73a

SHA1
50db750522b9630757f91b53df377fd4ed4e2d66

SHA256
ae3cb6c6afba9a4aa5c85f66023c35338ca579b30326dd02918f9d55259503d5

SHA512
2de764772b68a85204b7435c87e9409d753c2196cf5b2f46e7796c99a33943e167f62a92e8753eaa184cd81fb14361e83228eb1b474e0c3349ed387ec93e6130

Download Submit
C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\ogyui

Filesize
26KB

MD5
8d5b7d9283a48f2b83081da8265c6253

SHA1
f8649706c6c958666fae1e63322afe26ecd9e05d

SHA256
5a1f8f488e151b589c8e9cb5740b060f3f33b4897ef483782cc125d13f51d436

SHA512
7dd98450d672578a6e176c4548220713a27ee95ebebf0842a287e523debc1fca0a0c42685076cae041ccc12dd0e1a8c1ac5ef9c4748eba8b890fc804102412a6

Download Submit
C:\Users\Admin\Desktop\URGENTE Oficio 391 NOTIFICACIÓN ELECTRÓNICA CENDO RAMA RADICADO 153153135 000 6562\sqlite3.dll

Filesize
723KB

MD5
c66a7d728dda63a285388f4bd7fd35dc

SHA1
859f3e4c140a76a12ff7fda9b384480cc4479b7e

SHA256
eda647ca391f1a46070e6ff493d6e1b6a28320ed6758f9b08bd3474519f1544c

SHA512
e58c5ca8a3275c9d5ba59f04a8c6aabdac6c8adeca162588166da52e90f7cabf5616a0ca8cb2430a6885d36e4cbb16a5d6bb8c5979d86444686f09045d958765

Download Submit
memory/1568-52-0x00007FFE57530000-0x00007FFE57725000-memory.dmp

Filesize
2.0MB

Download
memory/1568-54-0x0000000075920000-0x0000000075A9B000-memory.dmp

Filesize
1.5MB

Download
memory/3212-56-0x0000000073EA0000-0x00000000750F4000-memory.dmp

Filesize
18.3MB

Download
memory/3212-59-0x0000000000B80000-0x0000000000B96000-memory.dmp

Filesize
88KB

Download
memory/4676-36-0x00007FFE38070000-0x00007FFE381E2000-memory.dmp

Filesize
1.4MB

Download
memory/4676-47-0x00007FFE38089000-0x00007FFE3808A000-memory.dmp

Filesize
4KB

Download
memory/4676-48-0x00007FFE38070000-0x00007FFE381E2000-memory.dmp

Filesize
1.4MB

Download
memory/4676-49-0x00007FFE38070000-0x00007FFE381E2000-memory.dmp

Filesize
1.4MB

Download