Overview

overview

10

Static

static

1

Radicado_L...23.rar

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2025, 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Radicado_Legal.N°001982913812-81281312-66523.rar

  • Size

    1017KB

  • MD5

    d52f419bdb15a4c2167deedc8c5447fa

  • SHA1

    702553b0fa2eeb6721e009c74dcc1472b6212ead

  • SHA256

    d59adb5bf6e39573c7a302b4f91c9daec8d50dda97198f58d210e9358f499a64

  • SHA512

    c02037f3857a04f4061283ab8747efb0569cf9e63e1e86fcb302da39d0a029a89840e232f5008df87da9b50fe9e65832dbaca71028b79fcdf00385d31283eb70

  • SSDEEP

    24576:Api39bokSeyY4+luISo861pR5XVqaQtAVpekc+uz17LH4p/VLa:ApixoCuK861pRGaQt2eN+g774p/pa

Score
10/10
asyncratdominios-iva-22discoverypersistencerat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

DOMINIOS-IVA-22

C2

pctrabajonuevo2.casacam.net:8849

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Radicado_Legal.N°001982913812-81281312-66523.rar"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\7zO4A87A9D7\Radicado_Legal.N°001982913812-81281312-66523.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO4A87A9D7\Radicado_Legal.N°001982913812-81281312-66523.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3280
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2560
    • C:\Users\Admin\Downloads\Radicado_Legal.N°001982913812-81281312-66523.exe
      "C:\Users\Admin\Downloads\Radicado_Legal.N°001982913812-81281312-66523.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:348
    • C:\Users\Admin\Downloads\Radicado_Legal.N°001982913812-81281312-66523.exe
      "C:\Users\Admin\Downloads\Radicado_Legal.N°001982913812-81281312-66523.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4952
    • C:\Users\Admin\Downloads\Radicado_Legal.N°001982913812-81281312-66523.exe
      "C:\Users\Admin\Downloads\Radicado_Legal.N°001982913812-81281312-66523.exe"
      1⤵
        PID:5032
      • C:\Users\Admin\Downloads\Radicado_Legal.N°001982913812-81281312-66523.exe
        "C:\Users\Admin\Downloads\Radicado_Legal.N°001982913812-81281312-66523.exe"
        1⤵
          PID:3748

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\7zO4A87A9D7\Radicado_Legal.N°001982913812-81281312-66523.exe
          Filesize

          2.7MB

          MD5

          45a6e7fe6d7e833f374dabe4a3e08ba3

          SHA1

          77cd883b68f9c678c3b3228958d1170755147ac6

          SHA256

          ad5a5fd9f54b29d1bb9f6a9e6915cf059e1560b68f493323ba77bf3fb5a12c12

          SHA512

          719b980cfee0f645ed89a29817081b7feb9c064b274bc1730599991e758ddd7eb1a44d887bb1f18c186c5dba040ddd93e4dc793427b4b5c32b40c60a86092b31

          Download Submit

        • memory/348-32-0x0000000000400000-0x00000000006BE000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/348-29-0x0000000000400000-0x00000000006BE000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3024-11-0x0000000000400000-0x00000000006BE000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3024-13-0x0000000000400000-0x00000000006BE000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3024-15-0x0000000002530000-0x000000000255D000-memory.dmp

          Filesize

          180KB

          Download

        • memory/3024-18-0x00000000025A0000-0x00000000025FC000-memory.dmp

          Filesize

          368KB

          Download

        • memory/3280-22-0x00000000067E0000-0x0000000006D84000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3280-21-0x0000000006190000-0x000000000622C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/3280-23-0x0000000006230000-0x0000000006296000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3280-24-0x000000007452E000-0x000000007452F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3280-17-0x0000000001440000-0x0000000001452000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3280-16-0x000000007452E000-0x000000007452F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3748-36-0x0000000000400000-0x00000000006BE000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/4952-31-0x0000000000400000-0x00000000006BE000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/5032-34-0x0000000000400000-0x00000000006BE000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/5032-37-0x0000000000400000-0x00000000006BE000-memory.dmp

          Filesize

          2.7MB

          Download