asyncrat | 33d0bc76fa1c09fe48e29f19ffd56325f1b435c4eac6c81ae7bd2ae26ab7444e

General

Target

archivo.exe
Size

1.3MB
MD5

240a6bf157e337dea52e7bf5a27f1cb8
SHA1

2773987e599d7b37e3848fadfd114b5cef35dc37
SHA256

06d02c153a476e7f2487b757c7c63685c3abd38b406acc598ad9fb76a4fb99c8
SHA512

c565881c347b9770cbbf183e50fa816a97a50601d4a537914c90d06e8eea790c8946062df1f86e0a764572c6afb0c2f01ee238ec2976aafc44f9bdfb25a583e8
SSDEEP

24576:YS+jvg5q5Dl0+FzYWWI5H4R09Y3h2OsDStIRWziIvH4Rh:YS+jvbDO6zDRUiah2OsDStI8JO

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Default

C2

llechematerna02.kozow.com:7575

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 3020	1488	archivo.exe	29
PID 3020 set thread context of 2884	3020	cmd.exe	31

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1488	archivo.exe
1488	archivo.exe
3020	cmd.exe
3020	cmd.exe
2884	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1488	archivo.exe
3020	cmd.exe
3020	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	MSBuild.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2884	MSBuild.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 3020	1488	archivo.exe	29
PID 1488 wrote to memory of 3020	1488	archivo.exe	29
PID 1488 wrote to memory of 3020	1488	archivo.exe	29
PID 1488 wrote to memory of 3020	1488	archivo.exe	29
PID 1488 wrote to memory of 3020	1488	archivo.exe	29
PID 3020 wrote to memory of 2884	3020	cmd.exe	31
PID 3020 wrote to memory of 2884	3020	cmd.exe	31
PID 3020 wrote to memory of 2884	3020	cmd.exe	31
PID 3020 wrote to memory of 2884	3020	cmd.exe	31
PID 3020 wrote to memory of 2884	3020	cmd.exe	31
PID 3020 wrote to memory of 2884	3020	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\archivo.exe
"C:\Users\Admin\AppData\Local\Temp\archivo.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\568e1c8a

Filesize
779KB

MD5
7c909442d4bfdc35e9d2f9ab9f5b71d8

SHA1
dd0ec117e9b4767705d35df99aaa498994ee25af

SHA256
08b9a6f90040d327ed56aa230c7075b2ab9539a0fd45172aa2edb69e730178c5

SHA512
d051401f2b560d6837057efdc6d112233c853067cfb2e51368f740b078a5944b48bd6b00b709c773eb9d0181149eaa519ebbd8d78c5b58c22f85a1912cab5748

Download Submit
memory/1488-0-0x000007FEF64F0000-0x000007FEF6648000-memory.dmp

Filesize
1.3MB

Download
memory/1488-7-0x000007FEF6509000-0x000007FEF650A000-memory.dmp

Filesize
4KB

Download
memory/1488-8-0x000007FEF64F0000-0x000007FEF6648000-memory.dmp

Filesize
1.3MB

Download
memory/1488-9-0x000007FEF64F0000-0x000007FEF6648000-memory.dmp

Filesize
1.3MB

Download
memory/2884-33-0x0000000073C4E000-0x0000000073C4F000-memory.dmp

Filesize
4KB

Download
memory/2884-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2884-32-0x0000000073C40000-0x000000007432E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2884-30-0x0000000073C4E000-0x0000000073C4F000-memory.dmp

Filesize
4KB

Download
memory/2884-34-0x0000000073C40000-0x000000007432E000-memory.dmp

Filesize
6.9MB

Download
memory/2884-25-0x00000000723C0000-0x0000000073422000-memory.dmp

Filesize
16.4MB

Download
memory/2884-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3020-23-0x0000000074730000-0x00000000748A4000-memory.dmp

Filesize
1.5MB

Download
memory/3020-26-0x0000000074730000-0x00000000748A4000-memory.dmp

Filesize
1.5MB

Download
memory/3020-29-0x000000007473E000-0x0000000074742000-memory.dmp

Filesize
16KB

Download
memory/3020-22-0x0000000074730000-0x00000000748A4000-memory.dmp

Filesize
1.5MB

Download
memory/3020-15-0x0000000074730000-0x00000000748A4000-memory.dmp

Filesize
1.5MB

Download
memory/3020-13-0x0000000074730000-0x00000000748A4000-memory.dmp

Filesize
1.5MB

Download
memory/3020-12-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/3020-14-0x000000007473E000-0x0000000074742000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing