| File name: | RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader (1).rar |
| Full analysis: | https://app.any.run/tasks/f7f20005-8606-48c7-ab61-ceb9710803bb |
| Verdict: | Malicious activity |
| Threats: | AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. |
| Analysis date: | May 22, 2024, 18:11:00 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, flags: EncryptedBlockHeader |
| MD5: | FFFEE07C26262DABF302341ED094FA2F |
| SHA1: | 4EE2081C00EEDB9389A7127E2D1A5F7080A05D10 |
| SHA256: | BE9F9DE0F35B47502558668A9D9AC969F460E6EDB831864D823BFA189DC27424 |
| SSDEEP: | 98304:iZvIQCfvX61v7L5R7BSOcJLAEtMXTBqY1yQ0zO4Psbu6DsSetpWnRjk02pbP8JRl:u |
MALICIOUS
Changes the autorun value in the registry
- RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe (PID: 4020)
Drops the executable file immediately after the start
- RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe (PID: 4020)
ASYNCRAT has been detected (YARA)
- InstallUtil.exe (PID: 4068)
SUSPICIOUS
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3980)
Executable content was dropped or overwritten
- RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe (PID: 4020)
Connects to unusual port
- InstallUtil.exe (PID: 4068)
INFO
Checks supported languages
- RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe (PID: 4020)
- InstallUtil.exe (PID: 4068)
Reads the computer name
- RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe (PID: 4020)
- InstallUtil.exe (PID: 4068)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 3980)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3980)
Reads the machine GUID from the registry
- RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe (PID: 4020)
- InstallUtil.exe (PID: 4068)
Creates files or folders in the user directory
- RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe (PID: 4020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
AsyncRat
(PID) Process(4068) InstallUtil.exe
C2 (6)20232023juliosefue.ddns.net
dominioseternosgraciasadios20230230230.duckdns.org
laazcarate202120212021.duckdns.org
dominiogeneral20240202402024.duckdns.org
superabrilabrilabril20242024.con-ip.com
arannsasaaransasaturituri2024.duckdns.org
Ports (1)3008
Version0.5.7B
BotnetOMAYO
Options
AutoRunfalse
Mutexytppeppsllfd_fefre
InstallFolder%AppData%
BSoDfalse
AntiVMfalse
Certificates
Cert1MIIE8jCCAtqgAwIBAgIQAKxLlAkF1WRT8tAExBlQyzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwOTIwMTQyNzUwWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKrrWexesJSLqGeYC6kTxL6e4fbMdbCF6T1opNgSYFlyavRm733h8x2GXmzipr8dl/UHWmWcPmk8...
Server_SignatureHZrRF+rZ/ygo3xDjnfZ2NbSMAfK8JLjwO0WDHxihaJH3UIbLZQflXRoT9ikaMxVuCuy29cqcq/WtJHQNMvtBInmxbFPH7j02lXt0DPDAPlofp4XGU9Ql956CIiEfDraS9dp8xyluYzxgnFlVHhNQ9UMNYiWVXqLRkOkoCAsy4KH2Ebtb0FUexL5FlTEwnb98yvCztuAHYAYjWCTKNcvAOxo3GMX8CpSTbO6L8WCpHBCMnbc6WiHmdYY1VbmR1fKWxHVvGTLqsdUstmmgPaqC2CEfAuDiSAQB+BDyyeKbEzkH...
Keys
AES85dd68d17bfa07ccdc9a6313a51f04808e4b0fd822851ce815cf05f7b1c431e3
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
TRiD
| .rar | | | RAR compressed archive (v-4.x) (58.3) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (41.6) |
Total processes
34
Monitored processes
3
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3980 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\f7f20005-8606-48c7-ab61-ceb9710803bb.rar | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 4020 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3980.28833\RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3980.28833\RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe | WinRAR.exe | ||||||||||||
User: admin Company: AOMEI Technology Co., Ltd Integrity Level: MEDIUM Description: Extend Partition Wizard Exit code: 0 Version: 5.5.0.0 Modules
| |||||||||||||||
| 4068 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: .NET Framework installation utility Version: 4.8.3761.0 built by: NET48REL1 Modules
AsyncRat(PID) Process(4068) InstallUtil.exe C2 (6)20232023juliosefue.ddns.net dominioseternosgraciasadios20230230230.duckdns.org laazcarate202120212021.duckdns.org dominiogeneral20240202402024.duckdns.org superabrilabrilabril20242024.con-ip.com arannsasaaransasaturituri2024.duckdns.org Ports (1)3008 Version0.5.7B BotnetOMAYO Options AutoRunfalse Mutexytppeppsllfd_fefre InstallFolder%AppData% BSoDfalse AntiVMfalse Certificates Cert1MIIE8jCCAtqgAwIBAgIQAKxLlAkF1WRT8tAExBlQyzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwOTIwMTQyNzUwWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKrrWexesJSLqGeYC6kTxL6e4fbMdbCF6T1opNgSYFlyavRm733h8x2GXmzipr8dl/UHWmWcPmk8... Server_SignatureHZrRF+rZ/ygo3xDjnfZ2NbSMAfK8JLjwO0WDHxihaJH3UIbLZQflXRoT9ikaMxVuCuy29cqcq/WtJHQNMvtBInmxbFPH7j02lXt0DPDAPlofp4XGU9Ql956CIiEfDraS9dp8xyluYzxgnFlVHhNQ9UMNYiWVXqLRkOkoCAsy4KH2Ebtb0FUexL5FlTEwnb98yvCztuAHYAYjWCTKNcvAOxo3GMX8CpSTbO6L8WCpHBCMnbc6WiHmdYY1VbmR1fKWxHVvGTLqsdUstmmgPaqC2CEfAuDiSAQB+BDyyeKbEzkH... Keys AES85dd68d17bfa07ccdc9a6313a51f04808e4b0fd822851ce815cf05f7b1c431e3 Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941 | |||||||||||||||
Total events
4 098
Read events
4 063
Write events
35
Delete events
0
Modification events
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
| Operation: | write | Name: | ShowPassword |
Value: 0 | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\f7f20005-8606-48c7-ab61-ceb9710803bb.rar | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3980) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4020 | RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe | C:\Users\admin\AppData\Roaming\Pficax.exe | executable | |
MD5:07C3FEDDBBC055797A2885B889BC83EA | SHA256:555B0C29548401EBB21BE6CB27CBF6A1C60AFFC6BA19F68A1AAE372FC740AB33 | |||
| 3980 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3980.28833\RADICADO_SEGUNDO AVISO 4111889-22-005-2024-0333745-33 Orden Tribunal Superor de la Judicatura Mayo 14 de 2023 Juez Camilo Mercado Ordena Adobe Acrobat Reader.exe | executable | |
MD5:07C3FEDDBBC055797A2885B889BC83EA | SHA256:555B0C29548401EBB21BE6CB27CBF6A1C60AFFC6BA19F68A1AAE372FC740AB33 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
5
Threats
9
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4068 | InstallUtil.exe | 181.205.239.138:3008 | laazcarate202120212021.duckdns.org | EPM Telecomunicaciones S.A. E.S.P. | CO | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
20232023juliosefue.ddns.net |
| unknown |
laazcarate202120212021.duckdns.org |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1088 | svchost.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.ddns .net |
1088 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain |
1088 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
— | — | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain |