Malware Analysis Report

2025-08-10 17:43

Sample ID 230317-dwrcgaea72
Target Christine-Fink_ByZ‮rar.scr
SHA256 b9ddb91a6de8542f1bbf920fbf40cc84780e18a3865b4f6407b4b168af0d13c5
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b9ddb91a6de8542f1bbf920fbf40cc84780e18a3865b4f6407b4b168af0d13c5

Threat Level: Known bad

The file Christine-Fink_ByZ‮rar.scr was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-17 03:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-17 03:21

Reported

2023-03-17 03:23

Platform

win10v2004-20230220-en

Max time kernel

20s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZ‮rar.scr" /S

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZ‮rar.scr | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZ‮rar.scr | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZ‮rar.scr | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\csrss.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZ‮rar.scr

"C:\Users\Admin\AppData\Local\Temp\Christine-Fink_ByZ‮rar.scr" /S

C:\Users\Admin\AppData\Local\Temp\csrss.exe

"C:\Users\Admin\AppData\Local\Temp\csrss.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
NL | 88.221.25.155:80 | N/A | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | pastebin.com | udp
US | 104.20.67.143:443 | pastebin.com | tcp
US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp

Files

memory/4404-133-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss.exe

MD5 80536cf3325d6dbd0d961300bce4e707
SHA1 58c1868bc443e509d9fa2d268c6bd0be66e52ebd
SHA256 ddef87f68cddede60375bb1dc0b44842166362d04040851894a9583805bfd831
SHA512 5786ffe93fa20e6adf359d2af94a6d27a793279361a6dbb0ab117b1aae93c306333dccaeeedfe7e6f435624a19a705afde9b4775d78d296f8caa1c2a71db298b
memory/4680-214-0x0000000000E10000-0x0000000000E22000-memory.dmp