Malware Analysis Report

2025-08-10 17:44

Sample ID 230319-sv716aba4w
Target 0x000300000002287f-434.dat
SHA256 4f4432ddc88c1bca9f139589c8ce1fcaf016ff167d189e6fb6231057fdf1fff7
Tags rat default asyncrat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

4f4432ddc88c1bca9f139589c8ce1fcaf016ff167d189e6fb6231057fdf1fff7

Threat Level: Known bad

The file 0x000300000002287f-434.dat was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Async RAT payload

AsyncRat

Asyncrat family

Async RAT payload

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-19 15:27

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-19 15:27

Reported

2023-03-19 15:30

Platform

win7-20230220-en

Max time kernel

122s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\syscall.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\syscall.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1236 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | C:\Windows\System32\cmd.exe
PID 1236 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | C:\Windows\System32\cmd.exe
PID 1236 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | C:\Windows\System32\cmd.exe
PID 1236 wrote to memory of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | C:\Windows\system32\cmd.exe
PID 1236 wrote to memory of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | C:\Windows\system32\cmd.exe
PID 1236 wrote to memory of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | C:\Windows\system32\cmd.exe
PID 876 wrote to memory of 1156 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 876 wrote to memory of 1156 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 876 wrote to memory of 1156 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 684 wrote to memory of 1900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 684 wrote to memory of 1900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 684 wrote to memory of 1900 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 684 wrote to memory of 1280 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\syscall.exe
PID 684 wrote to memory of 1280 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\syscall.exe
PID 684 wrote to memory of 1280 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\syscall.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe

"C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "syscall" /tr '"C:\Users\Admin\AppData\Roaming\syscall.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp19D8.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "syscall" /tr '"C:\Users\Admin\AppData\Roaming\syscall.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\syscall.exe

"C:\Users\Admin\AppData\Roaming\syscall.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ii-usd.at.ply.gg | udp
US | 209.25.141.223:25036 | ii-usd.at.ply.gg | tcp
US | 209.25.141.223:25036 | ii-usd.at.ply.gg | tcp
US | 209.25.141.223:25036 | ii-usd.at.ply.gg | tcp
US | 209.25.141.223:25036 | ii-usd.at.ply.gg | tcp
US | 209.25.141.223:25036 | ii-usd.at.ply.gg | tcp

Files

memory/1236-54-0x0000000001370000-0x0000000001386000-memory.dmp

memory/1236-55-0x000000001AA60000-0x000000001AAE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp19D8.tmp.bat

MD5 ca0b9c176f48414491de060a94c604a6
SHA1 8c7e229f28d3694db2cb311b25edc15fc0e81dab
SHA256 46f72042397ac4749b3143ac1f648d1f9d7088f5bae9655f2e46d3f9cae62cea
SHA512 18ffdd92fbfdc622278e4c3e34feee7a526d3605bb5378620d65d4ce9eb07ee9c78584da27f573e2093415c63cd9796e287795c3ce7e2c946b0890008952e12f

C:\Users\Admin\AppData\Local\Temp\tmp19D8.tmp.bat

MD5 ca0b9c176f48414491de060a94c604a6
SHA1 8c7e229f28d3694db2cb311b25edc15fc0e81dab
SHA256 46f72042397ac4749b3143ac1f648d1f9d7088f5bae9655f2e46d3f9cae62cea
SHA512 18ffdd92fbfdc622278e4c3e34feee7a526d3605bb5378620d65d4ce9eb07ee9c78584da27f573e2093415c63cd9796e287795c3ce7e2c946b0890008952e12f

C:\Users\Admin\AppData\Roaming\syscall.exe

MD5 2d7e104a199600d550879e132d877ee7
SHA1 9a702148bcb48c8f666d275b0b08bf2b1711e069
SHA256 4f4432ddc88c1bca9f139589c8ce1fcaf016ff167d189e6fb6231057fdf1fff7
SHA512 c78a6954104da75ffb6a98447fe36f8297d27929a1eab540eed67e4ec42d35ad46fe0037bf29d7904f36433dce34a27b92556e4e376ef79c1914cc54676adc33

C:\Users\Admin\AppData\Roaming\syscall.exe

MD5 2d7e104a199600d550879e132d877ee7
SHA1 9a702148bcb48c8f666d275b0b08bf2b1711e069
SHA256 4f4432ddc88c1bca9f139589c8ce1fcaf016ff167d189e6fb6231057fdf1fff7
SHA512 c78a6954104da75ffb6a98447fe36f8297d27929a1eab540eed67e4ec42d35ad46fe0037bf29d7904f36433dce34a27b92556e4e376ef79c1914cc54676adc33

memory/1280-68-0x0000000001360000-0x0000000001376000-memory.dmp

memory/1280-69-0x000000001A920000-0x000000001A9A0000-memory.dmp

memory/1280-70-0x000000001A920000-0x000000001A9A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-19 15:27

Reported

2023-03-19 15:30

Platform

win10v2004-20230220-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\syscall.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\syscall.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe

"C:\Users\Admin\AppData\Local\Temp\0x000300000002287f-434.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "syscall" /tr '"C:\Users\Admin\AppData\Roaming\syscall.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF8E.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "syscall" /tr '"C:\Users\Admin\AppData\Roaming\syscall.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\syscall.exe

"C:\Users\Admin\AppData\Roaming\syscall.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | ii-usd.at.ply.gg | udp
US | 209.25.141.223:25036 | ii-usd.at.ply.gg | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 52.152.110.14:443 | | tcp
US | 52.168.112.66:443 | | tcp
US | 209.25.141.223:25036 | ii-usd.at.ply.gg | tcp
US | 8.8.8.8:53 | 199.176.139.52.in-addr.arpa | udp
US | 52.152.110.14:443 | | tcp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 209.25.141.223:25036 | ii-usd.at.ply.gg | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 52.152.110.14:443 | | tcp
US | 209.25.141.223:25036 | ii-usd.at.ply.gg | tcp
US | 52.152.110.14:443 | | tcp
US | 209.25.141.223:25036 | ii-usd.at.ply.gg | tcp
US | 52.152.110.14:443 | | tcp
US | 52.152.110.14:443 | | tcp
US | 209.25.141.223:25036 | ii-usd.at.ply.gg | tcp

Files

memory/2044-133-0x000002085E090000-0x000002085E0A6000-memory.dmp

memory/2044-134-0x000002085FD80000-0x000002085FD90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAF8E.tmp.bat

MD5 61f5339dbab00d413994520055e6d203
SHA1 0f6802af5a184d33a01ff80251f2c11db65d3d4a
SHA256 0a0b313be845e2db6ae73c10bc737b3bca555c7ae520ca3abb94dca3e033d5b4
SHA512 904161371c674c3f9598e3b2331938b81d7472fe270b0fc4cb199a1fe69b283cfe281625e045a951372417e33a11bd4aceb5b77952807a276d31155541bafc21

C:\Users\Admin\AppData\Roaming\syscall.exe

MD5 2d7e104a199600d550879e132d877ee7
SHA1 9a702148bcb48c8f666d275b0b08bf2b1711e069
SHA256 4f4432ddc88c1bca9f139589c8ce1fcaf016ff167d189e6fb6231057fdf1fff7
SHA512 c78a6954104da75ffb6a98447fe36f8297d27929a1eab540eed67e4ec42d35ad46fe0037bf29d7904f36433dce34a27b92556e4e376ef79c1914cc54676adc33

C:\Users\Admin\AppData\Roaming\syscall.exe

MD5 2d7e104a199600d550879e132d877ee7
SHA1 9a702148bcb48c8f666d275b0b08bf2b1711e069
SHA256 4f4432ddc88c1bca9f139589c8ce1fcaf016ff167d189e6fb6231057fdf1fff7
SHA512 c78a6954104da75ffb6a98447fe36f8297d27929a1eab540eed67e4ec42d35ad46fe0037bf29d7904f36433dce34a27b92556e4e376ef79c1914cc54676adc33

memory/3484-143-0x000002D4FBAC0000-0x000002D4FBAD0000-memory.dmp

memory/3484-144-0x000002D4FBAC0000-0x000002D4FBAD0000-memory.dmp