Malware Analysis Report

2025-08-10 17:43

Sample ID 230321-c5xp6sae51
Target Testing FR.exe
SHA256 c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3
Tags rat default asyncrat
Score 10/10

Analysis Overview

Score 10/10

SHA256 c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3

Threat Level: Known bad

The file Testing FR.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

AsyncRat

Async RAT payload

Asyncrat family

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-03-21 02:40

Signatures

Async RAT payload

rat

Asyncrat family

asyncrat

Analysis: behavioral1

Detonation Overview

Submitted 2023-03-21 02:40
Reported 2023-03-21 02:42
Platform win7-20230220-en
Max time kernel 133s
Max time network 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Testing FR.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Services.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Testing FR.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Testing FR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Services.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\Testing FR.exe C:\Windows\System32\cmd.exe
PID 1388 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\Testing FR.exe C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 1924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1928 wrote to memory of 472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1928 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Testing FR.exe

"C:\Users\Admin\AppData\Local\Temp\Testing FR.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BDB.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:8809 tcp
US 8.8.8.8:53 thebest39393.ddns.net udp
US 99.114.251.177:8809 thebest39393.ddns.net tcp

Files

memory/1388-54-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/1388-55-0x000000001B1B0000-0x000000001B230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1BDB.tmp.bat

MD5 4959e505a839493f0bbe8358195f0c72
SHA1 79d8f3ddf4dcac2c13dc4d9798e517c56bcf0cf3
SHA256 f1a87a1dad274a575804bc2a9e56ea0595ac2f7c560e361ddd051c2cd15a2b98
SHA512 be6c46ff0a1cc07f2bf4a569495cfbd8788e5f0b2414cd0416e1a62ceae3d3391598cf5972aba144efd488595700a46b7c866c8ef70db2ab79bf920acda67e89

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

MD5 0c2353b8b6923a16f523944d6514bb8f
SHA1 d66baa60bcfbc057466b3ca0ef3076c5fd02210b
SHA256 c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3
SHA512 857a0dbf2cd41349d72df6a68ad4743bd1d0b2cbdf245be4e3abda10e0323678beb5d0b78ebd968db751a3de58b924e792f64cc6ca1e7b0f27b42869179c979d

memory/1756-68-0x00000000002D0000-0x00000000002E2000-memory.dmp

memory/1756-69-0x000000001AF50000-0x000000001AFD0000-memory.dmp

memory/1756-70-0x000000001AF50000-0x000000001AFD0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-03-21 02:40
Reported 2023-03-21 02:42
Platform win10v2004-20230220-en
Max time kernel 145s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Testing FR.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Testing FR.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Services.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Testing FR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Services.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Testing FR.exe

"C:\Users\Admin\AppData\Local\Temp\Testing FR.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7823.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 thebest39393.ddns.net udp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 52.152.108.96:443 tcp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
NL 52.178.17.3:443 tcp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
N/A 127.0.0.1:8809 tcp
US 8.8.8.8:53 254.138.241.8.in-addr.arpa udp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 254.130.241.8.in-addr.arpa udp

Files

memory/4872-133-0x0000000000500000-0x0000000000512000-memory.dmp

memory/4872-134-0x000000001BD50000-0x000000001BD60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7823.tmp.bat

MD5 457aeb2377c735737a952ade1c443d6a
SHA1 46e485ca27d035aeff795d756f2c31547aa83a4d
SHA256 4ea8c80ae215bc81d056d1185364d29c45bb86f58345dea823a0a26318457aa7
SHA512 8b3f979e74fb47927bff8c51d29fca4eb9e93536a1315b578faadfcb149c36f4a277d7e959d842ab9d713ddb84119fefc41921e3c1c467ecb0b36edfd3794003

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

MD5 0c2353b8b6923a16f523944d6514bb8f
SHA1 d66baa60bcfbc057466b3ca0ef3076c5fd02210b
SHA256 c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3
SHA512 857a0dbf2cd41349d72df6a68ad4743bd1d0b2cbdf245be4e3abda10e0323678beb5d0b78ebd968db751a3de58b924e792f64cc6ca1e7b0f27b42869179c979d

memory/972-143-0x000000001B690000-0x000000001B6A0000-memory.dmp

memory/972-144-0x000000001B690000-0x000000001B6A0000-memory.dmp