Malware Analysis Report

2025-08-10 17:43

Sample ID 230321-qph4qsce6w
Target c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.zip
SHA256 7e99509d08819ab9c8e1e4dd16bd0e55060c63d6a71751848b2643c95647a77a
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7e99509d08819ab9c8e1e4dd16bd0e55060c63d6a71751848b2643c95647a77a

Threat Level: Known bad

The file c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

Async RAT payload

AsyncRat

Asyncrat family

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-21 13:26

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-21 13:26

Reported

2023-03-21 13:28

Platform

win7-20230220-en

Max time kernel

136s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Services.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Services.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe C:\Windows\System32\cmd.exe
PID 1196 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe C:\Windows\System32\cmd.exe
PID 1196 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe C:\Windows\System32\cmd.exe
PID 860 wrote to memory of 712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 860 wrote to memory of 712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 860 wrote to memory of 712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1196 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe C:\Windows\system32\cmd.exe
PID 1748 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1748 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1748 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1748 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft Services.exe
PID 1748 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft Services.exe
PID 1748 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe

"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"'

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEEA4.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 thebest39393.ddns.net udp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
US 8.8.8.8:53 thebest39393.ddns.net udp
US 99.114.251.177:8809 thebest39393.ddns.net tcp

Files

memory/1196-54-0x00000000001B0000-0x00000000001C2000-memory.dmp

memory/1196-55-0x000000001B220000-0x000000001B2A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEEA4.tmp.bat

MD5 a0c4dbd8171b25def4dd6b440110a194
SHA1 ff5fa174fa1fd86cd101c4e58cfd81d0d0d06d62
SHA256 4dc0db246e42c8343404587ea61b7857f86aa87e287aa8f2f00ea909d7624714
SHA512 be7c082fadc57ed2edc7fcc879d053dbd39f543b395f63a88695923be04cd6cd6f29cdb0c1d3bb947967d021434e4ebe24b3f34b733bec9bd12b7db58a435716

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

MD5 0c2353b8b6923a16f523944d6514bb8f
SHA1 d66baa60bcfbc057466b3ca0ef3076c5fd02210b
SHA256 c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3
SHA512 857a0dbf2cd41349d72df6a68ad4743bd1d0b2cbdf245be4e3abda10e0323678beb5d0b78ebd968db751a3de58b924e792f64cc6ca1e7b0f27b42869179c979d

memory/1388-68-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

memory/1388-69-0x0000000000420000-0x00000000004A0000-memory.dmp

memory/1388-70-0x0000000000420000-0x00000000004A0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-21 13:26

Reported

2023-03-21 13:28

Platform

win10v2004-20230220-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft Services.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft Services.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe

"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDA7.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 32.18.126.40.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 thebest39393.ddns.net udp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 20.189.173.2:443 tcp
N/A 127.0.0.1:8809 tcp
US 209.197.3.8:80 tcp
N/A 127.0.0.1:8809 tcp
N/A 127.0.0.1:8809 tcp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
US 13.107.4.50:80 tcp
US 8.8.8.8:53 thebest39393.ddns.net udp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
N/A 127.0.0.1:8809 tcp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
N/A 127.0.0.1:8809 tcp
US 8.8.8.8:53 thebest39393.ddns.net udp
US 99.114.251.177:8809 thebest39393.ddns.net tcp

Files

memory/2052-136-0x00000000005A0000-0x00000000005B2000-memory.dmp

memory/2052-137-0x000000001BE80000-0x000000001BE90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBDA7.tmp.bat

MD5 e9ac326b90f8604cb605f2738f65d4aa
SHA1 ab04adf8952896c26b5357e3ceae171122b73e09
SHA256 acc308780881e334770db26194bbf8949b18121e5c0b9eb785d579c22bc07bdf
SHA512 31a4a711c2dc97e77c4cd2afd83a5820e2bada62dafe971cab9e7346665503c6938e19ca828d6c5fcf7839809bb4608ce8825d8b2175ab4b5e690b203868c0d6

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

MD5 0c2353b8b6923a16f523944d6514bb8f
SHA1 d66baa60bcfbc057466b3ca0ef3076c5fd02210b
SHA256 c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3
SHA512 857a0dbf2cd41349d72df6a68ad4743bd1d0b2cbdf245be4e3abda10e0323678beb5d0b78ebd968db751a3de58b924e792f64cc6ca1e7b0f27b42869179c979d

memory/3284-146-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

memory/3284-147-0x000000001BBC0000-0x000000001BBD0000-memory.dmp