Malware Analysis Report

2025-08-10 17:43

Sample ID 230321-rvq7zaah94
Target c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.zip
SHA256 cd331d42e2ecc66b8a2f7388bea49900940830292e1f902c8fabbb2d8acec213
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd331d42e2ecc66b8a2f7388bea49900940830292e1f902c8fabbb2d8acec213

Threat Level: Known bad

The submitted archive c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.zip was found to be: Known bad. It carries a single executable named after its own SHA256; the dropped copy listed under Files has that same hash, so the sample copies itself unchanged. In both detonations the executable writes itself to C:\Users\Admin\AppData\Roaming\Microsoft Services.exe, registers a scheduled task named "Microsoft Services" that runs the copy at every logon with the highest run level (schtasks /create /f /sc onlogon /rl highest), relaunches the copy after a 3-second timeout through a temporary batch file in %TEMP%, and then connects to thebest39393.ddns.net (99.114.251.177) on TCP port 8809, consistent with the AsyncRAT identification above.

Malicious Activity Summary

rat default asyncrat

Async RAT payload

AsyncRat

Asyncrat family

Async RAT payload

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-21 14:31

Signatures

Async RAT payload

rat
Description | Indicator | Process | Target
(1 match; no details recorded)

Asyncrat family

asyncrat

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-21 14:31

Reported

2023-03-21 14:33

Platform

win7-20230220-en

Max time kernel

145s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
(6 matches; no details recorded)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Services.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Services.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1368 wrote to memory of 588 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe | C:\Windows\System32\cmd.exe
PID 1368 wrote to memory of 1880 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe | C:\Windows\system32\cmd.exe
PID 588 wrote to memory of 1748 (x3) | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 1880 wrote to memory of 1140 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\timeout.exe
PID 1880 wrote to memory of 1952 (x3) | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

Each row was recorded three times (x3). Every target is a child that the writing process itself spawned (compare the Processes list below); no write into an unrelated process was recorded, so this signature here documents the process tree rather than injection into a foreign process.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe

"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"' & exit

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp42AC.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"

Network

Country | Destination (ip:port) | Domain | Proto
US | 8.8.8.8:53 | thebest39393.ddns.net | udp
US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp
US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp
N/A | 127.0.0.1:8809 | - | tcp
N/A | 127.0.0.1:8809 | - | tcp
N/A | 127.0.0.1:8809 | - | tcp
N/A | 127.0.0.1:8809 | - | tcp
US | 8.8.8.8:53 | thebest39393.ddns.net | udp
US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp
N/A | 127.0.0.1:8809 | - | tcp
N/A | 127.0.0.1:8809 | - | tcp
N/A | 127.0.0.1:8809 | - | tcp
N/A | 127.0.0.1:8809 | - | tcp

The only external destination is thebest39393.ddns.net, resolved through 8.8.8.8 to 99.114.251.177 and contacted repeatedly on TCP 8809; the loopback connections use that same port. A "-" in Domain means no name was associated with the connection.

Files

memory/1368-54-0x0000000001200000-0x0000000001212000-memory.dmp

memory/1368-55-0x000000001B270000-0x000000001B2F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp42AC.tmp.bat

MD5 e7bd34576e0f8037cd53b4f2b6499a95
SHA1 94b9487ab6228771b668d99ecea3c2cbf3fbe2e5
SHA256 77db5c98c46e6a5eeaafc0239d8becfe1708570c2afd3ed22f77a1c41f3fadb3
SHA512 567091eaeb2128546913f7f9387ae77e58b58021c8d8969a2d1d6a1faa22292e3099590314c6d41fb5c312b51fe1e43b76c8e92e88b1b79ce334085efcfe8bd6

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

MD5 0c2353b8b6923a16f523944d6514bb8f
SHA1 d66baa60bcfbc057466b3ca0ef3076c5fd02210b
SHA256 c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3
SHA512 857a0dbf2cd41349d72df6a68ad4743bd1d0b2cbdf245be4e3abda10e0323678beb5d0b78ebd968db751a3de58b924e792f64cc6ca1e7b0f27b42869179c979d

memory/1952-68-0x00000000001D0000-0x00000000001E2000-memory.dmp

memory/1952-69-0x0000000000530000-0x00000000005B0000-memory.dmp

memory/1952-70-0x0000000000530000-0x00000000005B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-21 14:31

Reported

2023-03-21 14:33

Platform

win10v2004-20230220-en

Max time kernel

130s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
(3 matches; no details recorded)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Services.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe | N/A  (23 matches)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Services.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe

"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"

Network

Country | Destination (ip:port) | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.154.139.52.in-addr.arpa | udp
N/A | 127.0.0.1:8809 | - | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
N/A | 127.0.0.1:8809 | - | tcp
N/A | 127.0.0.1:8809 | - | tcp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
N/A | 127.0.0.1:8809 | - | tcp
US | 20.189.173.4:443 | - | tcp
US | 8.8.8.8:53 | thebest39393.ddns.net | udp
US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp
US | 93.184.221.240:80 | - | tcp
NL | 173.223.113.164:443 | - | tcp
NL | 173.223.113.131:80 | - | tcp
US | 204.79.197.203:80 | - | tcp
US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp
US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp
US | 8.8.8.8:53 | 11.175.53.84.in-addr.arpa | udp
US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp
N/A | 127.0.0.1:8809 | - | tcp
N/A | 127.0.0.1:8809 | - | tcp
US | 8.8.8.8:53 | thebest39393.ddns.net | udp
US | 99.114.251.177:8809 | thebest39393.ddns.net | tcp

Only the thebest39393.ddns.net / 99.114.251.177:8809 rows and the loopback connections on port 8809 are common to both detonations. The reverse (in-addr.arpa) lookups and the port 80/443 connections to 20.189.173.4, 93.184.221.240, 173.223.113.x and 204.79.197.203 appear only on the win10 image and are not attributed to any process on this page. A "-" in Domain means no name was associated with the connection.
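A network-side check for the pattern these tables show in both detonations (repeated TCP connections to a dynamic-DNS hostname on a non-web port), added here as an example and not part of the sandbox report or of any tool the page describes. It parses rows in the Country/Destination/Domain/Proto layout used above, in the raw space-separated export form or pipe-separated, and counts external TCP destinations. The DDNS suffix list is a small assumed sample, and SAMPLE_TABLE is constructed from a subset of the win10 rows.

```python
"""Network-side check for the pattern in the Network tables: repeated TCP
connections to a dynamic-DNS hostname on a non-web port, which is what the
thebest39393.ddns.net / 99.114.251.177:8809 rows show in both detonations.

Added example, not part of the sandbox report.  The DDNS suffix list is a
small assumed sample and SAMPLE_TABLE is constructed from a subset of the
win10 rows in the sandbox's raw space-separated export layout."""
from collections import Counter

DDNS_SUFFIXES = ("ddns.net", "no-ip.com", "no-ip.org", "duckdns.org", "hopto.org")
WEB_PORTS = {80, 443}


def is_ddns(domain):
    """True if domain is (or sits under) one of the assumed DDNS zones."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DDNS_SUFFIXES)


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows, space separated (raw
    export) or pipe separated.  Domain may be absent or '-' for connections
    with no associated name, so rows are told apart by column count."""
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")] if "|" in line else line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue  # header line
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": "" if domain == "-" else domain,
                     "proto": proto.lower()})
    return rows


def find_c2(rows, min_hits=2):
    """(domain, ip, port, hits) for external TCP destinations that were
    reached through a DDNS name, on a non-web port, at least min_hits
    times: the reconnect loop of a RAT rather than a one-off download."""
    hits = Counter()
    for r in rows:
        if r["proto"] == "tcp" and not r["ip"].startswith("127."):
            hits[(r["domain"], r["ip"], r["port"])] += 1
    return sorted((d, ip, p, n) for (d, ip, p), n in hits.items()
                  if n >= min_hits and is_ddns(d) and p not in WEB_PORTS)


def loopback_ports(rows):
    """Ports contacted on 127.0.0.1; an overlap with the C2 port is worth
    recording, but this function draws no conclusion from it."""
    return sorted({r["port"] for r in rows if r["ip"].startswith("127.")})


# Constructed subset of the win10 Network table, raw export layout.
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 127.0.0.1:8809 tcp
US 20.189.173.4:443 tcp
US 8.8.8.8:53 thebest39393.ddns.net udp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
N/A 127.0.0.1:8809 tcp
US 8.8.8.8:53 thebest39393.ddns.net udp
US 99.114.251.177:8809 thebest39393.ddns.net tcp
"""

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TABLE)
    for domain, ip, port, n in find_c2(rows):
        print("C2 candidate: %s (%s) tcp/%d, %d connections" % (domain, ip, port, n))
    print("loopback ports:", loopback_ports(rows))
```

The DDNS-suffix test is deliberately narrow: a hostname under a dynamic-DNS provider is a weak signal on its own, so the check only fires when it coincides with a non-web port and a repeat count. The web-port connections in the win10 table fall out of the result because they carry no domain and sit on 80/443.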

Files

memory/3716-133-0x0000000000C30000-0x0000000000C42000-memory.dmp

memory/3716-134-0x0000000002D00000-0x0000000002D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB77D.tmp.bat

MD5 5ca716bcb3f7a33e29b325b61d67dbd7
SHA1 b2671dad9b36d778611cf2239794102342d9c4c0
SHA256 3fc9801c82ecace3781a149c9b270d8ac00fd8ba37563fda87b8c6f736fda2e9
SHA512 f74abd29a27e414f15760f78e161eadea0bb5ed18b65aaea36fe8d95f9ca276053a961d26383f327d3ea9df52759bb08ec6ac9e21d864e6ae406eb926745c4ac

C:\Users\Admin\AppData\Roaming\Microsoft Services.exe

MD5 0c2353b8b6923a16f523944d6514bb8f
SHA1 d66baa60bcfbc057466b3ca0ef3076c5fd02210b
SHA256 c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3
SHA512 857a0dbf2cd41349d72df6a68ad4743bd1d0b2cbdf245be4e3abda10e0323678beb5d0b78ebd968db751a3de58b924e792f64cc6ca1e7b0f27b42869179c979d

memory/3688-143-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

memory/3688-144-0x0000000002AB0000-0x0000000002AC0000-memory.dmp
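Detection logic for the persistence chain recorded in the Processes sections of both detonations, added here as an example and not part of the sandbox report or of any tool the page describes. It parses schtasks /create command lines (trigger, run level, task name, action path) and recognises the cmd /c <Temp>\tmpXXXX.tmp.bat stage whose children are a timeout and an executable under AppData. The process-creation events it runs on are constructed from the win7 process tree and the PIDs in its WriteProcessMemory table; the event field names (pid, ppid, image, cmdline), the sample's parent PID and the benign control event at the end are assumptions of the example.

```python
r"""Detection logic for the persistence chain in the Processes sections:
a schtasks /create with an onlogon trigger, /rl highest and an action
under a user-writable AppData path, and the cmd /c <Temp>\tmpXXXX.tmp.bat
-> timeout -> relaunch-from-AppData stage that follows it.

Added example, not part of the sandbox report.  Each event dict mimics a
process-creation record (Sysmon Event ID 1 style); the field names pid,
ppid, image and cmdline are this example's own convention."""
import re

SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?\s/create\b", re.I)
OPT_TN = re.compile(r"/tn\s+(\"[^\"]*\"|\S+)", re.I)
OPT_SC = re.compile(r"/sc\s+(\S+)", re.I)
OPT_RL = re.compile(r"/rl\s+(\S+)", re.I)
OPT_TR = re.compile(r"/tr\s+('[^']*'|\"[^\"]*\"|\S+)", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
SYSTEM_DIRS = re.compile(r"^[A-Z]:\\(Windows|Program Files)", re.I)
TMP_BAT = re.compile(r"([A-Z]:\\[^\"']*\\Temp\\tmp[0-9A-F]{4}\.tmp\.bat)", re.I)
TIMEOUT = re.compile(r"^\s*\"?timeout(?:\.exe)?\"?\s+\d+", re.I)


def parse_schtasks_create(cmdline):
    """Extract task name, trigger, run level and action from a
    'schtasks /create' command line; None for anything else."""
    if not SCHTASKS_CREATE.search(cmdline):
        return None

    def opt(rx):
        m = rx.search(cmdline)
        return m.group(1).strip("'\"") if m else ""

    return {"task": opt(OPT_TN), "schedule": opt(OPT_SC).lower(),
            "runlevel": opt(OPT_RL).lower(), "action": opt(OPT_TR)}


def task_reasons(task):
    """Reasons a parsed task creation looks like malware persistence."""
    reasons = []
    if task["schedule"] in ("onlogon", "onstart"):
        reasons.append("trigger=" + task["schedule"])
    if task["runlevel"] == "highest":
        reasons.append("runlevel=highest")
    if USER_WRITABLE.search(task["action"]):
        reasons.append("action under user-writable AppData")
    if re.search(r"\b(microsoft|windows)\b", task["task"], re.I) \
            and not SYSTEM_DIRS.match(task["action"]):
        reasons.append("vendor-looking task name, non-system binary")
    return reasons


def detect(events):
    """Return (pid, rule, detail) findings for both stages of the chain."""
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        task = parse_schtasks_create(e["cmdline"])
        if task:
            reasons = task_reasons(task)
            if len(reasons) >= 2:  # a single oddity is common in admin scripts
                findings.append((e["pid"], "schtasks_persistence",
                                 "%s -> %s [%s]" % (task["task"], task["action"],
                                                    "; ".join(reasons))))
        bat = TMP_BAT.search(e["cmdline"])
        if bat and e["image"].lower().endswith("\\cmd.exe"):
            kids = children.get(e["pid"], [])
            delayed = any(TIMEOUT.match(k["cmdline"]) for k in kids)
            relaunched = [k["image"] for k in kids
                          if k["image"].lower().endswith(".exe")
                          and USER_WRITABLE.search(k["image"])]
            if delayed and relaunched:
                findings.append((e["pid"], "tmp_bat_delayed_relaunch",
                                 "%s relaunches %s" % (bat.group(1), relaunched[0])))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c69b81e6499b64d01ed7b231985f9061e8553309cbd64b00d1699e71d58fd4c3.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Microsoft Services.exe"
TASK_ARGS = '/create /f /sc onlogon /rl highest /tn "Microsoft Services" /tr \'"%s"\'' % DROPPED

# Constructed from the win7 process tree and the PIDs in its
# WriteProcessMemory table; the sample's parent PID (1000) and the benign
# control event at the end are invented for this example.
SAMPLE_EVENTS = [
    {"pid": 1368, "ppid": 1000, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    {"pid": 588, "ppid": 1368, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c schtasks ' + TASK_ARGS + " & exit"},
    {"pid": 1748, "ppid": 588, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": "schtasks " + TASK_ARGS},
    {"pid": 1880, "ppid": 1368, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp42AC.tmp.bat""'},
    {"pid": 1140, "ppid": 1880, "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": "timeout 3"},
    {"pid": 1952, "ppid": 1880, "image": DROPPED, "cmdline": '"%s"' % DROPPED},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /st 02:00 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(pid, rule, detail)
```

The schtasks rule fires on the cmd.exe wrapper (PID 588) as well as on schtasks.exe itself (PID 1748), which is deliberate: the wrapper's command line survives even when the child is short-lived or its creation is not logged. The second rule needs both the timeout child and an AppData executable child before it reports, so a lone batch file in %TEMP% does not trigger it. The win10 run differs only in the batch file name (tmpB77D.tmp.bat), which the same pattern covers.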