Malware Analysis Report

2025-08-10 17:43

Sample ID 230322-2y63psdh4z
Target 166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1.exe
SHA256 166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1
Tags rat, default, asyncrat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1

Threat Level: Known bad

The file 166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1.exe was found to be: Known bad.

Malicious Activity Summary

Tags rat, default, asyncrat

Async RAT payload

Asyncrat family

AsyncRat

Legitimate hosting services abused for malware hosting/C2

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-22 23:00

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-22 23:00

Reported

2023-03-22 23:03

Platform

win7-20230220-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Processes

C:\Users\Admin\AppData\Local\Temp\166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1.exe

"C:\Users\Admin\AppData\Local\Temp\166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.157.68.73:11712 2.tcp.eu.ngrok.io tcp
DE 18.157.68.73:11712 2.tcp.eu.ngrok.io tcp
DE 18.157.68.73:11712 2.tcp.eu.ngrok.io tcp
DE 18.157.68.73:11712 2.tcp.eu.ngrok.io tcp
DE 18.157.68.73:11712 2.tcp.eu.ngrok.io tcp
DE 18.157.68.73:11712 2.tcp.eu.ngrok.io tcp
DE 18.157.68.73:11712 2.tcp.eu.ngrok.io tcp
DE 18.157.68.73:11712 2.tcp.eu.ngrok.io tcp
DE 18.157.68.73:11712 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.197.239.5:11712 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:11712 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:11712 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:11712 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:11712 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:11712 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:11712 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:11712 2.tcp.eu.ngrok.io tcp
DE 18.197.239.5:11712 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 3.126.37.18:11712 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:11712 2.tcp.eu.ngrok.io tcp
DE 3.126.37.18:11712 tcp

Files

memory/1376-54-0x0000000000D70000-0x0000000000D92000-memory.dmp

memory/1376-55-0x000000001B240000-0x000000001B2C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-22 23:00

Reported

2023-03-22 23:03

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1.exe

"C:\Users\Admin\AppData\Local\Temp\166d6d5be18a889db530c818bf4fabc70a67b381b3d58d64652efbab55ad6bf1.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /7

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 33.18.126.40.in-addr.arpa udp
US 8.8.8.8:53 199.176.139.52.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
IE 20.54.89.15:443 tcp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.157.68.73:11712 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
DE 18.157.68.73:11712 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 254.133.241.8.in-addr.arpa udp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
US 67.24.35.254:80 tcp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 api.msn.com tcp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
DE 18.156.13.209:11712 2.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 2.tcp.eu.ngrok.io udp
DE 3.127.138.57:11712 2.tcp.eu.ngrok.io tcp
DE 3.127.138.57:11712 2.tcp.eu.ngrok.io tcp
DE 3.127.138.57:11712 2.tcp.eu.ngrok.io tcp

Files

memory/4488-133-0x00000000001E0000-0x0000000000202000-memory.dmp

memory/4488-134-0x0000000000A40000-0x0000000000A50000-memory.dmp

memory/4488-135-0x0000000000A40000-0x0000000000A50000-memory.dmp

memory/4740-136-0x000001496DB70000-0x000001496DB71000-memory.dmp

memory/4740-137-0x000001496DB70000-0x000001496DB71000-memory.dmp

memory/4740-138-0x000001496DB70000-0x000001496DB71000-memory.dmp

memory/4740-142-0x000001496DB70000-0x000001496DB71000-memory.dmp

memory/4740-143-0x000001496DB70000-0x000001496DB71000-memory.dmp

memory/4740-144-0x000001496DB70000-0x000001496DB71000-memory.dmp

memory/4740-145-0x000001496DB70000-0x000001496DB71000-memory.dmp

memory/4740-146-0x000001496DB70000-0x000001496DB71000-memory.dmp

memory/4740-147-0x000001496DB70000-0x000001496DB71000-memory.dmp

memory/4740-148-0x000001496DB70000-0x000001496DB71000-memory.dmp