Analysis Overview
SHA256
b32c3079004939613c101ecc860fa21101596f0c81ea0580882576293c63b31f
Threat Level: Known bad
The file 8441ddb18dfbc80ddc5e814f2566ab54.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Asyncrat family
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-03-23 11:51
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-23 11:51
Reported
2023-03-23 11:53
Platform
win10v2004-20230220-en
Max time kernel
78s
Max time network
145s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe
"C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe"
Network
| Country | Destination | Domain | Proto |
| US | 117.18.237.29:80 | | tcp |
| US | 117.18.237.29:80 | | tcp |
| US | 8.8.8.8:53 | 154.210.82.20.in-addr.arpa | udp |
| TR | 45.155.158.187:1337 | | tcp |
| US | 8.8.8.8:53 | 187.158.155.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.145.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp |
| IE | 20.54.89.15:443 | | tcp |
| US | 8.8.8.8:53 | 185.130.69.20.in-addr.arpa | udp |
| US | 20.189.173.4:443 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
| US | 117.18.237.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
Files
memory/2344-133-0x00000000006F0000-0x0000000000702000-memory.dmp
memory/2344-134-0x0000000005120000-0x0000000005130000-memory.dmp
memory/2344-135-0x0000000005410000-0x00000000054AC000-memory.dmp
memory/2344-136-0x0000000005A60000-0x0000000006004000-memory.dmp
memory/2344-137-0x0000000005520000-0x0000000005586000-memory.dmp
memory/2344-138-0x0000000005120000-0x0000000005130000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-23 11:51
Reported
2023-03-23 11:53
Platform
win7-20230220-en
Max time kernel
28s
Max time network
147s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe
"C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe"
Network
| Country | Destination | Domain | Proto |
| TR | 45.155.158.187:1337 | | tcp |
Files
memory/2028-54-0x0000000000B80000-0x0000000000B92000-memory.dmp
memory/2028-55-0x0000000002070000-0x00000000020B0000-memory.dmp
memory/2028-73-0x0000000002070000-0x00000000020B0000-memory.dmp
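The Files sections of both detonations list memory dumps rather than dropped files, and the names pack the useful information (which process, which dump in sequence, which address range) into the filename. The script below is an added example, not part of the report, that decodes those names for the six win10 and three win7 dumps listed above, computes region sizes, and flags ranges that were dumped more than once. The reading of the name as `pid-index-start-end` is an assumption drawn from how the names on this page look, not a documented format.

```python
"""Decode sandbox memory-dump filenames into address ranges and summarise them."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Dump names transcribed from the win10 (behavioral2) and win7 (behavioral1) Files sections.
WIN10_DUMPS = [
    "memory/2344-133-0x00000000006F0000-0x0000000000702000-memory.dmp",
    "memory/2344-134-0x0000000005120000-0x0000000005130000-memory.dmp",
    "memory/2344-135-0x0000000005410000-0x00000000054AC000-memory.dmp",
    "memory/2344-136-0x0000000005A60000-0x0000000006004000-memory.dmp",
    "memory/2344-137-0x0000000005520000-0x0000000005586000-memory.dmp",
    "memory/2344-138-0x0000000005120000-0x0000000005130000-memory.dmp",
]
WIN7_DUMPS = [
    "memory/2028-54-0x0000000000B80000-0x0000000000B92000-memory.dmp",
    "memory/2028-55-0x0000000002070000-0x00000000020B0000-memory.dmp",
    "memory/2028-73-0x0000000002070000-0x00000000020B0000-memory.dmp",
]

# Assumed layout: memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<index>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name}")
    r = Region(int(m["pid"]), int(m["index"]), int(m["start"], 16), int(m["end"], 16))
    if r.end <= r.start:
        raise ValueError(f"empty or inverted range: {name}")
    return r


def parse_dumps(names: list[str]) -> list[Region]:
    return [parse_dump_name(n) for n in names]


def largest(regions: list[Region]) -> Region:
    """The biggest dumped range; usually the first one worth opening in a disassembler."""
    return max(regions, key=lambda r: r.size)


def duplicate_ranges(regions: list[Region]) -> dict[tuple[int, int], list[int]]:
    """Address ranges captured more than once, keyed by (start, end) -> dump indices."""
    seen: dict[tuple[int, int], list[int]] = defaultdict(list)
    for r in regions:
        seen[(r.start, r.end)].append(r.index)
    return {k: v for k, v in seen.items() if len(v) > 1}


def unique_bytes(regions: list[Region]) -> int:
    """Total bytes across distinct ranges, so re-dumps of one range are not double counted."""
    return sum(e - s for s, e in {(r.start, r.end) for r in regions})


if __name__ == "__main__":
    for label, names in (("win10", WIN10_DUMPS), ("win7", WIN7_DUMPS)):
        regs = parse_dumps(names)
        big = largest(regs)
        print(f"{label}: pid {regs[0].pid}, {len(regs)} dumps, {unique_bytes(regs):#x} unique bytes")
        print(f"  largest: #{big.index} {big.start:#x}-{big.end:#x} ({big.size:#x} bytes)")
        for (s, e), idx in duplicate_ranges(regs).items():
            print(f"  range {s:#x}-{e:#x} dumped {len(idx)} times: {idx}")
```

Both runs start with a 0x12000-byte region and both re-dump one range later in the run (indices 134/138 on win10, 55/73 on win7), which is what a practitioner would expect to diff first: a region captured twice at different times is where in-memory changes, such as a decoded or newly written payload, would show up.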