Malware Analysis Report

2025-08-10 17:43

Sample ID 230323-nz5z5sfd53
Target 8441ddb18dfbc80ddc5e814f2566ab54.exe
SHA256 b32c3079004939613c101ecc860fa21101596f0c81ea0580882576293c63b31f
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b32c3079004939613c101ecc860fa21101596f0c81ea0580882576293c63b31f

Threat Level: Known bad

The file 8441ddb18dfbc80ddc5e814f2566ab54.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Asyncrat family

Async RAT payload

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-03-23 11:51

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-23 11:51

Reported

2023-03-23 11:53

Platform

win10v2004-20230220-en

Max time kernel

78s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe

"C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe"

Network

Country Destination Domain Proto
US 117.18.237.29:80 tcp
US 117.18.237.29:80 tcp
US 8.8.8.8:53 154.210.82.20.in-addr.arpa udp
TR 45.155.158.187:1337 tcp
US 8.8.8.8:53 187.158.155.45.in-addr.arpa udp
US 8.8.8.8:53 160.145.190.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
IE 20.54.89.15:443 tcp
US 8.8.8.8:53 185.130.69.20.in-addr.arpa udp
US 20.189.173.4:443 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 117.18.237.29:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp

Files

memory/2344-133-0x00000000006F0000-0x0000000000702000-memory.dmp

memory/2344-134-0x0000000005120000-0x0000000005130000-memory.dmp

memory/2344-135-0x0000000005410000-0x00000000054AC000-memory.dmp

memory/2344-136-0x0000000005A60000-0x0000000006004000-memory.dmp

memory/2344-137-0x0000000005520000-0x0000000005586000-memory.dmp

memory/2344-138-0x0000000005120000-0x0000000005130000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-23 11:51

Reported

2023-03-23 11:53

Platform

win7-20230220-en

Max time kernel

28s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe

"C:\Users\Admin\AppData\Local\Temp\8441ddb18dfbc80ddc5e814f2566ab54.exe"

Network

Country Destination Domain Proto
TR 45.155.158.187:1337 tcp

Files

memory/2028-54-0x0000000000B80000-0x0000000000B92000-memory.dmp

memory/2028-55-0x0000000002070000-0x00000000020B0000-memory.dmp

memory/2028-73-0x0000000002070000-0x00000000020B0000-memory.dmp