Analysis Overview
SHA256
95bab70aa35fa3b403de445c883dcaa84998690ffb54d3a8f9d25a19e5e36f42
Threat Level: Known bad
The file AsyncRat.exe was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-26 17:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-26 17:25
Reported
2023-04-26 17:28
Platform
win7-20230220-en
Max time kernel
143s
Max time network
149s
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1148 set thread context of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
(the -ENC argument is base64-encoded UTF-16LE for: start-sleep -seconds 20)
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| SG | 15.235.130.74:7707 | | tcp |
| SG | 15.235.130.74:6606 | | tcp |
| SG | 15.235.130.74:7707 | | tcp |
| SG | 15.235.130.74:7707 | | tcp |
| SG | 15.235.130.74:7707 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-26 17:25
Reported
2023-04-26 17:28
Platform
win10v2004-20230220-en
Max time kernel
143s
Max time network
154s
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5040 set thread context of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
(the -ENC argument is base64-encoded UTF-16LE for: start-sleep -seconds 20)
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
C:\Users\Admin\AppData\Local\Temp\AsyncRat.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| IE | 20.54.89.15:443 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.113.223.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.103.197.20.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| SG | 15.235.130.74:6606 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 20.189.173.3:443 | | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| SG | 15.235.130.74:7707 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.113.223.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.255.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.131.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 117.18.237.29:80 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.232.18.117.in-addr.arpa | udp |
| SG | 15.235.130.74:7707 | | tcp |
| SG | 15.235.130.74:6606 | | tcp |
| SG | 15.235.130.74:6606 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4ywawbd.yjz.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AsyncRat.exe.log
| Hash | Value |
|---|---|
| MD5 | 07dff301593b27ca4a2f0aedecd8eab8 |
| SHA1 | 443544108040876b5c291090d6f9a5ff231b8180 |
| SHA256 | 99e3f1c991f3d56f3d3d504ac80f0a1c995ef7a983a425b6701e743f455cf83c |
| SHA512 | 45bbd2963b6855e8840e43b66f0fc7ea91216c5bd7652a90b0c3db31bded2cdb23713a079231170464b1cd02252f3dd7633efc703e1a2b42e1e2bb4f8102c052 |