Analysis Overview
SHA256
4dcb2fbc2fcfc15556b81e2b07f84427f80435b1b312fea8b18e688a565eac6e
Threat Level: Known bad
The file AsyncClient.exe was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Asyncrat family
AsyncRat
Checks computer location settings
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-27 05:35
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-27 05:35
Reported
2023-04-27 05:51
Platform
win10-20230220-en
Max time kernel
554s
Max time network
870s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\3720402701\2219095117.pri | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:61288 | | tcp |
| US | 146.70.165.10:61288 | | tcp |
| US | 8.8.8.8:53 | 10.165.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 20.189.173.6:443 | | tcp |
| US | 146.70.165.10:61288 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 146.70.165.10:61288 | | tcp |
| US | 146.70.165.10:61288 | | tcp |
| US | 146.70.165.10:61288 | | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| N/A | 127.0.0.1:61288 | | tcp |
| US | 146.70.165.10:61288 | | tcp |
Files
memory/1872-118-0x00000000000A0000-0x00000000000B2000-memory.dmp
memory/1872-119-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/1872-122-0x0000000004FD0000-0x000000000506C000-memory.dmp
memory/1872-123-0x00000000058C0000-0x0000000005DBE000-memory.dmp
memory/1872-124-0x0000000005430000-0x0000000005496000-memory.dmp
memory/1872-125-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/1872-126-0x0000000006280000-0x00000000062F6000-memory.dmp
memory/1872-127-0x00000000058A0000-0x00000000058C6000-memory.dmp
memory/1872-128-0x0000000006250000-0x000000000626E000-memory.dmp
memory/1872-129-0x0000000006460000-0x00000000064F2000-memory.dmp
memory/1872-130-0x0000000006F10000-0x0000000006F32000-memory.dmp
memory/1872-131-0x0000000006FD0000-0x0000000006FDA000-memory.dmp
memory/1872-132-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/1872-133-0x0000000004A30000-0x0000000004A40000-memory.dmp
memory/1872-134-0x0000000005670000-0x0000000005696000-memory.dmp
memory/1872-135-0x00000000001D0000-0x0000000000200000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-27 05:35
Reported
2023-04-27 05:38
Platform
win10v2004-20230220-en
Max time kernel
135s
Max time network
153s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:61288 | | tcp |
| N/A | 127.0.0.1:61288 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:61288 | | tcp |
| US | 20.189.173.6:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 146.70.165.10:61288 | | tcp |
| US | 8.8.8.8:53 | 10.165.70.146.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| NL | 84.53.175.11:80 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
| US | 52.152.110.14:443 | | tcp |
Files
memory/1648-133-0x0000000000800000-0x0000000000812000-memory.dmp
memory/1648-134-0x00000000050D0000-0x00000000050E0000-memory.dmp
memory/1648-135-0x00000000050D0000-0x00000000050E0000-memory.dmp
memory/1648-136-0x0000000005520000-0x00000000055BC000-memory.dmp
memory/1648-137-0x0000000005B70000-0x0000000006114000-memory.dmp
memory/1648-138-0x0000000005870000-0x00000000058D6000-memory.dmp
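Added example (editor's code, not part of the sandbox report and not code from the AsyncRAT sample): a small Python triage of the two Network tables above, in the report's own row layout. It parses the rows as they appear on the page (including rows where the protocol has slipped into the Domain column or a trailing cell is missing), decodes the sandbox's own PTR lookups back into the IPs being reverse-resolved, and correlates those with the outbound TCP endpoints and with the loopback port. The choice of "standard" egress ports (53, 80, 443) and the candidate-scoring reasons are the editor's heuristic, not anything the sandbox computed.

```python
import re
from collections import Counter

# Constructed input: the rows of this report's two Network tables, copied in the
# page's "| Country | Destination | Domain | Proto |" layout, including the rows
# where "tcp" sits in the Domain cell and the Proto cell is empty or missing.
REPORT_NETWORK_TABLES = """\
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:61288 | tcp | |
| US | 146.70.165.10:61288 | tcp | |
| US | 8.8.8.8:53 | 10.165.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 20.189.173.6:443 | tcp | |
| US | 146.70.165.10:61288 | tcp | |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 146.70.165.10:61288 | tcp | |
| US | 146.70.165.10:61288 | tcp | |
| US | 146.70.165.10:61288 | tcp | |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| N/A | 127.0.0.1:61288 | tcp | |
| US | 146.70.165.10:61288 | tcp |
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:61288 | tcp | |
| N/A | 127.0.0.1:61288 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:61288 | tcp | |
| US | 20.189.173.6:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 146.70.165.10:61288 | tcp | |
| US | 8.8.8.8:53 | 10.165.70.146.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| NL | 84.53.175.11:80 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| US | 52.152.110.14:443 | tcp |
"""

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")
STANDARD_PORTS = {53, 80, 443}   # assumption: ports treated as ordinary egress

def parse_table(text):
    """Return (country, ip, port, domain, proto) per data row, repairing shifted or short rows."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells == [""] or cells[0] == "Country":   # blank line or (repeated) header
            continue
        cells += [""] * (4 - len(cells))            # pad rows that lost a trailing cell
        country, dest, domain, proto = cells[:4]
        if domain in ("tcp", "udp") and not proto:  # protocol slipped into Domain column
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append((country, ip, int(port), domain, proto))
    return rows

def ptr_to_ip(name):
    """'10.165.70.146.in-addr.arpa' -> '146.70.165.10' (PTR labels are reversed)."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None

def triage(rows):
    """Correlate outbound TCP endpoints with the sandbox's PTR lookups and with
    loopback activity; endpoints on non-standard ports become C2 candidates."""
    tcp_hits = Counter()      # (ip, port) -> connection count
    ptr_ips = set()           # IPs the sandbox reverse-resolved
    loopback_ports = set()
    for _, ip, port, domain, proto in rows:
        if ip.startswith("127."):
            loopback_ports.add(port)
        elif proto == "udp" and port == 53:
            resolved = ptr_to_ip(domain)
            if resolved:
                ptr_ips.add(resolved)
        elif proto == "tcp":
            tcp_hits[(ip, port)] += 1
    candidates = []
    for (ip, port), n in tcp_hits.most_common():
        if port in STANDARD_PORTS:
            continue
        reasons = [f"{n} connections", f"non-standard port {port}"]
        if ip in ptr_ips:
            reasons.append("sandbox reverse-resolved this IP")
        if port in loopback_ports:
            reasons.append("same port also used on 127.0.0.1")
        candidates.append({"ip": ip, "port": port, "count": n, "reasons": reasons})
    return {"candidates": candidates, "tcp_hits": tcp_hits,
            "ptr_ips": ptr_ips, "loopback_ports": loopback_ports}

if __name__ == "__main__":
    for c in triage(parse_table(REPORT_NETWORK_TABLES))["candidates"]:
        print(f"{c['ip']}:{c['port']}  <- " + "; ".join(c["reasons"]))
```

On this report's data the only endpoint that survives the port filter is 146.70.165.10:61288, and all three corroborating signals line up for it: it is contacted repeatedly across both detonations, the sandbox issued a PTR query for 10.165.70.146.in-addr.arpa (the same address reversed), and 61288 is also the port used on 127.0.0.1. The 443/80 traffic to the other hosts is deliberately excluded rather than classified; compare it against a baseline detonation of the same platform image before attributing any of it to the sample.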