Malware Analysis Report

2025-08-06 03:43

Sample ID 230427-f99r3sfg6x
Target AsyncClient.exe
SHA256 4dcb2fbc2fcfc15556b81e2b07f84427f80435b1b312fea8b18e688a565eac6e
Tags
rat default asyncrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4dcb2fbc2fcfc15556b81e2b07f84427f80435b1b312fea8b18e688a565eac6e

Threat Level: Known bad

The file AsyncClient.exe was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat

Async RAT payload

Asyncrat family

AsyncRat

Async RAT payload

Checks computer location settings

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-27 05:35

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-27 05:35

Reported

2023-04-27 05:51

Platform

win10-20230220-en

Max time kernel

554s

Max time network

870s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Network

Country Destination Domain Proto
N/A 127.0.0.1:61288 tcp
US 146.70.165.10:61288 tcp
US 8.8.8.8:53 10.165.70.146.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 20.189.173.6:443 tcp
US 146.70.165.10:61288 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 146.70.165.10:61288 tcp
US 146.70.165.10:61288 tcp
US 146.70.165.10:61288 tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
N/A 127.0.0.1:61288 tcp
US 146.70.165.10:61288 tcp

Files

memory/1872-118-0x00000000000A0000-0x00000000000B2000-memory.dmp

memory/1872-119-0x0000000004A30000-0x0000000004A40000-memory.dmp

memory/1872-122-0x0000000004FD0000-0x000000000506C000-memory.dmp

memory/1872-123-0x00000000058C0000-0x0000000005DBE000-memory.dmp

memory/1872-124-0x0000000005430000-0x0000000005496000-memory.dmp

memory/1872-125-0x0000000004A30000-0x0000000004A40000-memory.dmp

memory/1872-126-0x0000000006280000-0x00000000062F6000-memory.dmp

memory/1872-127-0x00000000058A0000-0x00000000058C6000-memory.dmp

memory/1872-128-0x0000000006250000-0x000000000626E000-memory.dmp

memory/1872-129-0x0000000006460000-0x00000000064F2000-memory.dmp

memory/1872-130-0x0000000006F10000-0x0000000006F32000-memory.dmp

memory/1872-131-0x0000000006FD0000-0x0000000006FDA000-memory.dmp

memory/1872-132-0x0000000004A30000-0x0000000004A40000-memory.dmp

memory/1872-133-0x0000000004A30000-0x0000000004A40000-memory.dmp

memory/1872-134-0x0000000005670000-0x0000000005696000-memory.dmp

memory/1872-135-0x00000000001D0000-0x0000000000200000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-27 05:35

Reported

2023-04-27 05:38

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
N/A 127.0.0.1:61288 tcp
N/A 127.0.0.1:61288 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:61288 tcp
US 20.189.173.6:443 tcp
US 52.152.110.14:443 tcp
US 146.70.165.10:61288 tcp
US 8.8.8.8:53 10.165.70.146.in-addr.arpa udp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
NL 84.53.175.11:80 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

memory/1648-133-0x0000000000800000-0x0000000000812000-memory.dmp

memory/1648-134-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/1648-135-0x00000000050D0000-0x00000000050E0000-memory.dmp

memory/1648-136-0x0000000005520000-0x00000000055BC000-memory.dmp

memory/1648-137-0x0000000005B70000-0x0000000006114000-memory.dmp

memory/1648-138-0x0000000005870000-0x00000000058D6000-memory.dmp