Malware Analysis Report

2025-08-05 12:32

Sample ID 230504-rcgktach23
Target 33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11
SHA256 33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11
Tags: asyncrat, default, persistence, rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11

Threat Level: Known bad

The file 33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11 was found to be: Known bad.

Malicious Activity Summary

Tags: asyncrat, default, persistence, rat

AsyncRat

Async RAT payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-04 14:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-04 14:02

Reported

2023-05-04 14:05

Platform

win7-20230220-en

Max time kernel

39s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe"

Signatures

AsyncRat (tags: rat, asyncrat)

Async RAT payload (tags: rat)

Description Indicator Process Target
(5 matches; no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wscript.exe N/A

Adds Run key to start application (tags: persistence)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgwp\\adtaa.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\qgwp\\xlsetqc.ppt" C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1700 set thread context of 1708 N/A C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1984 wrote to memory of 1596 (4 calls) N/A C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe C:\Windows\SysWOW64\wscript.exe
PID 1596 wrote to memory of 1700 (4 calls) N/A C:\Windows\SysWOW64\wscript.exe C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif
PID 1700 wrote to memory of 1708 (9 calls) N/A C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe

"C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" Update-ed.l.vbe

C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif

"C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif" xlsetqc.ppt

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
JP 37.120.210.219:48408 tcp

Files

C:\Users\Admin\AppData\Local\Temp\qgwp\Update-ed.l.vbe

MD5 4d361bf174b8f3c66723f6064ee193bd
SHA1 3a02969739022aa8a505da0d7d88671d8a1acbdb
SHA256 c26727e311cb18de7dd06f1874771d04b54b97b3d674b13e59e2fd2e30242629
SHA512 a2991a75f1dba9747dfce7bc69b15c568aaa20b592703c9d9673be4394684deebb47be7c4d8d28461edec9caea6310c2f66ca464e65a1f3ec86e85cc79a94c33

C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif

MD5 d08467871656edc79c1dfe974d91c450
SHA1 226105367ba3663becdde32280b1714fdcacebcb
SHA256 0323b0cbc6726d09c091163fa80885b93d91ece8394cbad0bb87e4e38a756798
SHA512 fcb659bd06031e6b3b3b0c03620aeb8a526c6eae6f17db717dd4703a3edc98e8392a5e8118c47db52933c05e2f8fe0cc3eb747f85ff0f0a910bf6142ccbb2fa7

C:\Users\Admin\AppData\Local\Temp\qgwp\xlsetqc.ppt

MD5 ef053f9b9f535a7a446b31089da3e14f
SHA1 b34f1ed41e99fa59d3a81e1f94d9e0c442f8bd53
SHA256 aec4c6528ce074e4a90a7949a1acde52f58d469fec9600ff259a65e25299b449
SHA512 7f1990eb756fc21d59f18828eda6051d605bbc8f4206a4bc47047f15ae17565eae75fdfda1a217280c77b6b7f8fe9c3b72cac90466aa8b769ded166df1c45cf5

C:\Users\Admin\AppData\Local\Temp\qgwp\tbwh.dat

MD5 301e1eec6742011e08e120355c2b0764
SHA1 6e970f19e25d7fe0a065d0b7b30107eaaf775130
SHA256 ae3c368a3963c3537e502cc6607e8035c91a090eb60ff33361c49aef57a2af33
SHA512 b54ff0649341a09f15ef933f1bfc495a655c6ae0dd8e0cce1884af0fa7392b1376820bd429505e7b426537b522058877f90c07c7dfda29c6c7bb98ac62149c74

C:\Users\Admin\AppData\Local\Temp\qgwp\DOQAJM~1.DQO

MD5 3ae20ce17c62eb5f5245231299021949
SHA1 20d193dc3fdee620995e22f128c5f92414710ac1
SHA256 712d9958d3170f73f7bc4f7c6ed28caadbbeaf079050f58dda4fadfe0f4217f7
SHA512 d542ac65a223dc5c2d314a80ef2d87562e0dedea6f1c7b586ce94fa8751601ebd55482aa200816ad6f03709623d6936913f94404684ee278efb3b18f370e7aac

memory/1708-215-0x00000000004F0000-0x00000000009AA000-memory.dmp

memory/1708-216-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1708-217-0x00000000004F0000-0x00000000009AA000-memory.dmp

memory/1708-219-0x00000000004F0000-0x00000000009AA000-memory.dmp

memory/1708-221-0x00000000004F0000-0x00000000009AA000-memory.dmp

memory/1708-222-0x00000000004F0000-0x0000000000502000-memory.dmp

memory/1708-223-0x0000000005170000-0x00000000051B0000-memory.dmp

memory/1708-238-0x0000000005170000-0x00000000051B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-04 14:02

Reported

2023-05-04 14:05

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe"

Signatures

AsyncRat (tags: rat, asyncrat)

Async RAT payload (tags: rat)

Description Indicator Process Target
(2 matches; no description, indicator, process or target recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif N/A

Adds Run key to start application (tags: persistence)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qgwp\\adtaa.pif C:\\Users\\Admin\\AppData\\Local\\Temp\\qgwp\\xlsetqc.ppt" C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif N/A
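Both detonations register adtaa.pif under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run as "WindowsUpdate", with xlsetqc.ppt passed as its argument. The Python below is an added example, not sandbox output or code from the AsyncRAT project, of triaging Run values offline for exactly that pattern: an image in a user-writable directory, a non-.exe executable extension, a value name that imitates a Windows component, and a document-named argument handed to a program that is not Office. The registry values it inspects are constructed from this report plus two invented benign controls; the impersonated-name and document-extension lists are heuristics chosen for the example.

```python
import re
from pathlib import PureWindowsPath

# Locations an unprivileged user can write to; a Run value pointing here
# persists without ever touching Program Files or System32.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")
# Extensions Windows executes from a Run value although they are not .exe.
ODD_EXEC_EXT = {".pif", ".scr", ".com", ".cmd", ".bat", ".vbs", ".vbe",
                ".js", ".jse", ".wsf", ".hta"}
# Document-style extensions; handed to a program in a temp directory they are
# usually a disguised payload or config (xlsetqc.ppt in this report).
DOC_EXT = {".ppt", ".pptx", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".dat"}
# Value names that imitate built-in components (heuristic list, an assumption
# of this example, not a reference list).
IMPERSONATED = {"windowsupdate", "windowsdefender", "microsoftedgeupdate",
                "securityhealth", "svchost", "explorer"}


def split_command(value: str):
    """Split a Run value into (image, [args]).  A quoted image is taken
    verbatim; an unquoted one is cut at the first space, which is also how
    the value in this report (no quotes, no spaces in the path) resolves."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        image, rest = value[1:end], value[end + 1:]
    else:
        image, _, rest = value.partition(" ")
    tokens = re.findall(r'"([^"]*)"|(\S+)', rest)
    return image, [quoted or bare for quoted, bare in tokens]


def triage_run_value(name: str, value: str) -> list:
    """Return the suspicious traits found for one Run value."""
    image, args = split_command(value)
    low = image.lower()
    findings = []
    if any(d in low for d in USER_WRITABLE):
        findings.append("image in user-writable directory")
    ext = PureWindowsPath(image).suffix.lower()
    if ext in ODD_EXEC_EXT:
        findings.append(f"non-.exe executable extension {ext}")
    if name.lower().replace(" ", "") in IMPERSONATED:
        findings.append("value name imitates a Windows component")
    for arg in args:
        p = PureWindowsPath(arg)
        if p.suffix.lower() in DOC_EXT and "\\program files" not in low:
            findings.append(f"document-named argument {p.name} to a non-Office image")
    return findings


def triage_run_values(values: dict, min_findings: int = 2) -> dict:
    """Map value name -> findings for every value reaching min_findings.
    Requiring two traits keeps a legitimate SecurityHealth entry, which only
    trips the name check, out of the result."""
    out = {}
    for name, value in values.items():
        findings = triage_run_value(name, value)
        if len(findings) >= min_findings:
            out[name] = findings
    return out


# Constructed sample: the first entry is the value written in both detonations
# (display escaping removed); the other two are benign controls invented here.
SAMPLE_RUN_VALUES = {
    "WindowsUpdate": r"C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif C:\Users\Admin\AppData\Local\Temp\qgwp\xlsetqc.ppt",
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    for name, findings in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {'; '.join(findings)}")
```

On a live host the same functions can be fed the output of a registry export of the HKLM and HKCU Run keys (both the native and Wow6432Node views); the report's value trips all four checks, while the two controls stay below the two-finding threshold.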

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1708 set thread context of 984 N/A C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4800 wrote to memory of 4780 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe C:\Windows\SysWOW64\wscript.exe
PID 4780 wrote to memory of 1708 (3 calls) N/A C:\Windows\SysWOW64\wscript.exe C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif
PID 1708 wrote to memory of 984 (5 calls) N/A C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe

"C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe"

C:\Windows\SysWOW64\wscript.exe

"C:\Windows\System32\wscript.exe" Update-ed.l.vbe

C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif

"C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif" xlsetqc.ppt

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
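The process list above, read together with the WriteProcessMemory and SetThreadContext rows, records a loader chain: the sample writes into wscript.exe, wscript.exe runs Update-ed.l.vbe by relative name and writes into adtaa.pif, and adtaa.pif starts RegSvcs.exe with an empty command line, writes into it and resets its thread context. That is the process-hollowing pattern; a genuine RegSvcs.exe invocation names an assembly to register. (The wscript.exe command line says System32 while the image runs from SysWOW64 because the 32-bit parent is subject to WOW64 file-system redirection.) The Python below is an added example, not sandbox tooling, that reconstructs such a chain from process-creation and cross-process events; its records are constructed from the behavioral2 PIDs and paths, the parent PID of the initial sample and the benign RegSvcs.exe control are invented, and the list of hollowing hosts is a heuristic assumption.

```python
from collections import namedtuple
from pathlib import PureWindowsPath

Proc = namedtuple("Proc", "pid ppid image cmdline")
XProc = namedtuple("XProc", "api src dst")   # one cross-process API call

# Signed .NET utilities that accept an empty command line and are therefore
# popular hollowing hosts (heuristic list, an assumption of this example).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
ODD_EXEC_EXT = {".pif", ".scr", ".com"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def _has_args(cmdline):
    """True when anything follows the image token of a Windows command line."""
    c = cmdline.strip()
    rest = c[c.find('"', 1) + 1:] if c.startswith('"') else c.partition(" ")[2]
    return bool(rest.strip())


def find_hollowing_chains(procs, xprocs):
    """Return one dict per chain of the shape seen in this report:
    script host -> odd-extension dropper in a user-writable directory ->
    argument-less .NET host that the dropper wrote to and re-pointed with
    SetThreadContext.  A chain without the injection evidence is still
    reported, at lower severity."""
    by_pid = {p.pid: p for p in procs}
    wrote = {(x.src, x.dst) for x in xprocs if x.api == "WriteProcessMemory"}
    ctx = {(x.src, x.dst) for x in xprocs if x.api == "SetThreadContext"}
    chains = []
    for host in procs:
        # A genuine RegSvcs/RegAsm run names an assembly; an empty command
        # line means the process exists only to be overwritten.
        if _name(host.image) not in HOLLOW_HOSTS or _has_args(host.cmdline):
            continue
        dropper = by_pid.get(host.ppid)
        if dropper is None:
            continue
        if not (PureWindowsPath(dropper.image).suffix.lower() in ODD_EXEC_EXT
                and any(d in dropper.image.lower() for d in USER_WRITABLE)):
            continue
        pair = (dropper.pid, host.pid)
        injected = pair in wrote and pair in ctx
        script = by_pid.get(dropper.ppid)
        chains.append({
            "host": host.pid,
            "dropper": dropper.pid,
            "script_host": script.pid if script and _name(script.image) in SCRIPT_HOSTS else None,
            "injected": injected,
            "severity": "high" if injected else "medium",
        })
    return chains


# Constructed from the behavioral2 detonation (PIDs, images, command lines).
# The parent PID 0 of the sample and the last RegSvcs.exe entry (a benign
# control with a real argument) are invented for this example.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\33650cc18d2e03d1cdf58b578a3383ed130b31ed641047d3a84ac4da124bea11.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_PROCS = [
    Proc(4800, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    Proc(4780, 4800, r"C:\Windows\SysWOW64\wscript.exe",
         r'"C:\Windows\System32\wscript.exe" Update-ed.l.vbe'),
    Proc(1708, 4780, r"C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif",
         r'"C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif" xlsetqc.ppt'),
    Proc(984, 1708, REGSVCS, f'"{REGSVCS}"'),
    Proc(5000, 0, REGSVCS, f'"{REGSVCS}" C:\\svc\\Service.dll'),
]
SAMPLE_XPROCS = (
    [XProc("WriteProcessMemory", 4800, 4780)] * 3
    + [XProc("WriteProcessMemory", 4780, 1708)] * 3
    + [XProc("WriteProcessMemory", 1708, 984)] * 5
    + [XProc("SetThreadContext", 1708, 984)]
)

if __name__ == "__main__":
    for chain in find_hollowing_chains(SAMPLE_PROCS, SAMPLE_XPROCS):
        print(chain)
```

The same records map onto Sysmon event IDs 1 (process creation), 8 (CreateRemoteThread is not involved here) and 10 (process access) or onto EDR cross-process telemetry; the behavioral1 detonation yields the identical chain with PIDs 1984, 1596, 1700 and 1708.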

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
JP 37.120.210.219:48408 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
US 8.8.8.8:53 219.210.120.37.in-addr.arpa udp
US 40.125.122.176:443 tcp
NL 13.69.109.131:443 tcp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 40.125.122.176:443 tcp
US 93.184.221.240:80 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp

37.120.210.219:48408/tcp is the only destination that appears in both detonations (behavioral1, on Windows 7, recorded no other traffic) and is the candidate AsyncRAT command-and-control endpoint; one of the reverse lookups above, 219.210.120.37.in-addr.arpa, is the PTR query for that same address. The remaining behavioral2 entries are reverse-DNS queries sent to 8.8.8.8 and HTTP/HTTPS connections to address ranges typically associated with Microsoft services and CDNs; none of them is attributed to a malware process in this report and they are consistent with Windows 10 background traffic, so corroborate them before using them as indicators.

Files

C:\Users\Admin\AppData\Local\Temp\qgwp\Update-ed.l.vbe

MD5 4d361bf174b8f3c66723f6064ee193bd
SHA1 3a02969739022aa8a505da0d7d88671d8a1acbdb
SHA256 c26727e311cb18de7dd06f1874771d04b54b97b3d674b13e59e2fd2e30242629
SHA512 a2991a75f1dba9747dfce7bc69b15c568aaa20b592703c9d9673be4394684deebb47be7c4d8d28461edec9caea6310c2f66ca464e65a1f3ec86e85cc79a94c33

C:\Users\Admin\AppData\Local\Temp\qgwp\adtaa.pif

MD5 d08467871656edc79c1dfe974d91c450
SHA1 226105367ba3663becdde32280b1714fdcacebcb
SHA256 0323b0cbc6726d09c091163fa80885b93d91ece8394cbad0bb87e4e38a756798
SHA512 fcb659bd06031e6b3b3b0c03620aeb8a526c6eae6f17db717dd4703a3edc98e8392a5e8118c47db52933c05e2f8fe0cc3eb747f85ff0f0a910bf6142ccbb2fa7

C:\Users\Admin\AppData\Local\Temp\qgwp\xlsetqc.ppt

MD5 ef053f9b9f535a7a446b31089da3e14f
SHA1 b34f1ed41e99fa59d3a81e1f94d9e0c442f8bd53
SHA256 aec4c6528ce074e4a90a7949a1acde52f58d469fec9600ff259a65e25299b449
SHA512 7f1990eb756fc21d59f18828eda6051d605bbc8f4206a4bc47047f15ae17565eae75fdfda1a217280c77b6b7f8fe9c3b72cac90466aa8b769ded166df1c45cf5

C:\Users\Admin\AppData\Local\Temp\qgwp\tbwh.dat

MD5 301e1eec6742011e08e120355c2b0764
SHA1 6e970f19e25d7fe0a065d0b7b30107eaaf775130
SHA256 ae3c368a3963c3537e502cc6607e8035c91a090eb60ff33361c49aef57a2af33
SHA512 b54ff0649341a09f15ef933f1bfc495a655c6ae0dd8e0cce1884af0fa7392b1376820bd429505e7b426537b522058877f90c07c7dfda29c6c7bb98ac62149c74

C:\Users\Admin\AppData\Local\Temp\qgwp\DOQAJM~1.DQO

MD5 3ae20ce17c62eb5f5245231299021949
SHA1 20d193dc3fdee620995e22f128c5f92414710ac1
SHA256 712d9958d3170f73f7bc4f7c6ed28caadbbeaf079050f58dda4fadfe0f4217f7
SHA512 d542ac65a223dc5c2d314a80ef2d87562e0dedea6f1c7b586ce94fa8751601ebd55482aa200816ad6f03709623d6936913f94404684ee278efb3b18f370e7aac

memory/984-293-0x00000000011B0000-0x000000000179F000-memory.dmp

memory/984-294-0x00000000011B0000-0x00000000011C2000-memory.dmp

memory/984-295-0x0000000005D00000-0x0000000005D10000-memory.dmp

memory/984-296-0x00000000060F0000-0x000000000618C000-memory.dmp

memory/984-297-0x0000000006740000-0x0000000006CE4000-memory.dmp

memory/984-298-0x0000000006200000-0x0000000006266000-memory.dmp

memory/984-299-0x0000000005D00000-0x0000000005D10000-memory.dmp
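The dropped files in %TEMP%\qgwp carry extensions that misdescribe their content: adtaa.pif is the dropped executable (see the Run key and "Executes dropped EXE" rows), and xlsetqc.ppt is handed to it as an argument rather than opened by PowerPoint. The Python below is an added example, not part of this report, of checking a recovered directory against the report's SHA-256 values and for extension/content mismatches. It builds its own stand-in directory with stub contents (a minimal PE header, random-looking bytes, a Windows Script Encoder header and one benign OOXML control), so the file names match the report but the hashes of those stubs do not.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values from the Files sections of this report.
REPORT_HASHES = {
    "c26727e311cb18de7dd06f1874771d04b54b97b3d674b13e59e2fd2e30242629": "Update-ed.l.vbe",
    "0323b0cbc6726d09c091163fa80885b93d91ece8394cbad0bb87e4e38a756798": "adtaa.pif",
    "aec4c6528ce074e4a90a7949a1acde52f58d469fec9600ff259a65e25299b449": "xlsetqc.ppt",
    "ae3c368a3963c3537e502cc6607e8035c91a090eb60ff33361c49aef57a2af33": "tbwh.dat",
    "712d9958d3170f73f7bc4f7c6ed28caadbbeaf079050f58dda4fadfe0f4217f7": "DOQAJM~1.DQO",
}
# Extensions Windows runs as programs; a PE header behind one is a renamed EXE.
EXEC_ALIASES = {".pif", ".scr", ".com"}
# Document extensions and the header bytes a real file of that type starts with
# (OLE2 compound file for the legacy Office formats, ZIP for OOXML, %PDF).
DOC_MAGIC = {".ppt": b"\xd0\xcf\x11\xe0", ".doc": b"\xd0\xcf\x11\xe0",
             ".xls": b"\xd0\xcf\x11\xe0", ".pptx": b"PK\x03\x04",
             ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pdf": b"%PDF"}
VBE_MAGIC = b"#@~^"   # header written by the Windows Script Encoder


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path, known_hashes=REPORT_HASHES) -> list:
    """Return the traits that make one file worth a second look."""
    with path.open("rb") as f:
        head = f.read(8)
    ext = path.suffix.lower()
    findings = []
    digest = sha256_file(path)
    if digest in known_hashes:
        findings.append(f"SHA-256 matches report artifact {known_hashes[digest]}")
    if ext in EXEC_ALIASES and head.startswith(b"MZ"):
        findings.append(f"PE executable carrying the {ext} extension")
    if ext in DOC_MAGIC and not head.startswith(DOC_MAGIC[ext]):
        findings.append(f"{ext} extension without a document header (disguised payload or config)")
    if head.startswith(VBE_MAGIC):
        findings.append("encoded VBScript; decode before reading")
    return findings


def scan_dir(directory, known_hashes=REPORT_HASHES) -> dict:
    """Map file name -> findings for every file in directory with a finding."""
    out = {}
    for p in sorted(Path(directory).iterdir()):
        if p.is_file():
            findings = classify(p, known_hashes)
            if findings:
                out[p.name] = findings
    return out


def build_sample_dir() -> str:
    """Construct a stand-in for %TEMP%\\qgwp with the report's file names but
    stub contents, so the hashes will not match the report's values."""
    d = Path(tempfile.mkdtemp(prefix="qgwp_"))
    # 64-byte DOS header with e_lfanew = 0x40, then a bare PE signature.
    (d / "adtaa.pif").write_bytes(b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 60)
    (d / "xlsetqc.ppt").write_bytes(bytes(range(256)) * 4)
    (d / "Update-ed.l.vbe").write_bytes(b"#@~^DAAAAA==" + b"constructed-body" + b"==^#~@")
    (d / "deck.pptx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)   # benign control
    return str(d)


if __name__ == "__main__":
    for name, findings in scan_dir(build_sample_dir()).items():
        print(f"{name}: {'; '.join(findings)}")
```

Pointed at a real %TEMP%\qgwp recovered from a host, the hash check identifies the exact artifacts from this report, while the header checks still fire on a recompiled variant whose hashes have changed.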